Symantec Buys SecurityFocus, among others....

[full-disclosure () lists netsys com (Chris Wysopal)]

On Fri, 19 Jul 2002 haiku () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > As a consulting company that publishes vulnerability information and tools,
> > we contribute to the pool that we drink out of.
>
> Oh.  So this is your argument.  You contribute to it, therefore you may
> use it?  Wait .... I thought you said the information should be free
> for non-commercial use.  Does not taking from the pool to use within a
> company constitute commercial use?  Genius!  So, the "do as I say and
> not as I do" applies here?  What other double-standards are we also
> applying in this discussion?

Please show where I said that vulnerability information or tools should be
restricted to non-commercial use only.  That was Jay.  I suggested a public
vulnerability database.  I have been involved in the research, writing, or
coordination of dozens and dozens of advisories for over 7 years.  In not
one case were these advisories restricted in any way. I might add that
there was no advertising or other fluff.  Just technical information.


> So, now that we've clarified that there is, in fact, a double-standard
> here, this would explain why a certain vicious rumor about the @stake
> toolkit that somehow found the light of day contains not only many,
> many publicly available exploits, but also some 0day that the vendors
> have yet to fix.  Tell me, Chris, I'm a little confused how this
> applies to both "Responsible Disclosure" and "information being free
> for non-commercial use."  From my take, there's nothing responsible

You have clarified nothing.  You are inventing controversy where there is
none.

Let me know about which specific files have 0day information in them that
we are supposedly distributing and I will investigate.  We have nothing to
hide here.

Again the non-commercial use is something that Jay was talking about.  We
give out the @stake Pocket Security Toolkits at trade shows so obviously
they are for commercial use too.

> What about the folks that don't speak English as a first language, or
> no English whatsoever?

I don't undersatnd the point here.

> In short, yeah, you could say I'm skeptical.  And what's going to stop
> other information security companies from using it anyway?  If the data
> is freely available, it's there for the harvest.  If you want to
> prevent it from being exploited by outside parties, you have to neuter
> it to where there's no details whatsoever.  Then, it becomes roughly
> tits on a boar.

I never proposed restricting the use of the public vulnerability database.

> FYI, as I recall, the information in the Bugtraq Database is freely
> available to the public through their web site anyways.  Perhaps you
> may have overlooked this.

Sure and it is the best one out there. That doesn't mean another database
that allowed mirroring of the database itself and was updated by the
vulnerability reporters and editted by the community couldn't be better.
Maybe it won't be better.  Why not discuss it rationally without flying off
the handle with accusations of hidden agendas that never materialize?

> The open source tools could tie into it.  Open Source != Non-Commercial.

And your point is?

> Ok, as I recall, Renaud was at least making a little money off his
> project by offering support, while the rest of these pentest dirtbags
> exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit
> had Nessus sigs, did it not?) for whatever fee.  Now, correct me if I'm
> wrong here, but first, doesn't this mean that Renaud would no longer be
> able to offer commercial support for his product?  I think so.

We never charged any money for the @stake toolkit. I am not exactly sure
why you think I am proposing anything that would restrict Renaud from
making money charging support?

> And I believe the same applies to Marty, as Sourcefire is offering
> commercial products built on Snort.  Gee, what a fucking HUGE hole in
> your logic.  And, you additionally fuck them in the process.  Good job.

Again I never said anything about restricting the use of vulnerability
information.

> Ok, so you have a database that can be used commercially, or you don't.
> Notice how there's no fucking in-between?  And what if a person wants
> to use the "non-commercial database" in their commercial product?
> Does this now require a licensing fee?  Or do you just turn them away?
> This has sham written all over it.

No it has your confusion written all over it.

> > think there should be a law restricting free speech.  Once someone has
> > chosen to publish information they are going to publish it.  It is better
> > for the community that VulnWatch approve these messages so that everyone
> > can get the information at the same time.
>
> I really wish you weren't so two-faced, paradoxial, and self-righteous.
> And on that note, how does this make VulnWatch any different from any
> other security mailing list?  Securiteam does the same thing.  This
> list allegedly does the same thing.  Bugtraq does the same thing.

How is this two-faced?  SecurityFocus/Symantec just announced a similar
dual policy.  Once policy for vulnerability information that Symantec
researchers originate and control the release of and another policy for the
moderation of the Bugtraq disclosure list.  Once someone decides to publish
information it will be published.  Some researchers even run their own
lists and now there is an unmoderated disclosure list.  Bugtraq or
Vulnwatch wouldn't be stopping anything by not approving disclosure
messages.

> Bottom-line, there's going to be people that make money off security
> information whether you like it or not.  @Stake does.  SecurityFocus
> does.  ISS does.  NAI does.  Even CERT does.  Welcome to the capitalist
> world; leave your agendas and egos at the door.  Any company that uses
> information/software provided by them tends to make money, as they
> spend less time down due to security incidents.  Funny how economics
> work, isn't it?

Again I never said to not let commercial entities make money off security
information.  I simply stated the economics of the vulnerability database
case.  I now realize you are the one with the ego problem and the agenda
issues. As you know I work at a commercial venture in the security industry
this paragraph above is a bit patronizing don't you think?

Well I hope I cleared up some of your misunderstandings.

-Chris