Full Disclosure mailing list archives
Symantec Buys SecurityFocus, among others....
From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Sat, 20 Jul 2002 22:28:18 +0000 (GMT)
On Fri, 19 Jul 2002 haiku () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As a consulting company that publishes vulnerability information and tools, we contribute to the pool that we drink out of.

Oh. So this is your argument. You contribute to it, therefore you may use it? Wait .... I thought you said the information should be free for non-commercial use. Does not taking from the pool to use within a company constitute commercial use? Genius! So, the "do as I say and not as I do" applies here? What other double-standards are we also applying in this discussion?
Please show where I said that vulnerability information or tools should be restricted to non-commercial use only. That was Jay. I suggested a public vulnerability database. I have been involved in the research, writing, or coordination of dozens and dozens of advisories for over 7 years. In not one case were these advisories restricted in any way. I might add that there was no advertising or other fluff. Just technical information.
So, now that we've clarified that there is, in fact, a double-standard here, this would explain why a certain vicious rumor about the @stake toolkit that somehow found the light of day contains not only many, many publicly available exploits, but also some 0day that the vendors have yet to fix. Tell me, Chris, I'm a little confused how this applies to both "Responsible Disclosure" and "information being free for non-commercial use." From my take, there's nothing responsible
You have clarified nothing. You are inventing controversy where there is none. Let me know about which specific files have 0day information in them that we are supposedly distributing and I will investigate. We have nothing to hide here. Again the non-commercial use is something that Jay was talking about. We give out the @stake Pocket Security Toolkits at trade shows so obviously they are for commercial use too.
What about the folks that don't speak English as a first language, or no English whatsoever?
I don't understand the point here.
In short, yeah, you could say I'm skeptical. And what's going to stop other information security companies from using it anyway? If the data is freely available, it's there for the harvest. If you want to prevent it from being exploited by outside parties, you have to neuter it to where there's no details whatsoever. Then, it becomes roughly tits on a boar.
I never proposed restricting the use of the public vulnerability database.
FYI, as I recall, the information in the Bugtraq Database is freely available to the public through their web site anyways. Perhaps you may have overlooked this.
Sure, and it is the best one out there. That doesn't mean another database that allowed mirroring of the database itself and was updated by the vulnerability reporters and edited by the community couldn't be better. Maybe it won't be better. Why not discuss it rationally without flying off the handle with accusations of hidden agendas that never materialize?
The open source tools could tie into it. Open Source != Non-Commercial.
And your point is?
Ok, as I recall, Renaud was at least making a little money off his project by offering support, while the rest of these pentest dirtbags exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm wrong here, but first, doesn't this mean that Renaud would no longer be able to offer commercial support for his product? I think so.
We never charged any money for the @stake toolkit. I am not exactly sure why you think I am proposing anything that would restrict Renaud from making money charging support?
And I believe the same applies to Marty, as Sourcefire is offering commercial products built on Snort. Gee, what a fucking HUGE hole in your logic. And, you additionally fuck them in the process. Good job.
Again I never said anything about restricting the use of vulnerability information.
Ok, so you have a database that can be used commercially, or you don't. Notice how there's no fucking in-between? And what if a person wants to use the "non-commercial database" in their commercial product? Does this now require a licensing fee? Or do you just turn them away? This has sham written all over it.
No it has your confusion written all over it.
think there should be a law restricting free speech. Once someone has chosen to publish information they are going to publish it. It is better for the community that VulnWatch approve these messages so that everyone can get the information at the same time.

I really wish you weren't so two-faced, paradoxical, and self-righteous. And on that note, how does this make VulnWatch any different from any other security mailing list? Securiteam does the same thing. This list allegedly does the same thing. Bugtraq does the same thing.
How is this two-faced? SecurityFocus/Symantec just announced a similar dual policy. One policy for vulnerability information that Symantec researchers originate and control the release of, and another policy for the moderation of the Bugtraq disclosure list. Once someone decides to publish information it will be published. Some researchers even run their own lists, and now there is an unmoderated disclosure list. Bugtraq or VulnWatch wouldn't be stopping anything by not approving disclosure messages.
Bottom-line, there's going to be people that make money off security information whether you like it or not. @Stake does. SecurityFocus does. ISS does. NAI does. Even CERT does. Welcome to the capitalist world; leave your agendas and egos at the door. Any company that uses information/software provided by them tends to make money, as they spend less time down due to security incidents. Funny how economics work, isn't it?
Again, I never said to not let commercial entities make money off security information. I simply stated the economics of the vulnerability database case. I now realize you are the one with the ego problem and the agenda issues. As you know, I work at a commercial venture in the security industry; this paragraph above is a bit patronizing, don't you think? Well, I hope I cleared up some of your misunderstandings.

-Chris