Full Disclosure mailing list archives

RE: Security Industry Under Scrutiny: Part One


From: "João Miguel Neves" <joao () silvaneves org>
Date: Thu, 7 Nov 2002 14:21:02 -0000 (WET)

* security advisories are rarely based on original concepts

Agreed.

* most of them are filled with lots of crap used to build up the reputation of the whitehat.

And sometimes enough information for me to repeat the test and check if
I'm also vulnerable.

* whitehats should contact vendors and not public forums as only the vendors can release an update.

Most do that. If you regularly read mailing-lists like bugtraq or
full-disclosure you'll find that almost all (if not all in the last year) have a
vendor status that describes how and when the vendor was contacted and
what its reaction was.

* "proof of concept" toolz are used to fuel script kiddies so as to justify the employment of security professionals.  kinda like the CIA bombing a sky scraper to get more funding.

This is a blatant lie. There are a lot of companies that won't correct a
problem in their software if there is no "proof of concept". Personally
I like proof of concept tools - they speed up my testing of my computers,
my company's computers and my clients' computers. They also help to better
understand the vulnerability and to identify whether it's a real one or simply a
repetition of some old one.

things we can do to make the security industry better:

* dont post to public forums.  contact the vendor directly.  make vendors more responsible for their products.

And what to do when they ignore you? The mechanics of "full disclosure"
(or "posting to public forums" as you put it) are that vendors will not
correct software problems just because they exist, but they'll do it to
protect their image and reputation. Before "full disclosure" it wasn't
strange to see a software company like Sun take years to produce a fix
for a security bug. I don't want to go back to that dark age.

* stop producing "proof of concept" code/tools, as these are more often used to harm, rather than to heal.
* care more about security and less about money.

That's what I'm doing; unfortunately positions like yours make my job, and
that of everyone in the security industry, more difficult and more expensive,
making sure that we'll have less, not more, security.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html