Full Disclosure mailing list archives

openssl exploit code (e-secure-it owned)


From: hellnbak () nmrc org (hellNbak)
Date: Thu, 19 Sep 2002 10:54:04 -0400 (EDT)

On Thu, 19 Sep 2002, Arjen De Landgraaf wrote:

> Thank you for taking the time to research our background,
> although a bit one-sided.
> Yes, a website got defaced a long time ago.  That is a fact.
> No-one is 100% secure (Richard Clarke), and we did learn from it.

You were defaced by a known security issue.  There was a patch available
yet you still got defaced.  So don't try to fall back on the "no one is
100% secure" garbage, because you were not even 50% secure when the
defacement happened.

> However, you could acknowledge that we were not the
> only one at the same time. Untold security companies
> and sites were defaced by PoizonB0x and others
> in that very same period. Including: SecurityNewsportal, CNet,
> Attrition, Lucent, Microsoft (18 times in total?), SANS,
> CERT, SecurityFocus and many others.

Was SecurityFocus actually defaced?  I thought they whacked an ad server
that then placed a hacked banner on the SF site.  I could be wrong though.

> If you also would have taken the effort to dig a bit further,
> you would also have found that two weeks later IDG NZ
> published a correction on their article, as it contained
> factual errors. As it happens with news media,
> the first article got spread around the world pretty
> quickly, the correction did not.

In other words, you guys made a quote, "oh it was a honeypot", then
realized how stupid it sounded so had a retraction printed.

> from readers of this list, and they are all very positive.
> In fact, you are the only negative.  Even more particular,
> your review is extremely negative. Makes me wonder why.

Here is another negative one.  Your site is horrible to navigate through.

> Our logs show no evidence that you actually went into
> the database to "do your review", and I must therefore ask
> questions on the objectivity of the "review" you conducted.

So your database includes a list of every known IP address that Eric might
have used?

> I challenge you to show any other online single free source with
> more complete information, any other free portal that enables
> a complete check-up on any and each IT infrastructure component,
> incl. routers, firewalls, databases, O/S's etc. etc. in a practical
> way.  Where an IT professional can check on all components
> of their IT infrastructure on potential vulnerabilities and patches.

There is one coming, although it is different from yours: it's not being
used to sell a service and there are no fees associated with it.

> You mentioned that the data is a week old.
> Heh, we just got it on the air last Sunday, give us a break. We
> have already had many thousands of hits within a few days.  Managing
> performance is a more important issue. Anyway, the data was
> at the time of your "review" only 2 days old.

I thought you guys only did weekly updates?  Can I do a dump of the entire
database for my use?

> These subscribers are very happy to pay for the added value we
> provide to them in our E-Secure-IT alerting service.

There is the kicker.  You are not a free service.  So don't pretend to be
one.

> The actual E-Secure-DB database component is now available to
> the global IT and business community.  Free.

As a marketing ploy to sell your other services.  At least be honest about
it.

> We believe that this initiative can make a powerful and positive
> difference to the IT professionals all over the world.

You are right, it probably will, but don't pretend that you are not a
business and that you don't have the motive of also making money off of
this venture.  That is where the problem is, in my mind anyways.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-