Re: Symantec Change Posting Criteria (was Re: Administrivia)

[<cepacolmax () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Your points are excellent - thanks. I was one of the individuals that
responded to the original question. My post was denied, though it used
no foul language, and violated the list charter in no way.

Its good to see that my reaction to this moderator's sudden bout of nerves
was not singular.

I wonder of it has something to do with the fact that CORE is a major
advertiser on the security focus site, and my review was less than glowing?

For those who are interested, here is the text of my original response
to Mr. Wolf's request for information about the real-world perofrmance
of the CORE Impact tool:
<quote>
We're testing the app in-house right now. I'd have to give it a 5 out

of 10.

There is some potential here - the interface is nice, and it is appealing

to have an outside shop researching/developing new exploits.

The existing exploits are fairly well documented. Info is included as

to what service the exploits attacks, and how.

The tool lends itself nicely to a structured methodology, so that repeated

evaluations and evaluations of large numbers of hosts are sure to be

apples:apples comparisons from one test to the next.

Also, the CORE team has been very willing to help, and very accommodating.


However, there are some issues. You can't evaluate a host until you have

run network discovery and found it, and network discovery is limited

to ping sweeps, arp, tcp scans, and sniffing. There is no way to evaluate

a host that does not get picked up by one of these tools.

Exploits are a bit limited, and mostly cater to testing IIS. We have

a great deal of HP-UX & Solaris on our network, so this is not a very

good match at present. Also, The rate at which new exploits are delivered

currently leaves something to be desired. We've been testing the Impact

for a month now, and I haven't seen any new exploits appear in the list.

Also, the list of exploits seems to be entirely webserver oriented. There

are simply no exploit for routers or firewalls or any other component

of a common network.

There are also some bugs in the software - it doesn't seem be consistently

able to recognize the NIC - One time you start the app, and all is well.

The next time you start, you may get a "network interface not found"

warning. Sometimes this can be corrected just by telling the app which

card to use, but on some installations the list of NICs within the app

is blank, even though other apps can see and use it. In this particular

case, the NIC is not something highly irregular - just an old Intel PCI

NIC.

Fingerprinting is also somewhat lacking. I just downloaded an update

today, but Impact still cannot ID half the windows boxes on my test network.


Finally, there is the fact that we have yet to compromise a single host

using this tool. My next step is to tailor-make a vulnerable box for

one of the provided exploits, and see if Impact can penetrate it. I'll

keep you posted, if you like.
</quote>


Regards,
cMax



On Mon, 07 Jul 2003 12:51:42 -0700 Gwendolynn ferch Elydyr <gwen () reptiles org>
wrote:
> I've CC'd this email to full-disclosure, so that those folks that
> aren't
> on pen-test are aware of the policy change to posting requirements
> on
> that list - and potentially to more of the securityfocus lists.
> It's
> interesting to note that the only list that appears to have an exemption
> from this type of policy or arbitrary action is bugtraq.
>
> On Mon, 7 Jul 2003, Alfred Huger wrote:
> > Recently someone posted a question regarding a product (CORE Impact)
> to
> > the list. These types of posts always make me leery because this
> industry,
> > being what it is, rarely has anything nice to say about anything.
> Being a
> > product vendor myself I am particularly aware of how ugly people
> can be.
> > Often, if not always, when these come out the competitors to the
> product
> > generate email addresses elsewhere and have their way. Or the
> vendor
> > itself does the same thing and pumps their product.
>
> When I first read this posting, I went and checked the headers,
> to see
> if it was a forgery. The style seemed rather unlike AH, and the
> content
> was (at best) distressing. To my chagrin, this actually appears
> to be
> valid email.
>
> > The list has 13,000 + people on it. Many of them decision makers
> so I need
> > to be fairly careful about this. So here are the ground rules
> moving
> > forward:
> >
> > 1.   If you want to post about a product  positive or negative you
> > cannot do so from a Huhsmail or other such account.
> >
> > 2.   If you plan to post use your real name or do not post.
> >
> > 3.   Be polite  period.
> >
> > 4.   Do not use this as a forum to take shots at your competitor
> or I
> > will see you and your company banned from every list we have here
> (except
> > Bugtraq).
>
> I have to ask.
>
> Why?
>
> Did the Symantec lawyers have a sudden bout of panic about potential
> defamation lawsuits? Are there so many posts to the list that contain
> problematic content?
>
> This isn't full-disclosure, the last time I checked. To the best
> of
> my knowledge, pen-test is a moderated list. Surely the moderator
> is
> capable of noting the difference between "Your product sukz0rs"
> and
> "The product proved unable to stand up to traffic above 100Mhz"
> - and
> of passing the appropriate posting through, whether it has "John
> Doe"
> or "thunderfallingdown" attached to it as a moniker.
>
> Beyond that, threats seem inappropriate. "...I will see you and
> your
> company banned from every list we have..." Has Symantec stooped
> to this
> level, or is this personal opinion.
>
> I lament the former list - and the free flow of useful information.
>
> cheers!
> ==========================================================================
> "A cat spends her life conflicted between a deep, passionate and
> profound
> desire for fish and an equally deep, passionate and profound desire
> to
> avoid getting wet.  This is the defining metaphor of my life right
> now."
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj8KI7MACgkQ6muvpb42jIC4YACgmVN5BwetaWlWXW2bh5fLB1yxZc0A
oLPXGP8CNQvi3Et9yNeMUbiRyVXg
=DNhd
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html