Full Disclosure mailing list archives

Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...


From: Jason Stout <jstout () 0x4a com>
Date: Thu, 12 Feb 2004 15:10:40 -0500

On Thu, Feb 12, 2004 at 12:56:59AM -0600, Paul Tinsley wrote:
<snip>
Show me one competitor that releases such detail at day 0 of patch release.

It took me less than 5 minutes to find an advisory from one of eeye's 
major competitors who released an advisory WITHOUT a vendor patch being
available.


When we - or our competitors - do not have full details on a
vulnerability, we have to reverse engineer the patch to do so. And, we
all do this. 


I am sorry that you have to do what you get paid to do.  Would it be an 
unreasonable thing to consider a gentleman's agreement between assessment 
vendors to share network behavioral fingerprints for vulns such as 
these?  The finder still gets credit, the vendor still gets to help his 
clients, and next time he isn't the one to find it he still gets to help 
his clients.  Seems like a decent deal to me...

Yes it would be unreasonable. Early notification which in turn creates
superior products is what justifies the money spent on R&D by these 
companies. Why should a security company who has two employees doing
vulnerability research be privy to the same information of a competitor
who employs 10+ researchers? 

On top of that, I think you fail to realize that some assessment vendors
already have agreements in place with "certain large companies" who 
provide them with advanced notification.

Oftentimes, a "network behavioral fingerprint" provides enough 
information to exploit the condition. In your magical little world, who
gets the information and who doesn't? How do you prevent the info from
reaching the wrong hands? CERT's tried this and failed.

So, people complaining about us releasing all of the details... They
simply are ignorant of what must be done in this process. They like to
scream and shout about how a worm will be coming and such, never mind
that they don't even understand our advisories in the first place.



Don't hold yourself in such high regard to believe that people the 
likes of me cannot comprehend your bulletins; you would be wrong.

Proportionately speaking, I think the majority of people reading their
advisory don't fully understand the technical details behind it. I know
I don't. If you're one of the few minority who can, good for you. Drew
never called you out directly. He was making a blanket statement
which in my opinion is quite accurate.

<snip>

Regards,
Jason Stout

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
