Full Disclosure mailing list archives
Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...
From: Jason Stout <jstout () 0x4a com>
Date: Thu, 12 Feb 2004 15:10:40 -0500
On Thu, Feb 12, 2004 at 12:56:59AM -0600, Paul Tinsley wrote: <snip>
>> Show me one competitor that releases such detail at day 0 of patch release.
>
> It took me less than 5 minutes to find an advisory from one of eeye's major competitors who released an advisory WITHOUT a vendor patch being available.
>
>> When we - or our competitors - do not have full details on a vulnerability, we have to reverse engineer the patch to do so. And, we all do this.
>
> I am sorry that you have to do what you get paid to do. Would it be an unreasonable thing to consider a gentleman's agreement between assessment vendors to share network behavioral fingerprints for vulns such as these? The finder still gets credit, the vendor still gets to help his clients, and next time he isn't the one to find it he still gets to help his clients. Seems like a decent deal to me...

Yes it would be unreasonable. Early notification which in turn creates superior products is what justifies the money spent on R&D by these companies. Why should a security company who has two employees doing vulnerability research be privy to the same information as a competitor who employs 10+ researchers? On top of that, I think you fail to realize that some assessment vendors already have agreements in place with "certain large companies" who provide them with advanced notification. Oftentimes, a "network behavioral fingerprint" provides enough information to exploit the condition. In your magical little world, who gets the information and who doesn't? How do you prevent the info from reaching the wrong hands? CERT's tried this and failed.

>> So, people complaining about us releasing all of the details... They simply are ignorant of what must be done in this process. They like to scream and shout about how a worm will be coming and such, nevermind that they don't even understand our advisories in the first place.
>
> Don't hold yourself in such high regard to believe that people the likes of me cannot comprehend your bulletins, you would be wrong.

Proportionately speaking, I think the majority of people reading their advisory don't fully understand the technical details behind it. I know I don't. If you're one of the few minority who can, good for you. Drew never called you out directly. He was making a blanket statement which in my opinion is quite accurate.

<snip>

Regards,
Jason Stout

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Drew Copley (Feb 11)
- Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Paul Tinsley (Feb 12)
- Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Gregory A. Gilliss (Feb 12)
- Re: <to various comments>EEYE: Microsoft ASN.1 ... Ake Nordin (Feb 13)
- Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Jason Stout (Feb 12)
- [Full-Disclosure] RE: [kinda-but-not-really-Full-disclosure-so-we-feel-warm-and-fuzzy] Re: <to various comments>EEYE: Microsoft ASN.1 ... Brett Moore (Feb 12)
- Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Gregory A. Gilliss (Feb 12)
- <Possible follow-ups>
- RE: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Drew Copley (Feb 12)
- Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Brian Eckman (Feb 12)
- RE: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Kenton Smith (Feb 12)
- RE: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Drew Copley (Feb 12)
- Re: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... Paul Tinsley (Feb 12)