Full Disclosure mailing list archives

RE: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...


From: "Drew Copley" <dcopley () eeye com>
Date: Thu, 12 Feb 2004 11:17:07 -0800

 

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Tinsley
Sent: Wednesday, February 11, 2004 10:57 PM
To: Drew Copley
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

Drew Copley wrote:

Without replying to each troll, individually, I thought maybe some 
people would like to see some answers to some notes.


Most of these are from me, so I will personally respond to 
those that apply.  And believe it or not, this is not a 
troll, I really wanted to see people's viewpoints on this 
subject. 


Somehow, I find this hard to believe.



These are my own comments, I speak for myself.

Question: "Why release all of the details"


This statement is not an accurate paraphrase, I didn't say 
why release them all.  I said why release them all on day 0 
of the patch release.

Answer: Polls show this is what administrators want. This is one reason 
we do this. Another reason we do this is simple, we use the details 
ourselves. We use the details to create signatures for our 
vulnerability assessment tool and firewall. Security administrators 
then download these signatures and use them to check for patches or to 
protect systems which can not yet be patched.


Administrators don't need this crap to fix their boxes, they 
simply need the exploit vectors, the possible mitigation 
steps, and the potential severity of the vulnerability. 

<snip>

I have gone over this a few times with some others. I believe I already
said it here. You seem to be unable to either hear it or believe it. 

In no particular order:

One, the polls show that more want it than not.

Two, we sell products which secure their boxes. We have a lot of
customers. Our competitors do the same thing. Altogether, we are the
industry. We have to know what the security hole was, so do our
competitors. Then, we can protect against this. So can they. 

Three, we don't give out exploit code. You can't make an exploit from
our advisory. I don't know you, I don't know who you are. But, frankly,
not that many people can even write exploit code. With these bugs, you
would have to be able to not only write the exploit code but also
understand the cryptographic references and their implementations in the
Windows OS. It isn't all that hard. But, it turns out, that the guys
who can write exploit code also can reverse engineer patches... They can
also understand our advisories, but they can also find their own bugs.

Okay?

Real world.

But, I don't think you understand that. Why should I go on. It isn't
rocket science. But, you are saying, "I know, I know". And, you do not
know. That is when people can neither learn nor understand.

Now, as a brief disclaimer... Security, being able to do these things is
not something that requires someone to have a tumor in their brain that
makes their IQ magically go up a thousand points. It requires only
desire. This means a predisposition. You have to be willing and wanting
to sit there and work through these things.

So, you really have no excuse not to understand these things.

You are a Monday morning quarterback. 





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

