RE: Re: Re: <to various comments>EEYE: MicrosoftASN.1 ...

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: Kenton Smith [mailto:ksmith () chartwelltechnology com] 
> Sent: Thursday, February 12, 2004 11:55 AM
> To: Drew Copley
> Cc: Paul Tinsley; full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Re: Re: <to various 
> comments>EEYE: MicrosoftASN.1 ...
>
> Mr. Copley,
>
> I'm not an Eeye customer nor do I necessarily share the views 
> of the original poster. However, if I were you I'd quit while 
> you're ahead.
> This sort of tone from a representative of the company 
> doesn't reflect well on the company in general. Whether the 
> poster is knowledgeable or not, a professional or not, a 
> troller or not, insults from a company representative, in my 
> view, will bias my opinion towards that company as a whole. 
> If I purchase an Eeye product and ask what the representative 
> thinks is a stupid question, will I get a constructive answer 
> to help me or will I get laughed off the phone? I don't know, 
> and now I wonder.

I am not a sales representative, however I am extremely patient and
always have been with users of our software (or my own, or anyone
else's). For years I have taken a lot of time to help people through
technical problems. And, I surely do not even mind taking a lot of
abuse. I believe in taking abuse as a matter of personal policy.

This individual did not ask a stupid question. 

I think that is apparent to everyone.

Further, again, my opinions are my own. I will tell you the truth.
Perhaps to a fault, in this case. Though, I think maybe it will help him
on his way down the years.

Regardless, I had already set my mind not to deal with anymore trolls.



> There are enough people who respond with insults on this 
> list, it'd be nice if we didn't see it from corporate 
> representatives as well.
>
> Kenton
>
> On Thu, 2004-02-12 at 12:17, Drew Copley wrote:
> > > -----Original Message-----
> > > From: full-disclosure-admin () lists netsys com
> > > [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul 
> > > Tinsley
> > > Sent: Wednesday, February 11, 2004 10:57 PM
> > > To: Drew Copley
> > > Cc: full-disclosure () lists netsys com
> > > Subject: Re: [Full-disclosure] Re: Re: <to various
> > > comments>EEYE: Microsoft ASN.1 ...
> > >
> > > Drew Copley wrote:
> > >
> > > > Without replying to each troll, individually, I thought 
> maybe some 
> > > > people would like to see some answers to some notes.
> > > Most of these are from me, so I will personally respond to those 
> > > that apply.  And believe it or not, this is not a troll, I really 
> > > wanted to see people's viewpoints on this subject.
> >
> >
> > Somehow, I find this hard to believe.
> >
> >
> >
> > > > These are my own comments, I speak for myself.
> > > >
> > > > Question: "Why release all of the details"
> > > This statement is not an accurate paraphrase, I didn't say
> > > why release them all.  I said why release them all on day 0
> > > of the patch release.
> > >
> > > > Answer: Polls show this is what administrators what. This is
> > > one reason
> > > > we do this. Another reason we do this is simple, we use 
> the details
> > > > ourselves. We use the details to create signatures for our
> > > > vulnerability assessment tool and firewall. Security 
> administrators
> > > > then download these signatures and use them to check for
> > > patches or to
> > > > protect systems which can not yet be patched.
> > > Administrators don't need this crap to fix their boxes, they
> > > simply need the exploit vectors, the possible mitigation
> > > steps, and the potential severity of the vulnerability.
> >
> > <snip>
> >
> > I have gone over this a few times with some others. I 
> believe I already
> > said it here. You seem to be unable to either hear it or believe it.
> >
> > In no particuliar order:
> >
> > One, the polls show that more want it then not.
> >
> > Two, we sell products which secure their boxes. We have a lot of
> > customers. Our competitors do the same thing. Altogether, we are the
> > industry. We have to know what the security hole was, so do our
> > competitors. Then, we can protect against this. So can they.
> >
> > Three, we don't give out exploit code. You can't make an 
> exploit from
> > our advisory. I don't know you, I don't know who you are. 
> But, frankly,
> > not that many people can even write exploit code. With 
> these bugs, you
> > would have to be able to not only write the exploit code but also
> > understand the cryptographic references and their 
> implementations in the
> > Window's OS. It isn't all that hard. But, it turns out, 
> that the guys
> > who can write exploit code also can reverse engineer 
> patches... They can
> > also understand our advisories, but they can also find 
> their own bugs.
> > Okay?
> >
> > Real world.
> >
> > But, I don't think you understand that. Why should I go on. It isn't
> > rocket science. But, you are saying, "I know, I know". And, 
> you do not
> > know. That is when people can neither learn nor understand.
> >
> > Now, as a brief disclaimer... Security, being able to do 
> these things is
> > not something that requires someone to have a tumor in 
> their brain that
> > makes their IQ magically go up a thousand points. It requires only
> > desire. This means a predisposition. You have to be willing 
> and wanting
> > to sit there and work through these things.
> >
> > So, you really have no excuse not to understand these things.
> >
> > You are a Monday morning quarterback.
> >
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html