Full Disclosure mailing list archives
RE: Re: Re: <to various comments>EEYE: MicrosoftASN.1 ...
From: "Drew Copley" <dcopley () eeye com>
Date: Thu, 12 Feb 2004 12:01:28 -0800
-----Original Message-----
From: Kenton Smith [mailto:ksmith () chartwelltechnology com]
Sent: Thursday, February 12, 2004 11:55 AM
To: Drew Copley
Cc: Paul Tinsley; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Re: <to various comments>EEYE: MicrosoftASN.1 ...

Mr. Copley,

I'm not an Eeye customer nor do I necessarily share the views of the original poster. However, if I were you I'd quit while you're ahead. This sort of tone from a representative of the company doesn't reflect well on the company in general. Whether the poster is knowledgeable or not, a professional or not, a troller or not, insults from a company representative, in my view, will bias my opinion towards that company as a whole. If I purchase an Eeye product and ask what the representative thinks is a stupid question, will I get a constructive answer to help me or will I get laughed off the phone? I don't know, and now I wonder.
I am not a sales representative, however I am extremely patient and always have been with users of our software (or my own, or anyone else's). For years I have taken a lot of time to help people through technical problems. And, I surely do not even mind taking a lot of abuse. I believe in taking abuse as a matter of personal policy. This individual did not ask a stupid question. I think that is apparent to everyone. Further, again, my opinions are my own. I will tell you the truth. Perhaps to a fault, in this case. Though, I think maybe it will help him on his way down the years. Regardless, I had already set my mind not to deal with anymore trolls.
There are enough people who respond with insults on this list, it'd be nice if we didn't see it from corporate representatives as well.

Kenton

On Thu, 2004-02-12 at 12:17, Drew Copley wrote:

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Tinsley
Sent: Wednesday, February 11, 2004 10:57 PM
To: Drew Copley
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

Drew Copley wrote:

Without replying to each troll, individually, I thought maybe some people would like to see some answers to some notes.

Most of these are from me, so I will personally respond to those that apply. And believe it or not, this is not a troll, I really wanted to see people's viewpoints on this subject.

Somehow, I find this hard to believe.

These are my own comments, I speak for myself.

Question: "Why release all of the details"

This statement is not an accurate paraphrase, I didn't say why release them all. I said why release them all on day 0 of the patch release.

Answer: Polls show this is what administrators want. This is one reason we do this. Another reason we do this is simple, we use the details ourselves. We use the details to create signatures for our vulnerability assessment tool and firewall. Security administrators then download these signatures and use them to check for patches or to protect systems which can not yet be patched.

Administrators don't need this crap to fix their boxes, they simply need the exploit vectors, the possible mitigation steps, and the potential severity of the vulnerability.

<snip>

I have gone over this a few times with some others. I believe I already said it here. You seem to be unable to either hear it or believe it.

In no particular order:

One, the polls show that more want it than not.

Two, we sell products which secure their boxes. We have a lot of customers. Our competitors do the same thing. Altogether, we are the industry. We have to know what the security hole was, so do our competitors. Then, we can protect against this. So can they.

Three, we don't give out exploit code. You can't make an exploit from our advisory. I don't know you, I don't know who you are. But, frankly, not that many people can even write exploit code. With these bugs, you would have to be able to not only write the exploit code but also understand the cryptographic references and their implementations in the Windows OS. It isn't all that hard. But, it turns out, that the guys who can write exploit code also can reverse engineer patches... They can also understand our advisories, but they can also find their own bugs.

Okay? Real world.

But, I don't think you understand that. Why should I go on. It isn't rocket science. But, you are saying, "I know, I know". And, you do not know. That is when people can neither learn nor understand.

Now, as a brief disclaimer... Security, being able to do these things is not something that requires someone to have a tumor in their brain that makes their IQ magically go up a thousand points. It requires only desire. This means a predisposition. You have to be willing and wanting to sit there and work through these things.

So, you really have no excuse not to understand these things. You are a Monday morning quarterback.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html