Re: iDefense: Solution or Problem?

[VX Dude <vxdude2003 () yahoo com>]

Just a quick thought for a business plan.

1) Start off with a low investment of $1200.
2) Buy a couple chunks of Entersys source code from
SCC
3) Find vulnerabilities and write 0-day exploits
4) give 0day to your investors
5) sell 0day to iDefense (or Sourcefire hahahahaha)
for $300 a pop
6) Use profits of sale to buy more chunks of
sourcecode
7) Repeat steps 3-6 until complete
8) Release code as "open source" dimishing its
corporate value
9) make a business using this "open source" IDS and
compete with Sourcefire hahahahaha
10) Release IPO =D

Now, I'm no lawyer, but Hollywood has taught me that
its probably illegal to _knowingly_ buy illegal goods
(such as entersys source), but! is it illegal for
iDefense to buy the research from illegal bought
goods?

-vx

_______________________________________________
Full-Disclosure - We suck it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html

--- idefense () hushmail com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Michael, you claim that this is a typo, but is it
> really? Even if this
> is a typo, how do you explain waiting over a month
> to contact the vendor?
> How do you explain past times when iDefense waited
> over a year to notify
> a vendor? How does this relate to the iDefense
> disclosure policy?
>
> http://www.idefense.com/legal_disclosure.jsp
> iDEFENSE will responsibly inform vendors as soon as
> possible after having
> learned of a problem with their product(s) or
> service(s).
>
> Note: ".. will responsibly inform vendors as soon as
> possible after having
> learned of a problem". There is absolutely no
> debating that this is pure
> marketing fluff and not how iDefense operates. Look
> at their history
> of vulnerability disclosure and their timelines for
> proof. The real question
> becomes, just how unethical and how greedy iDefense
> really is! Further,
>
>  are they now rewriting history to desperately
> protect their already
> dark image? Witness:
http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html
> Adobe Reader 6.0 Filename Handler Buffer Overflow
> Vulnerability
> VII. DISCLOSURE TIMELINE
> 02/02/2003 Exploit discovered by iDEFENSE
> 03/11/2004 Initial vendor notification
>
> Did iDefense sit on this vulnerability for 17
> months? Shortly before
> or after Cary Barker pointed this out on
> Full-Disclosure
(http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html),
> iDefense
> seems to have had a change of heart!
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
> 02/02/2004  Exploit discovered by iDEFENSE
> 03/11/2004  Initial vendor notification
>
> The first and understandable reaction (excuse) would
> be "iDefense had
> a typo", but once again, digging into their past
> vulnerabilities, is
> that really the case?! Even if THIS advisory had a
> typo, how about some
> others this year?!
http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
> 04/03/2003  Vulnerability acquired by iDEFENSE
> 07/08/2004  Public disclosure
http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
> 04/05/03  Vulnerability acquired by iDEFENSE
> 05/17/04  Public disclosure
http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
> April 2, 2003 Exploit acquired by iDEFENSE
> May 12, 2004  Coordinated public disclosure
>
> Sitting on vulnerabilities for a year before
> notifying the vendors is
> not what 'white hat' hackers do. These aren't the
> actions of a reputable
> security company. Combine this with the fact you
> sell this information
> to people in foreign companies and governments,
> including some that are
> "harboring terrorists" (according to our government)
> makes your actions
> potentially criminal. What, you haven't checked your
> client list carefully?
> Selling vulnerability information to terrorist
> nations isn't very friendly
> to the US!
>
> Looking back at your 2004 advisories (and some in
> 2003), could anyone
> at iDefense explain how their responsible disclosure
> policy applies?
> Here is a general idea of their disclosure process
> and time frames:
>
> Advisory  Discovery  Publish  Vend Notify  Publish
> Time
> 07.12.04  03-02-02   04-07-12 13 mo  7 d   17 mo 10
> d
> 07.09.04  04-06-29   04-07-09        7 d         10
> d
> 07.08.04  03-04-03   04-07-08 14 mo 26 d   15 mo  5
> d
> 07.01.04  03-09-27   04-07-01  8 mo  7 d    9 mo  4
> d
> 06.23.04  04-04-21   04-06-23       14 d    2 mo  2
> d
> 06.21.04  04-02-26   04-06-21  3 mo 13 d    3 mo 25
> d
> 06.10.04  04-04-14   04-06-10       28 d    1 mo 26
> d
> 06.08.04  04-04-27   04-06-07       22 d    1 mo 10
> d
> 06.07.04  03-04-05   04-05-17 13 mo  2 d   13 mo 12
> d
> 05.27.04  04-02-18   04-05-27       20 d    3 mo  9
> d
> 05.26.04  04-02-18   04-05-26       20 d    3 mo  8
> d
> 05.12.04  03-04-02   04-05-12 12 mo  5 d   13 mo 10
> d
> 04.15.04  03-12-08   04-04-15  1 mo 16 d    5 mo  7
> d
> 04.14.04  04-01-09   04-04-14  1 mo 11 d    3 mo  5
> d
> 04.13.04  04-01-12   04-04-13        5 d    2 mo 24
> d
> 04.05.04  04-01-09   04-04-05  1 mo 16 d    2 mo 26
> d
> 03.19.04  04-01-13   04-03-19       24 d    2 mo  5
> d
> 03.09.04  03-10-10   04-03-11  1 mo  2 d    5 mo  1
> d
> 03.02.04  04-01-22   04-03-02       25 d    1 mo 10
> d
> 02.27.04  04-01-13   04-02-27       26 d    1 mo 14
> d
> 02.27.04  04-02-04   04-02-27        6 d         23
> d
> 02.23.04  03-12-08   04-02-23  1 mo 21 d    2 mo 15
> d
> 02.17.04  03-10-31   04-02-17  4 mo  2 d    4 mo 19
> d
> 02.12.04  04-02-09   04-02-12        0 d          3
> d
> 02.10.04  04-01-09   04-02-10       24 d    1 mo  1
> d
> 02.04.04  03-12-08   04-02-02  1 mo 21 d    1 mo 24
> d
> 09.25.03  03-02-25   ?                 8 mo  0 d    ?
> 07.29.03  03-04-20   03-07-29  2 mo 11 d    3 mo  9
> d
> 07.01.03  03-03-11   03-07-01  3 mo  0 d    3 mo 19
> d
> 05.22.03  02-12-31   03-05-22  4 mo 17 d    5 mo 22
> d
> 02.12.03  02-10-31   03-02-12  2 mo 29 d    3 mo 13
> d
> 02.03.03  02-01-11   03-02-10 12 mo  9 d   12 mo 29
> d
>
> "iDEFENSE will responsibly inform vendors as soon as
> possible after having
> learned of a problem with their product(s) or
> service(s)."
>
> Five different times, iDefense sat on a
> vulnerability for OVER A YEAR.
> They routinely wait one or more months to notify the
> vendor. Is that
> "as soon as possible"? Of course not, that would
> hurt the bottom line.
>
>
> Sincerely,
> Dark Elf
>
>
>
> References
>
> 07.12.04 - Adobe Reader 6.0 Filename Handler Buffer
> Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
> 02/02/2004  Exploit discovered by iDEFENSE
> 03/11/2004  Initial vendor notification
> 03/11/2004  Initial vendor response
> 03/11/2004  iDEFENSE clients notified
> 06/07/2004  Vendor update released
> 07/12/2004  Public Disclosure
> * original full-disc post listed 02/02/2003
> discovery date
>
>
> 07.09.04 - wvWare Library Buffer Overflow
> Vulnerability
http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities
> 06/29/2004  Initial vendor contact
> 07/06/2004  Vendor response
=== message truncated ===



                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html