Full Disclosure mailing list archives

Re: Google Groups e-mail disclosure in plain text


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 19 Apr 2006 04:27:08 -0500

n3td3v wrote:
> [...]
> Furthermore, Secunia are the biggest "scene whore" professional
> website in the industry.

Uhh, dude... the scene and the industry are essentially two different
things.  There's no such thing as a "professional scene whore" unless
you're a) delusional or b) in Vegas.

> There's nothing on their site that wasn't available via other public sources.

DUH.  It's called *competition*.  Should my neighborhood dollar store go
out of business because, DUH, it's all available at Wal-Mart anyway?
No.  We call those monopolies.  In the software industry, we call this
monopoly Microsoft.

Since you're so anti-corporate and all, you should already *know* that.
 That really takes an anti-corporate personality (or a lifetime in a
cave) to call me "pro-Microsoft", now doesn't it?  Especially amongst
people here, I'm a pretty tough-to-please Microsoft critic.

> With Secunia, it's all about republish, republish, republish people's shiz.

You're slighting Secunia.  At least Secunia does SOME original research.
 Further, the service that Secunia provides is one of centralization and
organization.  There are hundreds of points of delivery and discussion
for original research, Secunia itself being one of them.  Secunia,
SecurityTracker, and a whole load of other similar services make an
entire business out of mining those sources of information, *verifying*
it (and believe me, I've seen flat-out wrong vuln reports before), and
presenting it in a consistent, usable format.

Is it a simple, almost trivial chore?  Probably.  Is it tedious and time
consuming?  You bet.

If you'd ever administered a network with a few hundred or so machines
with (if you're lucky) a handful of other people on your staff, you'd
know.  Each individual business or institution with assets to secure
cannot feasibly afford the costs of doing independent intel gathering,
even with something as basic as an alerting service.  Otherwise, folk
like Secunia wouldn't have a market.

> And you want everyone to thank them for "secure" hosting? Don't kid a kidder...

Yeah... secure enough.  And, oh by the way... it's free.  Didn't your
mommy teach you how to say "thank you" like a good little boy when
strangers do nice things for you?

Or do you just extort favors from people with your six-machine botnet
from the latest Google Groups spam run?  We're really shakin' now.

> If they did something special with their website like Securityfocus
> does, then I might be able to bear their illegal footer message spam

"Illegal"?  What planet/drug are you on?  There's a small problem with
your "legal theory" here.  Secunia's sneaky footer insertion attack that
renders e-mails to F-D oh-so-totally useless has a perfectly legal
explanation, you see.  THEY OWN THE SERVER.  As in, you know, bought it,
paid for it, and maintain it?

I hope that's not too complicated for you.

Next time you feel like criticizing Secunia (or anyone else), try
finding a criticism that makes sense.

> and their scene whore republication of advisories they claim are
> Secunia exclusives.

I'm not going to be one to defend Secunia here, but I don't think they
claim that the raw information in MOST of their advisories is
"exclusive".  Granted, they sometimes make mistakes on crediting sources
and supplementing information, but I haven't heard them make a claim
that something public was "exclusive".  Even in the case of their own
research, they publicize it for the community and other normative
sources rip it off in turn.

The only semi-exclusive work they do (to my knowledge) is the data
plotting (charting, graphing, etc.) that examines a few trends (number
of advisories, risk levels of vulnerabilities, patches available, etc.)
for specific products.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
