Penetration Testing mailing list archives

Re: 0-day exploit..do i hear $1000?


From: RT <roelof () sensepost com>
Date: Thu, 18 Oct 2001 21:56:29 +0000 (GMT)

RFP said:

+I work for a company that was in business before I ever published anything
+as RFP.  I've been there for years now.

I stand corrected. Read in an e-zine that you are a "security consultant".
Assumed it was your own company.

+I sit around and absorb myself in various security related challenges.  In
+the end, I have tools, research and information which I choose to share,
+to promote further research.

So do we. We just also want to make a living doing it. We don't rape the
industry - we contribute where we can.

+If I was truly a sell-out, why the hell would I release my tools and
+research to the world?  It would be worth more to me as exclusive
+proprietary intellectual property used as a service to paying customers.

RFP, the way I see this business is like this. You do your job, try to do it
better than the dude next door, build cutting edge technology, release it to
the public (as it's stupid to think that no-one else will get it anyhow) and use
it to get your company name out there, while you're contributing to the industry
as a whole. Does that mean selling out? I hope not.

As soon as you keep stuff to yourself (in terms of pen-testing etc.) you are
not acting in the spirit of the 'net...not so?

+Unfortunately, the world doesn't always work how everyone expects it to.
+And in the end, why should people sacrifice their lives and free time just
+to continuously pump 0day research into an industry where, if they don't
+profit from it, everyone else will?  Hell, sensepost.com is a security
+services company...are you saying that *every* tool you use is 100%
+developed by an employee of sensepost?

No, for sure not. It was kinda my point that people release tools and those
tools are used by people in the industry. We get the money - while other people
spend time writing them - I do understand the frustration. As I mentioned
before - the challenge is to make money, write some code and keep your brain in
shape at the same time. Sensepost also writes tools - and we publish those - we
think that we are contributing to the rest of the industry.

+So I've sold out because I share my research with others, but
+sensepost.com can take tools like nmap et al and use them to make a profit
+as a security service, and that's ok?

Hmmm..I don't get the "sold out" part. I am not saying that making a profit
using other people's tools is wrong. Is it? Don't we all contribute to share
tools - to make it easier for others to do their job better? Sensepost releases
all tools that we use, and those we have built for our own use - to share with
others. Give and take...

It could be that you misunderstood my previous email.
Anyhow...

Regards,
Roelof.
------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com            +27 83 448 6996
http://www.sensepost.com        http://www.hackrack.com

