Penetration Testing mailing list archives

RE: Scanners and unpublished vulnerabilities - Full Disclosure


From: "Marc Maiffret" <marc () eeye com>
Date: Tue, 28 May 2002 18:49:01 -0700

Not sure if my last email got through to the list where I apologized for my
dumbass email I sent earlier. It was out of line and not very well thought out.
That was me fucking up :-] Apologies again. Back to my hole.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
| Sent: Tuesday, May 28, 2002 6:43 PM
| To: Marc Maiffret; Drew; pen-test () securityfocus com
| Subject: RE: Scanners and unpublished vulnerabilities - Full Disclosure
|
|
| At 04:20 PM 5/28/2002, Marc Maiffret wrote:
|  >I couldn't agree more. I personally see it as a ploy touting the fact that
|  >their purchasable product will now and then be able to look for some
|  >vulnerabilities that other products won't be able to.
|
| Hey Marc- hope all is well...
|
| I have to say that I'm confused... Are you speaking from the perspective of
| the pot or the kettle?  Sorry, I had to ;)   But before you get all pissed
| at me, let me say that the only reason I have considered buying *your*
| product when I can get stuff like URLScan or the comparable
| soon-to-be-available product from JD Glaser for *free* is for this very
| reason you call a "ploy."  For instance, the latest issues with IIS were,
| at the time of your bulletin, protected by your SecureIIS product.  It is
| not a ploy, it is value added.
|
|  >I think it's irresponsible to try to pawn off a marketing scheme as something
|  >that will help benefit the security community, or help the process of
|  >getting vulnerabilities fixed.
|
| Yet you include sample exploit code with your notifications, and you give
| away "free" scanners to check for blank SA passwords.  You are knee-deep in
| it, brudda!
|
|  >Giving out details of any nature, before there is a patch, is never the best
|  >route and should be used as a last resort, not a first.
|  >
|  >I also do not agree with the statements about people not being able to
|  >figure out exact details of the vulnerabilities based on the "VNA"'s.
|
| Don't equate yourself with "people."  You may be able to, but not your
| average Joe.  And certainly not the people who have to use a tool to see if
| they have a blank SA pwd.  But, with that said, let's take the text (from
| memory) of the SQL VNA.  Block TCP 1433 and UDP 1434, and make sure you
| have proper firewall rules in place.  What is the exploit?
|
|  >Now sometimes that won't be enough information, however when you go
|  >make a scanning tool that knows how to pinpoint the flaw it's only a matter
|  >of time to reverse engineer that tool to figure out how it identifies the
|  >flaw and then drill that down further to pinpoint the vulnerability.
|
| I couldn't reverse engineer my toaster, so I would fall back on a simple
| sniff.  But yes, I would then get a leg up on the sploit.  But so
| what?  People who paid for the product, or who had a fink, could get their
| hands on it.  Credit for discovery is not an issue, so it would only be
| those who would write an exploit.  As you well know, if Litchfield has the
| bug, chances are other people have it too.  If the vendor gets off their
| arse, then it is better for me.
|
|
|  >I am not saying I agree with that, but for people like David who are good at
|  >finding vulnerabilities, it only makes sense to try to figure out how to
|  >make a living off of that talnet... wrong or right no opinion.
|
| "talnet?"  I think your fingers have been trained ;)
|
|
|  >I do see it as being a big problem, and totally unethical, if you start to
|  >manipulate the situation into being one of a strong arm style tactic where
|  >it's "give me money, so you stay protected"
|
| You've gone too far here.  NGSSoftware is not attacking people, or
| threatening to if they don't "pay up."  If anything, it is a message to the
| vendors not to sit on a critical security bug for 8 months while they take
| advantage of someone else's good graces.
|
|  >.... equating it to store owners having to pay
|  >off local thugs so they don't go bashing their place up. Not that I am
|  >saying this is what is happening here.
|
| Then what are you saying?  Why bring up a non-sequitur analogy?
|
|  >Once again, I just think this is a really poor marketing ploy. But hey, it's
|  >working... we're all discussing it, as dumb as it all is.
|
| Let's put this in perspective.  You supplied exploit code for the idq
| vulnerability.  All manner of folk blamed you (incorrectly) for Code Red
| for the exact same reasons you are now saying are faulty with the VNA.  You
| have a job because you are a bad-ass!  Your company makes money *strictly*
| due to the fact that you perceive problems with other people's products,
| and provide solutions from them.  What do you think the customer is paying
| for?  I don't only want protection from 0 day exploits, it is what I
| *expect*!!  I don't need protection from 6 month old bugs- I need
| protection from the people like you and David that are not professional.
|
| And that is what I will get when I buy your products.  If anyone should get
| behind this, I would think it would be you.
|
| Cheers, dude.  See ya at Blackhat.
|
| Tim
|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/