RE: Scanners and unpublished vulnerabilities - Full Disclosure

From: Marc Maiffret (marc@eeye.com)
Date: Tue May 28 2002 - 19:20:21 EDT


I couldn't agree more. I personally see it as a ploy touting the fact that
their purchasable product will now and then be able to look for some
vulnerabilities that other products won't be able to.

I think it's irresponsible to try to pawn off a marketing scheme as something
that will help benefit the security community, or help the process of
getting vulnerabilities fixed.

Giving out details of any nature, before there is a patch, is never the best
route and should be used as a last resort, not a first.

I also do not agree with the statements about people not being able to
figure out exact details of the vulnerabilities based on the "VNA"'s.

If you publish details saying XYZ product has a flaw, this is how you work
around it, and here is a product which can scan your network for it, then
people will FOR SURE be able to pinpoint the flaw and start widely
exploiting it while we all wait for a vendor patch. How? Most of the time it
only takes the information on how to work around a vulnerability to figure
out what the vulnerability is, or at the very, very least where to start
looking. Now sometimes that won't be enough information; however, when you go
make a scanning tool that knows how to pinpoint the flaw, it's only a matter
of time to reverse engineer that tool to figure out how it identifies the
flaw and then drill that down further to pinpoint the vulnerability.

With all of that being said, there is the debate on whether or not making
money off of vulnerabilities is a bad thing. A researcher finds a flaw; why
should they not be able to give that information to paying customers (under
NDA) while the researcher waits for a vendor to fix the vulnerability? I am
not saying I agree with that, but for people like David who are good at
finding vulnerabilities, it only makes sense to try to figure out how to
make a living off of that talent... wrong or right, no opinion. I do see it
as being a big problem, and totally unethical, if you start to manipulate
the situation into being one of a strong-arm style tactic where it's "give me
money, so you stay protected" .... equating it to store owners having to pay
off local thugs so they don't go bashing their place up. Not that I am
saying this is what is happening here. Once again, I just think this is a
really poor marketing ploy. But hey, it's working... we're all discussing it,
as dumb as it all is.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Drew [mailto:simonis@myself.com]
| Sent: Tuesday, May 28, 2002 12:42 PM
| To: pen-test@securityfocus.com
| Subject: Re: Scanners and unpublished vulnerabilities - Full Disclosure
|
|
| Alfred Huger wrote:
| >
| > Heya all,
| >
| > Most of you who are long time users of this list know I tend to avoid
| > conversations on-list about full-disclosure. I'm of the opinion it's a
| > religious discussion with little or no merit for debate given
| that people
| > are unlikely to move from their current position.
| >
| > Having said this every now and then something does occur within our
| > industry to spur discussion. In this case I came across something which
| > directly impacts the Pen-Testing arena and I would like to throw it out
| > for open discussion. The event in question is a new Vendor Notification
| > Alert Scheme the folks over at NGSSoftware announced yesterday. The
| > announcement can (and should be) read at:
| >
| > http://www.nextgenss.com/news/vna.html
| >
|
|
| Seems to me like a thinly veiled marketing announcement. Worked, too.
|
| I don't notice anything _too_ radically separated from well known
| vulnerability disclosure methods, with the singular exception that
| they do not make accommodations for a responsive vendor who has not
| yet released a patch, which is in contrast to the RFPolicy, a well
| known disclosure roadmap, and the referenced Christey-Wysopal policy.
|
| I read it as "Buy our scanner and you'll have access to vulnerabilities
| others don't yet have".
|
|
| -Ds
|
| ------------------------------------------------------------------
| ----------
| This list is provided by the SecurityFocus Security Intelligence
| Alert (SIA)
| Service. For more information on SecurityFocus' SIA service which
| automatically alerts you to the latest security vulnerabilities
| please see:
| https://alerts.securityfocus.com/
|
|




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT