From: Raju Mathur (raju@linux-delhi.org)
Date: Tue May 28 2002 - 22:50:51 EDT
>>>>> "Alfred" == Alfred Huger <ah@securityfocus.com> writes:
Alfred> [snip]
>> What it boils down to is the rest of us will have the
>> information, just a little later. I suppose part of the
>> controversy is that NGSSoftware is presumably going to benefit
>> from holding back information, i.e. if you want to check for
>> the vulns they found, you have to buy their product.
Alfred> Yep, that is what I suspected most people would take
Alfred> umbrage with. In this case however I think NGSSoftware is
Alfred> perfectly within their rights. Firstly I do think their
Alfred> motives are above board. Having said this I see nothing
Alfred> wrong with it even if their motives are purely
Doesn't appear that way to me. Their motives appear quite commercial
(I won't repeat the arguments made by other list members here) and
there is no reason why SecurityFocus, pen-test or bugtraq should
provide them with a platform to propagate their products and services.
They're have the freedom under law to hoard their vulnerability
database for the benefit fo their customers, and we have the
corresponding freedom to boycott them, ignore them or prevent them
from hijacking a public full-disclosure forum for their own ends.
Alfred> commercial. The Internet like anywhere is driven off
Alfred> business concerns. If NGSSoftware can provide a valuable
Alfred> service by alerting their customer base of flaws in
Alfred> production software - power to them. This is after all
Alfred> about paying the rent. I understand that a fair number of
Alfred> folks in this industry are still waiting for the Great
Alfred> Leap Forward to sweep us all into some digital eutopia
Alfred> where information wants to be free and where breaking into
Alfred> someones computer can be painted in a benevolent light
Alfred> (you know - just trying to help). I am not buying. I'd
I missed the connection between free information and freedom to crack
here unless the latter is just a red herring to divert attention from
the former?
Alfred> take advance notice from NGSSoftware over idealism. One
Alfred> keeps me my job while the other makes for good coffee shop
Alfred> banter but little else.
Since mailing lists embody the free information aspect of the
Internet, in effect you're saying that PEN-TEST, VULN-DEV and BUGTRAQ
are `coffee-shop banter' while your other concerns are what are of
primary importance to you. I find that quite disturbing, and if that
really is the case I'd suggest that SecurityFocus hand over the mantle
of running this list to another individual or, if this is the
prevalent thinking in the company, another organisation.
>> This isn't new, either. A few years ago at a previous
>> employer, I was a licensed user of ISS' Internet Scanner. They
>> had a check for a statd bug (which came to my attention because
>> it was getting positive matches) that I could find no public
>> documentation on. I.e. I was doing an internal penetration
>> test, and having a potential hole, I wanted to go ahead and
>> exploit it fully.
Alfred> Yes and ISS is not alone there. It's been done by other
Alfred> scanner vendors. SNI in particular did this a few
Alfred> times. We also alerted our customers about vulnerabilties
Alfred> we had in the pipes with vendors as a matter of course.
Precedents are not an argument for continuing a flawed policy.
Alfred> [snip]
Alfred> I should cap this out by saying that my above opinions are
Alfred> my own.
Regards,
-- Raju
--
Raju Mathur raju@kandalaya.org http://kandalaya.org/
It is the mind that moves
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT