From: Alfred Huger (ah@securityfocus.com)
Date: Wed May 29 2002 - 01:00:36 EDT
Alfred> Yep, that is what I suspected most people would take
Alfred> umbrage with. In this case however I think NGSSoftware is
Alfred> perfectly within their rights. Firstly I do think their
Alfred> motives are above board. Having said this I see nothing
Alfred> wrong with it even if their motives are purely
>Doesn't appear that way to me. Their motives appear quite commercial
I won't belabor my previous point about this being a non-issue. Their
motives in this case are largely immaterial; it's the net effect that
needs to be evaluated.
>there is no reason why SecurityFocus, pen-test or bugtraq should
>provide them with a platform to propagate their products and services.
This topic was not brought here by them but by me.
>They're have the freedom under law to hoard their vulnerability
>database for the benefit fo their customers
Well I'm glad you at least agree their customers are receiving a benefit
from it.
>and we have the
>corresponding freedom to boycott them, ignore them or prevent them
We? Are you referring to the royal we? Or are you referring to a body of
consumers which you represent?
>rom hijacking a public full-disclosure forum for their own ends.
First off, this is not a full disclosure list for bug reporting. The VNA
issues have never so far as I understand been posted to Bugtraq, the only
dedicated full disclosure list we run here at SecurityFocus.
Alfred> commercial. The Internet like anywhere is driven off
Alfred> business concerns. If NGSSoftware can provide a valuable
Alfred> service by alerting their customer base of flaws in
Alfred> production software - power to them. This is after all
Alfred> about paying the rent. I understand that a fair number of
Alfred> folks in this industry are still waiting for the Great
Alfred> Leap Forward to sweep us all into some digital utopia
Alfred> where information wants to be free and where breaking into
Alfred> someone's computer can be painted in a benevolent light
Alfred> (you know - just trying to help). I am not buying. I'd
>I missed the connection between free information and freedom to crack
>here unless the latter is just a red herring to divert attention from
>the former?
You post indicates to me that you're bright enough not to need a basic
dissection on this. If I'm wrong I'll be happy to be pedantic with you off
list.
Alfred> take advance notice from NGSSoftware over idealism. One
Alfred> keeps me my job while the other makes for good coffee shop
Alfred> banter but little else.
>Since mailing lists embody the free information aspect of the
>internet, in effect you're saying that PEN-TEST, VULN-DEV and BUGTRAQ
Really? As dictated by whom? Might this be the royal we again? The lists
you mention were founded around principles of open discussion. They were
not built around some moral construct about maintaining 'free information'
or liberty or anything so vaunted. Just open discussion.
>are `coffee-shop banter' while your other concerns are what are of
Hardly, my comments were (quite clearly) directed at not opting for a
misplaced idealism over a pragmatic approach to a real problem. I suspect
you are being argumentative here and not actually obtuse.
>I find that quite disturbing, and if that
If you find that disturbing life outside of work must be down right
hellish.
>really is the case I'd suggest that SecurityFocus hand over the mantle
>of running this list to another individual or, if this is the
>prevalent thinking in the company, another organization.
Really? I'll be sure to take that into consideration. This actually was
the part of your post that got my attention. I always get a bit put back
when people like yourself make comments like this. When I founded
SecurityFocus, before I brought a single person on board, I had a very
clear conception of what I was to build. I've done that, the scary part is
people like yourself assuming I (or the dreaded 'we' in this case) owe you
something. We are still entirely within our stated goals as a company - I
suggest you read them before assuming I've abrogated some sacred trust to
you and should therefore hand over the last 4 years of my life to you as
recompense. This company is about information - commercial and otherwise
if that's not palatable to you then move on - we have nothing to offer
you.
Alfred> Yes and ISS is not alone there. It's been done by other
Alfred> scanner vendors. SNI in particular did this a few
Alfred> times. We also alerted our customers about vulnerabilities
Alfred> we had in the pipes with vendors as a matter of course.
>Precedents are not an argument for continuing a flawed policy.
Nope, provided the premise is flawed which you've yet to actually address.
Now before you reply, take a second and a deep breath and compose
something like a rational argument based around points not emotional gut
reactions and vague statements.
-al
VP Engineering
SecurityFocus
"Vae Victis"
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT