Re: Fwd: Information on MS99-022
From: deraison () CVS NESSUS ORG (Renaud Deraison)
Date: Mon, 5 Jul 1999 10:07:41 +0200

On Mon, 5 Jul 1999, Darren Reed wrote:

> > What comes to my mind is that Microsoft is giving the scoop of the
> > test of the vulnerability to the ICSA's IDC members.

> And the problem with that is?  What should be important is that the
> information about the problem became public, allowing people to become
> aware of the problem and how to fix it.

But as someone else pointed out on this very same list, it's not always
possible to determine whether there is a problem or not in any way other
than actually testing the flaw (intrusion tests are an example).

> > What does this mean? You have to _sell_ your security products to get
> > security information from the vendors, or else they won't even consider
> > that you are writing security tools?

> It's well recognised that Microsoft has a dim view of the "Open Source"
> movement due to the way it perceives it as being a threat to its own
> products so getting them to support it seems very unlikely.

But the domain microsoft.com has been number one in terms of downloads and
site visits at nessus.org :) For a time, they were downloading
each new version of the product and coming back very frequently. Now, I
cannot say whether they were actually using Nessus or not, but well, I
think that they were not storing their downloads in /dev/null ;))

And I have not heard of any Microsoft-made security scanner anyway
(not yet at least :). So, where's the threat in this field?

> Anyway, what does it matter to you, if your product is free?  It has no
> value so whether or not it can detect X makes no real difference if there
> is a patch available to resolve X.

I'm trying to make an up-to-date tool. Some people use it and feel safe if
no error is reported (which is a bad attitude anyway).

I don't want to make it the premier security scanner around, however I
want to keep it up-to-date. That's my goal. Just because some people are
using it and trusting its results. And it disgusts me to see that because
ISS or NAI or whatever are charging money for the same kind of tool,
they'll get more information from the vendors than me. After all, they
have enough money to have teams like the X-Force who would have found the
vulnerability anyway, so what's the point?

> > This attitude shows the lack of ethics of several companies which claim
> > they are interested in security. Because no matter how knowledgeable you
> > are, you will have to pay to determine if you are vulnerable or not.

> Now you're catching on.  Security is a market of some value, today, not
> like it was back in the early 90's when things like FWTK/Satan were written
> and given away.

I disagree with that too. I'm not the only weirdo on this planet who is
giving away security tools. Just think about Nmap, Trinux, SAINT, ipchains
and many more.

> Sure it is security by obscurity, but do you get any more

It's not security by obscurity. It's pure marketing. If this kind of
attitude is tolerated, then everyone will do the same and you'll see
commercial arrangements popping up in the upcoming years. And this is evil
because the more bugs the software makers make, the more money they'll get
from their partners. Just like the virii industry which is suspected to
fund virii writers.

> details in patches from Sun that manage to roll out prior to being all
> over bugtraq?  I don't know of any vendor that has a full-disclosure policy,
> only hackers and other posters to bugtraq.  For vendors there may well be
> legal implications of them giving out information to people who could use
> that information to break into systems.  At least by going through the ICSA
> they're dealing with a body that is arguably reputable so some sort of due
> diligence could be argued.

What I say is: either give the details to the world, or just keep them
for yourself. Don't give them to a restricted set of so-called 'security
software makers'.

                                   -- Renaud

Renaud Deraison <deraison () cvs nessus org>
The Nessus Project -- http://www.nessus.org
