mailing list archives
Re: Stuff you might have missed in the CANVAS Ecosystem
From: "Mohammad Hosein" <mhtajik () gmail com>
Date: Thu, 16 Oct 2008 12:10:15 +0330
most of the 0days - if not all - are targeting very rare software like Novel
stuff and when you buy Canvas you buy 3 month worth of updates not a year .
like Parity mentioned in his email i'd like the developers know that a more
flexible licensing model and price would help them with a new market consist
of freelancers and individuals who are in the pentest business and do not
have huge load of cash the same as they dont earn such money easy like a
company can do with an enterprise-grade pentest project .
On Thu, Oct 16, 2008 at 2:27 AM, Dean Pierce <piercede () pdx edu> wrote:
If they even listed the affected software, wouldn't the vendor just buy
up the module and fix the 0day? It would be interesting to see a list
of older vulnerabilities, and maybe some mention their reliability just
to see how it stacks up against other exploitation frameworks.
Anyway, when you buy CANVAS, the most important thing you get is every
exploit they come up with for the next year, so not even the researchers
know what it is you are really buying.
Speaking as a freelancer, this is a constant challenge for me. Among the
research costs I can't really pass directly on to customers, there's stuff
CanSec: ~ $1800.00 (Maybe if I wasn't too lazy to submit a talk...)
MSDN subscription: another couple grand
So instead of going to CanSec, I stick to the inexpensive conferences
(Shmoocon, Toorcon, etc). And I buy MS products @ the MSFT company store as
needs require. And I just do without cool stuff like Bindiff. :(
Anyway, I guess I'm chiming in here to suggest to Dragos & Halvar & others
that I'd love to buy their products / services, but paying full price is
just not economical for an indy player like myself. They could easily
capture additional revenue from the little market segment that's made up of
guys like me (go read Joel Spolsky's essay on differential pricing called
Camels & Rubber Duckies for hints). I'm not sure there's enough people in
my position to justify their going to the trouble, but I wish they would.
Dailydave mailing list
Dailydave () lists immunitysec com