Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others....
From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Fri, 19 Jul 2002 20:38:21 +0000 (GMT)

On Fri, 19 Jul 2002 haiku () hushmail com wrote:

Or better, thousands per advisory when a consultant for a certain
company shows up to audit networks.  What's @stake's billable rate
these days?

As a consulting company that publishes vulnerability information and tools,
we contribute to the pool that we drink out of.

First and foremost, let me say this list is complete dogshit.  I'd like
to go on the record with my opinion being that moderated mailing lists
are a good thing.  It keeps all the fucking whining to a minimum.  You
think I actually care that your information is being resold?  No!  I
just want the information, delivery medium negotiable.  I could give a
fat rats ass if you get credit, either.  That's one thing I can say for
any vulnerability database; at least I don't have to listen to a bunch
of punkasses and their incessant boohooing; instead, I get just the
pertinent information.  At the end of the day, I don't give a fuck who
you are, or how great you think you are; I care that my systems are
secure, and that's the bottom line.

So would you use a non-profit database that was populated by the
vulnerability reporters themselves? That is what I am proposing.

Second, I've been amazed at what big fucking morons the "esteemed
hackers" in the community are.  Especially Chris and Jay.  Wow!  I
thought you guys were really intelligent, and to some extent, had a
moderate amount of respect for you two.  The only thing I've seen from
any of you at this point is hidden agenda.  You guys are truely
disgusting.  You guys set the bar for low.  Proof that nothing is ever
what it seems.

For wanting a public vulnerability database?  This is what the security
community is currently missing in a public and open format. There are open
source NIDS, vuln scanners, and other security tools. There are public
security mailing lists. There is a public vuln dictionary, CVE.  But there
is no public vuln database.  Why is everything else good to have
non-commercial alternatives for except a vuln database?  The open source
tools could tie into it.

supply for the sake of creating something for the common good.  The
first person that comes to mind is Renaud Deraison.  Yeah, you guys are
fucking brilliant, right?  Make the information copyrighted, so he
can't continue to work on a FREE project continually exploited, and at
least try to sell support so he can pay the fucking rent?  Jesus.

I certainly didn't mention restricting information.  A public vulnerability
database would require the information to be open so that it could be in
the database.

And let's not even talk about Marty Roesch.  If there's another person
that knows something about giving heart and soul to a project, and
continually getting exploited, he's our man.  He runs a great project,
and I'll bet not a single one of you whining bitches hasn't used it,
and if you consult, haven't provided it as a "solution" that you
charged some company billable hours for.  So now you want to take the
information that he needs as well, and restrict him from it?  Looks to
me like he's finally getting his company off the ground, and you guys
want to fuck him now too?

@stake employees have contributed to the Snort project. I actually was
using Snort earlier today on a product pen test.  It's great.  Marty has
created something wonderful. A public vulnerability database would enhance
Snort not hurt it.  We don't really do implementation work but we have
recommended to some of our customers that they install Snort.

seperate them.  I still nearly fall off my chair with laughter when I
visualize Chris sucking up to MS, and trying to push the "responsible
disclosure" agenda while moderating an allegedly "full disclosure"
list, and posting to others.  You're a man of many faces, Chris, all of
them in twos.  I'll not even pick on Jay; I really feel pity on him.

You can support the First Amendment and still limit what you personally say
and write.  I choose not to be vulgar in my list postings and I might even
advocate for others to not be vulgar but I would never want to ban that
langauge.  I think it is a benfit to security if people can patch their
boxes before exploits are written.  Nothing is a single bullet solution but
I think that certain disclosure practices can help make this happen.
Obviously a lot has to be done better on the vendor side.  So while
advocating for people to follow certain disclosure practices I still don't
think there should be a law restricting free speech.  Once someone has
chosen to publish information they are going to publish it.  It is better
for the community that VulnWatch approve these messages so that everyone
can get the information at the same time.


Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]