mailing list archives
Symantec Buys SecurityFocus, among others....
From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Sat, 20 Jul 2002 22:28:18 +0000 (GMT)
On Fri, 19 Jul 2002 haiku () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
As a consulting company that publishes vulnerability information and tools,
we contribute to the pool that we drink out of.
Oh. So this is your argument. You contribute to it, therefore you may
use it? Wait .... I thought you said the information should be free
for non-commercial use. Does not taking from the pool to use within a
company constitute commercial use? Genius! So, the "do as I say and
not as I do" applies here? What other double-standards are we also
applying in this discussion?
Please show where I said that vulnerability information or tools should be
restricted to non-commercial use only. That was Jay. I suggested a public
vulnerability database. I have been involved in the research, writing, or
coordination of dozens and dozens of advisories for over 7 years. In not
one case were these advisories restricted in any way. I might add that
there was no advertising or other fluff. Just technical information.
So, now that we've clarified that there is, in fact, a double-standard
here, this would explain why a certain vicious rumor about the @stake
toolkit that somehow found the light of day contains not only many,
many publicly available exploits, but also some 0day that the vendors
have yet to fix. Tell me, Chris, I'm a little confused how this
applies to both "Responsible Disclosure" and "information being free
for non-commercial use." From my take, there's nothing responsible
You have clarified nothing. You are inventing controversy where there is
Let me know about which specific files have 0day information in them that
we are supposedly distributing and I will investigate. We have nothing to
Again the non-commercial use is something that Jay was talking about. We
give out the @stake Pocket Security Toolkits at trade shows so obviously
they are for commercial use too.
What about the folks that don't speak English as a first language, or
no English whatsoever?
I don't undersatnd the point here.
In short, yeah, you could say I'm skeptical. And what's going to stop
other information security companies from using it anyway? If the data
is freely available, it's there for the harvest. If you want to
prevent it from being exploited by outside parties, you have to neuter
it to where there's no details whatsoever. Then, it becomes roughly
tits on a boar.
I never proposed restricting the use of the public vulnerability database.
FYI, as I recall, the information in the Bugtraq Database is freely
available to the public through their web site anyways. Perhaps you
may have overlooked this.
Sure and it is the best one out there. That doesn't mean another database
that allowed mirroring of the database itself and was updated by the
vulnerability reporters and editted by the community couldn't be better.
Maybe it won't be better. Why not discuss it rationally without flying off
the handle with accusations of hidden agendas that never materialize?
The open source tools could tie into it. Open Source != Non-Commercial.
And your point is?
Ok, as I recall, Renaud was at least making a little money off his
project by offering support, while the rest of these pentest dirtbags
exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit
had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm
wrong here, but first, doesn't this mean that Renaud would no longer be
able to offer commercial support for his product? I think so.
We never charged any money for the @stake toolkit. I am not exactly sure
why you think I am proposing anything that would restrict Renaud from
making money charging support?
And I believe the same applies to Marty, as Sourcefire is offering
commercial products built on Snort. Gee, what a fucking HUGE hole in
your logic. And, you additionally fuck them in the process. Good job.
Again I never said anything about restricting the use of vulnerability
Ok, so you have a database that can be used commercially, or you don't.
Notice how there's no fucking in-between? And what if a person wants
to use the "non-commercial database" in their commercial product?
Does this now require a licensing fee? Or do you just turn them away?
This has sham written all over it.
No it has your confusion written all over it.
think there should be a law restricting free speech. Once someone has
chosen to publish information they are going to publish it. It is better
for the community that VulnWatch approve these messages so that everyone
can get the information at the same time.
I really wish you weren't so two-faced, paradoxial, and self-righteous.
And on that note, how does this make VulnWatch any different from any
other security mailing list? Securiteam does the same thing. This
list allegedly does the same thing. Bugtraq does the same thing.
How is this two-faced? SecurityFocus/Symantec just announced a similar
dual policy. Once policy for vulnerability information that Symantec
researchers originate and control the release of and another policy for the
moderation of the Bugtraq disclosure list. Once someone decides to publish
information it will be published. Some researchers even run their own
lists and now there is an unmoderated disclosure list. Bugtraq or
Vulnwatch wouldn't be stopping anything by not approving disclosure
Bottom-line, there's going to be people that make money off security
information whether you like it or not. @Stake does. SecurityFocus
does. ISS does. NAI does. Even CERT does. Welcome to the capitalist
world; leave your agendas and egos at the door. Any company that uses
information/software provided by them tends to make money, as they
spend less time down due to security incidents. Funny how economics
work, isn't it?
Again I never said to not let commercial entities make money off security
information. I simply stated the economics of the vulnerability database
case. I now realize you are the one with the ego problem and the agenda
issues. As you know I work at a commercial venture in the security industry
this paragraph above is a bit patronizing don't you think?
Well I hope I cleared up some of your misunderstandings.
- Symantec Buys SecurityFocus, among others., (continued)