Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: iDefense: Solution or Problem?
From: VX Dude <vxdude2003 () yahoo com>
Date: Wed, 14 Jul 2004 07:56:37 -0700 (PDT)

Just a quick thought for a business plan.

1) Start off with a low investment of $1200.
2) Buy a couple chunks of Entersys source code from
SCC
3) Find vulnerabilities and write 0-day exploits
4) give 0day to your investors
5) sell 0day to iDefense (or Sourcefire hahahahaha)
for $300 a pop
6) Use profits of sale to buy more chunks of
sourcecode
7) Repeat steps 3-6 until complete
8) Release code as "open source" dimishing its
corporate value
9) make a business using this "open source" IDS and
compete with Sourcefire hahahahaha
10) Release IPO =D

Now, I'm no lawyer, but Hollywood has taught me that
its probably illegal to _knowingly_ buy illegal goods
(such as entersys source), but! is it illegal for
iDefense to buy the research from illegal bought
goods?

-vx

_______________________________________________
Full-Disclosure - We suck it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html

--- idefense () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Michael, you claim that this is a typo, but is it
really? Even if this
is a typo, how do you explain waiting over a month
to contact the vendor?
How do you explain past times when iDefense waited
over a year to notify
a vendor? How does this relate to the iDefense
disclosure policy?

http://www.idefense.com/legal_disclosure.jsp
iDEFENSE will responsibly inform vendors as soon as
possible after having
learned of a problem with their product(s) or
service(s).

Note: ".. will responsibly inform vendors as soon as
possible after having
learned of a problem". There is absolutely no
debating that this is pure
marketing fluff and not how iDefense operates. Look
at their history
of vulnerability disclosure and their timelines for
proof. The real question
becomes, just how unethical and how greedy iDefense
really is! Further,

 are they now rewriting history to desperately
protect their already
dark image? Witness:


http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html
Adobe Reader 6.0 Filename Handler Buffer Overflow
Vulnerability
VII. DISCLOSURE TIMELINE
02/02/2003 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification

Did iDefense sit on this vulnerability for 17
months? Shortly before
or after Cary Barker pointed this out on
Full-Disclosure

(http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html),
iDefense
seems to have had a change of heart!


http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification

The first and understandable reaction (excuse) would
be "iDefense had
a typo", but once again, digging into their past
vulnerabilities, is
that really the case?! Even if THIS advisory had a
typo, how about some
others this year?!


http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
04/03/2003  Vulnerability acquired by iDEFENSE
07/08/2004  Public disclosure


http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
04/05/03  Vulnerability acquired by iDEFENSE
05/17/04  Public disclosure


http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
April 2, 2003 Exploit acquired by iDEFENSE
May 12, 2004  Coordinated public disclosure

Sitting on vulnerabilities for a year before
notifying the vendors is
not what 'white hat' hackers do. These aren't the
actions of a reputable
security company. Combine this with the fact you
sell this information
to people in foreign companies and governments,
including some that are
"harboring terrorists" (according to our government)
makes your actions
potentially criminal. What, you haven't checked your
client list carefully?
Selling vulnerability information to terrorist
nations isn't very friendly
to the US!

Looking back at your 2004 advisories (and some in
2003), could anyone
at iDefense explain how their responsible disclosure
policy applies?
Here is a general idea of their disclosure process
and time frames:

Advisory  Discovery  Publish  Vend Notify  Publish
Time
07.12.04  03-02-02   04-07-12 13 mo  7 d   17 mo 10
d
07.09.04  04-06-29   04-07-09        7 d         10
d
07.08.04  03-04-03   04-07-08 14 mo 26 d   15 mo  5
d
07.01.04  03-09-27   04-07-01  8 mo  7 d    9 mo  4
d
06.23.04  04-04-21   04-06-23       14 d    2 mo  2
d
06.21.04  04-02-26   04-06-21  3 mo 13 d    3 mo 25
d
06.10.04  04-04-14   04-06-10       28 d    1 mo 26
d
06.08.04  04-04-27   04-06-07       22 d    1 mo 10
d
06.07.04  03-04-05   04-05-17 13 mo  2 d   13 mo 12
d
05.27.04  04-02-18   04-05-27       20 d    3 mo  9
d
05.26.04  04-02-18   04-05-26       20 d    3 mo  8
d
05.12.04  03-04-02   04-05-12 12 mo  5 d   13 mo 10
d
04.15.04  03-12-08   04-04-15  1 mo 16 d    5 mo  7
d
04.14.04  04-01-09   04-04-14  1 mo 11 d    3 mo  5
d
04.13.04  04-01-12   04-04-13        5 d    2 mo 24
d
04.05.04  04-01-09   04-04-05  1 mo 16 d    2 mo 26
d
03.19.04  04-01-13   04-03-19       24 d    2 mo  5
d
03.09.04  03-10-10   04-03-11  1 mo  2 d    5 mo  1
d
03.02.04  04-01-22   04-03-02       25 d    1 mo 10
d
02.27.04  04-01-13   04-02-27       26 d    1 mo 14
d
02.27.04  04-02-04   04-02-27        6 d         23
d
02.23.04  03-12-08   04-02-23  1 mo 21 d    2 mo 15
d
02.17.04  03-10-31   04-02-17  4 mo  2 d    4 mo 19
d
02.12.04  04-02-09   04-02-12        0 d          3
d
02.10.04  04-01-09   04-02-10       24 d    1 mo  1
d
02.04.04  03-12-08   04-02-02  1 mo 21 d    1 mo 24
d
09.25.03  03-02-25   ?                 8 mo  0 d    ?
07.29.03  03-04-20   03-07-29  2 mo 11 d    3 mo  9
d
07.01.03  03-03-11   03-07-01  3 mo  0 d    3 mo 19
d
05.22.03  02-12-31   03-05-22  4 mo 17 d    5 mo 22
d
02.12.03  02-10-31   03-02-12  2 mo 29 d    3 mo 13
d
02.03.03  02-01-11   03-02-10 12 mo  9 d   12 mo 29
d

"iDEFENSE will responsibly inform vendors as soon as
possible after having
learned of a problem with their product(s) or
service(s)."

Five different times, iDefense sat on a
vulnerability for OVER A YEAR.
They routinely wait one or more months to notify the
vendor. Is that
"as soon as possible"? Of course not, that would
hurt the bottom line.


Sincerely,
Dark Elf



References

07.12.04 - Adobe Reader 6.0 Filename Handler Buffer
Overflow Vulnerability

http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification
03/11/2004  Initial vendor response
03/11/2004  iDEFENSE clients notified
06/07/2004  Vendor update released
07/12/2004  Public Disclosure
* original full-disc post listed 02/02/2003
discovery date


07.09.04 - wvWare Library Buffer Overflow
Vulnerability

http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities
06/29/2004  Initial vendor contact
07/06/2004  Vendor response

=== message truncated ===



                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]