Bugtraq mailing list archives
Re: Fwd: Information on MS99-022
From: deraison () CVS NESSUS ORG (Renaud Deraison)
Date: Mon, 5 Jul 1999 10:07:41 +0200
On Mon, 5 Jul 1999, Darren Reed wrote:
> > What comes to my mind, is that Microsoft is giving the scoop of the
> > test of the vulnerability to the ICSA's IDC members.
>
> And the problem with that is? What should be important is that the
> information about the problem became public, allowing people to become
> aware of the problem and how to fix it.
But as someone else pointed out in this very same list, it's not always possible to determine whether there is a problem or not in any other way than actually testing the flaw (intrusion tests are an example).
> > [...] What does this mean? You have to _sell_ your security products to
> > have security information from the vendors, or else they won't even
> > consider that you are writing security tools?
>
> It's well recognised that Microsoft has a dim view of the "Open Source"
> movement due to the way it perceives it as being a threat to its own
> products so getting them to support it seems very unlikely.
But the domain microsoft.com has been number one in terms of downloads and site visits at nessus.org :) For a while, they were downloading each new version of the product and coming back very frequently. Now, I cannot say whether they were actually using Nessus or not, but well, I think that they were not storing their downloads in /dev/null ;)) And I have not heard of any Microsoft-made security scanner anyway (not yet at least :). So, where's the threat in this field?
> Anyway, what does it matter to you, if your product is free? It has no
> value so whether or not it can detect X makes no real difference if there
> is a patch available to resolve X.
I'm trying to make an up-to-date tool. Some people use it and feel safe if no error is reported (which is a bad attitude anyway). I don't want to make it the premier security scanner around; however, I want to keep it up-to-date. That's my goal, just because some people are using it and trusting its results. And it disgusts me to see that because ISS or NAI or whatever are charging money for the same kind of tool, they'll get more information from the vendors than me. After all, they have enough money to have teams like the X-Force who would have found the vulnerability anyway, so what's the point?
> > [...] This attitude shows the lack of ethics of several companies which
> > claim they are interested in security. Because no matter how
> > knowledgeable you are, you will have to pay to determine if you are
> > vulnerable or not.
>
> Now you're catching on. Security is a market of some value today, not
> like it was back in the early 90's when things like FWTK/Satan were
> written and given away.
I disagree with that too. I'm not the only weirdo on this planet who is giving away security tools. Just think about Nmap, Trinux, SAINT, ipchains and many more.
> Sure it is security by obscurity, but do you get any more

It's not security by obscurity. It's pure marketing. If this kind of attitude is tolerated, then everyone will do the same and you'll see commercial arrangements popping up in the upcoming years. And this is evil because the more bugs the software makers make, the more money they'll get from their partners. Just like the virii industry which is suspected to fund virii writers.

> details in patches from Sun that manage to roll out prior to being all
> over bugtraq? I don't know of any vendor that has a full-disclosure
> policy, only hackers and other posters to bugtraq. For vendors there may
> well be legal implications of them giving out information to people who
> could use that information to break into systems. At least by going
> through the ICSA they're dealing with a body that is arguably reputable
> so some sort of due diligence could be argued.
What I say is: either give the details to the world, or just keep them
for yourself. Don't give them to a restricted set of so-called 'security
software makers'.
-- Renaud
--
Renaud Deraison <deraison () cvs nessus org>
The Nessus Project -- http://www.nessus.org