From: arjen.de.landgraaf at cologic.co.nz (Arjen De Landgraaf)
Subject: openssl exploit code (e-secure-it owned)

Erik,

Thank you for your contributions in your email replies.
If you don't mind, I would like to address them here:

1. Re the PoizonB0x defacement.

Thank you for taking the time to research our background, 
although a bit one-sided.
Yes, a website got defaced a long time ago.  That is a fact.  
No-one is 100% secure (Richard Clarke), and we did learn from it.

However, you could acknowledge that we were not the 
only one at the same time. Untold security companies 
and  sites were defaced  by PoizonB0x and others 
in that very same period. Including: SecurityNewsportal, CNet, 
Attrition, Lucent. Microsoft (18 times in total?), SANS, 
CERT,  SecurityFocus and many others.

I assume your comments at the time to SecurityFocus
were similar as your comments to us yesterday?

If you also would have taken the effort to dig a bit further,
you  would also have found that two weeks later IDG NZ
published a correction on their article, as it contained 
factual errors. As it  happens with news media, 
the first article got spread around the world  pretty 
quickly, the correction did not.

2. Your review of the www.e-secure-db.us vulnerability
database:

Your "review" contained one sentence: the database is crap.

Interesting is that we have had many, many comments
from readers of this list, and they are all very positive.
In fact, you are the only negative.  Even more particular,
your review is extremely negative. Makes me wonder why.

I read from your website (www.mindsec.com) that you
conduct reviews and your title is "Writer, Vendor Relations"

Our logs show no evidence that you actually went into
the database to "do your review", and I must therefore ask
questions on the objectivity of the "review" you conducted.

I challenge you to show any other online single free source with
more complete information, any other free portal that enables
a complete check-up on any and each IT infrastructure component,
incl routers, firewalls, databases, O/S's etc etc. in a practical
way.   Where an IT professional can check on all  components 
of their IT infrastructure on potential vulnerabilities and patches.

3. Your comment on the data

You mentioned that the data is a week old.
Heh, we just got it on the air last Sunday, give us a break. We 
have already had many thousands of hits within a few days.  Managing 
performance is a more important issue. Anyway, the data was 
at the time of your "review" only 2 days old.

We improved E-Secure-IT and the E-Secure-DB database over the 
last two years, with many international Asia Pacific corporate
subscribers giving us awesome feedback on where we could 
improve and how it  can best work for them. 
These subscribers are very happy to pay for the added value we
provide to them in our E-Secure-IT alerting service.

The actual E-Secure-DB database component is now available to 
the global IT and business community.   Free.

We do this as a contribution to the global IT community;
we have taken this initiative to AT LEAST be able to make a 
(even small)  positive difference to a worldwide incredibly 
stifling situation: that we all have to rely on Information 
Technology and communication  infrastructures, but that the 
foundation of IT is inherently insecure.

In fact, the US government document, "The National
Strategy to Secure Cyberspace" , released today, is 
inviting and welcoming private initiatives such as ours.  

"Richard Clarke is urging users to take responsibility for 
increasing cybersecurity.    Alan Paller of the  SANS Institute 
agreed "Those  who don't [bolster security]  put all the 
rest of us at risk."

"National Security Agency (NSA)  Richard George of the 
Security Evaluation Group  believes security would improve 
if "users are aware enough of security to employ the 
technology that's available."  George also believes  that 
software vendors will not  provide  adequate security,  
and user vigilance will be necessary  to maintain patches 
and system security."

We have released this database to contribute to the ( probably 
more than 5-10 million )  overworked IT admins in the "real world' 
in the USA, as well as Europe, Asia, Pacific, etc. who do not 
have the luxury of time or  resources  to sit behind their pc 
half the day  tracking possible vulnerabilities.  

It is the "re-inventing the wheel" a million times a day, having to
track potential vulnerabilities on hundreds of disparate sources
that is incredibly wasteful to our global society.  Where
highly paid IT Security Professionals all have to do the same 
over and over again.

Their bosses actually want them to do something about the 
other 50 or so pressing daily IT issues that a business 
has.  And how their bosses still think is that IT security is not 
a real issue, and does not contribute to the business' bottom line.  

We believe that this initiative can make a powerful and positive 
difference to the IT professionals all over the world.

Arjen
Co-Logic Security
www.e-secure-db.us


-----Original Message-----
From: Erik Parker [mailto:eparker@...dsec.com]
Sent: Wednesday, 18 September 2002 10:08 a.m.
To: Arjen De Landgraaf
Cc: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] openssl exploit code (e-secure-it owned)



Just wanted to make note, I hope your initiative for your database has more
effort than your initiative to secure own boxes.

http://defaced.alldas.org/mirror/2001/06/15/www.e-secure-it.co.nz/

tsk tsk, owned by PoizonB0x? Forgot to lock down frontpage? I hate that.

http://www.attrition.org/errata/sec-co/co-logic01.html

Co-Logic owned..

Nice article too, http://www.theregister.co.uk/content/55/20255.html

I'd like to meet the engineer who thought a honey pot on the same network as
your production servers was a good idea

> We have taken the initiative to place a completely free,
> very extensive and complete ICT security vulnerability
> database on the web, for the IT security world to
> use as a possible resource.

Powered by blists - more mailing lists