lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 16 Jan 2007 12:06:06 -0800
From: Blue Boar <BlueBoar@...evco.com>
To: Simon Smith <simon@...soft.com>
Cc: "K F (lists)" <kf_lists@...italmunition.com>,
	Untitled <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] iDefense Q-1 2007 Challenge

Simon Smith wrote:
> Blue Boar, 
>     Simply put, and with all due respect, you're wrong.

About? I see basically two assertions in my note; 1) that I would sell
to iDefense or TippingPoint. Surely you're not going to tell me what I
would do? And 2) That iDefense isn't doing the same thing that Blackhats
are. Is the latter one the one you disagree with?

> Furthermore I don't
> appreciate you directly or indirectly suggesting that these exploits are
> being sold on the black market, that will never happen on my watch, ever!

If you look carefully, you'll see I was replying to Kevin, who did make
a comparison to selling to blackhats. I hadn't even seen your note at
the point, and I wasn't replying to you, and I didn't quote anything you
wrote.

So I assume you think I was saying that your company is selling to
blackhats. I wouldn't think you were. Certainly you don't mean to claim
that, in general, the entire market never sells to blackhats, nor that
you have any control over what others do.

>     More importantly, the company that I am working with is no different
> than iDefense. In fact, they both sell their exploits and harvested research
> to the same people. The only real difference is in the amount of money that
> the researcher realizes when the transactions are complete. This difference
> is a direct result of low corporate overhead.
> 
>     Lastly, all transactions require that the researcher engage the company
> that I work with in a tight contract. This contract ensures that both
> parties are legitimate and also protects both parties. They don't do that on
> the black market do they?

So, is the problem that I didn't realize you guys also bought vulns, and
that you pay more? No, I had no idea that you did. I guess some better
marketing is in order. The quarterly challenge thing is pretty good for
publicity, maybe you guys should do one of those.

					BB

Powered by blists - more mailing lists