Message-ID: <Pine.BSO.4.33.0207191925370.19460-100000@vikki.vulnwatch.org>
From: weld at vulnwatch.org (Chris Wysopal)
Subject: Symantec Buys SecurityFocus, among others....


On Fri, 19 Jul 2002 haiku@...hmail.com wrote:

> Or better, thousands per advisory when a consultant for a certain
> company shows up to audit networks.  What's @stake's billable rate
> these days?

As a consulting company that publishes vulnerability information and tools,
we contribute to the pool that we drink out of.

> First and foremost, let me say this list is complete dogshit.  I'd like
> to go on the record with my opinion being that moderated mailing lists
> are a good thing.  It keeps all the fucking whining to a minimum.  You
> think I actually care that your information is being resold?  No!  I
> just want the information, delivery medium negotiable.  I could give a
> fat rats ass if you get credit, either.  That's one thing I can say for
> any vulnerability database; at least I don't have to listen to a bunch
> of punkasses and their incessant boohooing; instead, I get just the
> pertinent information.  At the end of the day, I don't give a fuck who
> you are, or how great you think you are; I care that my systems are
> secure, and that's the bottom line.
>

So would you use a non-profit database that was populated by the
vulnerability reporters themselves? That is what I am proposing.


> Second, I've been amazed at what big fucking morons the "esteemed
> hackers" in the community are.  Especially Chris and Jay.  Wow!  I
> thought you guys were really intelligent, and to some extent, had a
> moderate amount of respect for you two.  The only thing I've seen from
> any of you at this point is hidden agenda.  You guys are truly
> disgusting.  You guys set the bar for low.  Proof that nothing is ever
> what it seems.

For wanting a public vulnerability database?  This is what the security
community is currently missing in a public and open format. There are open
source NIDS, vuln scanners, and other security tools. There are public
security mailing lists. There is a public vuln dictionary, CVE.  But there
is no public vuln database.  Why is everything else good to have
non-commercial alternatives for except a vuln database?  The open source
tools could tie into it.

>
> supply for the sake of creating something for the common good.  The
> first person that comes to mind is Renaud Deraison.  Yeah, you guys are
> fucking brilliant, right?  Make the information copyrighted, so he
> can't continue to work on a FREE project continually exploited, and at
> least try to sell support so he can pay the fucking rent?  Jesus.

I certainly didn't mention restricting information.  A public vulnerability
database would require the information to be open so that it could be in
the database.

> And let's not even talk about Marty Roesch.  If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man.  He runs a great project,
> and I'll bet not a single one of you whining bitches hasn't used it,
> and if you consult, haven't provided it as a "solution" that you
> charged some company billable hours for.  So now you want to take the
> information that he needs as well, and restrict him from it?  Looks to
> me like he's finally getting his company off the ground, and you guys
> want to fuck him now too?

@stake employees have contributed to the Snort project. I actually was
using Snort earlier today on a product pen test.  It's great.  Marty has
created something wonderful. A public vulnerability database would enhance
Snort, not hurt it.  We don't really do implementation work but we have
recommended to some of our customers that they install Snort.

> separate them.  I still nearly fall off my chair with laughter when I
> visualize Chris sucking up to MS, and trying to push the "responsible
> disclosure" agenda while moderating an allegedly "full disclosure"
> list, and posting to others.  You're a man of many faces, Chris, all of
> them in twos.  I'll not even pick on Jay; I really feel pity on him.

You can support the First Amendment and still limit what you personally say
and write.  I choose not to be vulgar in my list postings and I might even
advocate for others to not be vulgar but I would never want to ban that
language.  I think it is a benefit to security if people can patch their
boxes before exploits are written.  Nothing is a single bullet solution but
I think that certain disclosure practices can help make this happen.
Obviously a lot has to be done better on the vendor side.  So while
advocating for people to follow certain disclosure practices I still don't
think there should be a law restricting free speech.  Once someone has
chosen to publish information they are going to publish it.  It is better
for the community that VulnWatch approve these messages so that everyone
can get the information at the same time.

-Chris



> haiku

