Message-ID: <107A63CDD8FCD511BA9F0050BAB07BA82DE543@NHEX1101>
From: arjen.de.landgraaf at cologic.co.nz (Arjen De Landgraaf)
Subject: openssl exploit code (e-secure-it owned)
Erik,
Thank you for your contributions in your email replies.
If you don't mind, I would like to address them here:
1. Re the PoizonB0x defacement.
Thank you for taking the time to research our background,
although it was a bit one-sided.
Yes, a website got defaced a long time ago. That is a fact.
No-one is 100% secure (Richard Clarke), and we did learn from it.
However, you could acknowledge that we were not the
only ones at the time. Untold security companies
and sites were defaced by PoizonB0x and others
in that very same period. Including: SecurityNewsportal, CNet,
Attrition, Lucent, Microsoft (18 times in total?), SANS,
CERT, SecurityFocus and many others.
I assume your comments at the time to SecurityFocus
were similar to your comments to us yesterday?
If you had also taken the effort to dig a bit further,
you would have found that two weeks later IDG NZ
published a correction to their article, as it contained
factual errors. As happens with news media,
the first article spread around the world pretty
quickly; the correction did not.
2. Your review of the www.e-secure-db.us vulnerability
database:
Your "review" contained one sentence: the database is crap.
Interestingly, we have had many, many comments
from readers of this list, and they are all very positive.
In fact, you are the only negative one. More particularly,
your review is extremely negative. That makes me wonder why.
I read on your website (www.mindsec.com) that you
conduct reviews and that your title is "Writer, Vendor Relations".
Our logs show no evidence that you actually went into
the database to "do your review", and I must therefore
question the objectivity of the "review" you conducted.
I challenge you to show any other single free online source with
more complete information, any other free portal that enables
a complete check-up on any and every IT infrastructure component,
incl. routers, firewalls, databases, OSes, etc., in a practical
way, where an IT professional can check all components
of their IT infrastructure for potential vulnerabilities and patches.
3. Your comment on the data
You mentioned that the data is a week old.
Heh, we just got it on the air last Sunday, give us a break. We
have already had many thousands of hits within a few days. Managing
performance is a more important issue. Anyway, the data was,
at the time of your "review", only 2 days old.
We improved E-Secure-IT and the E-Secure-DB database over the
last two years, with many international Asia Pacific corporate
subscribers giving us awesome feedback on where we could
improve and how it can best work for them.
These subscribers are very happy to pay for the added value we
provide to them in our E-Secure-IT alerting service.
The actual E-Secure-DB database component is now available to
the global IT and business community. Free.
We do this as a contribution to the global IT community;
we have taken this initiative to AT LEAST be able to make
an (even if small) positive difference to an incredibly
stifling worldwide situation: that we all have to rely on Information
Technology and communication infrastructures, but that the
foundation of IT is inherently insecure.
In fact, the US government document, "The National
Strategy to Secure Cyberspace", released today, is
inviting and welcoming private initiatives such as ours.
"Richard Clarke is urging users to take responsibility for
increasing cybersecurity. Alan Paller of the SANS Institute
agreed: 'Those who don't [bolster security] put all the
rest of us at risk.'"
"National Security Agency (NSA) Richard George of the
Security Evaluation Group believes security would improve
if "users are aware enough of security to employ the
technology that's available." George also believes that
software vendors will not provide adequate security,
and user vigilance will be necessary to maintain patches
and system security."
We have released this database to contribute to the (probably
more than 5-10 million) overworked IT admins in the "real world"
in the USA, as well as Europe, Asia, the Pacific, etc., who do not
have the luxury of time or resources to sit behind their PC
half the day tracking possible vulnerabilities.
It is the "re-inventing the wheel" a million times a day, having to
track potential vulnerabilities across hundreds of disparate sources,
that is incredibly wasteful to our global society, where
highly paid IT security professionals all have to do the same thing
over and over again.
Their bosses actually want them to do something about the
other 50 or so pressing daily IT issues that a business
has. And their bosses still think that IT security is not
a real issue and does not contribute to the business's bottom line.
We believe that this initiative can make a powerful and positive
difference to the IT professionals all over the world.
Arjen
Co-Logic Security
www.e-secure-db.us
-----Original Message-----
From: Erik Parker [mailto:eparker@...dsec.com]
Sent: Wednesday, 18 September 2002 10:08 a.m.
To: Arjen De Landgraaf
Cc: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] openssl exploit code (e-secure-it owned)
Just wanted to make note, I hope your initiative for your database has more
effort than your initiative to secure your own boxes.
http://defaced.alldas.org/mirror/2001/06/15/www.e-secure-it.co.nz/
tsk tsk, owned by PoizonB0x? Forgot to lock down frontpage? I hate that.
http://www.attrition.org/errata/sec-co/co-logic01.html
Co-Logic owned..
Nice article too, http://www.theregister.co.uk/content/55/20255.html
I'd like to meet the engineer who thought a honeypot on the same network as
your production servers was a good idea.
> We have taken the initiative to place a completely free,
> very extensive and complete ICT security vulnerability
> database on the web, for the IT security world to
> use as a possible resource.