Message-ID: <NMRC.666.6.66.0209191045454.6512-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: openssl exploit code (e-secure-it owned)
On Thu, 19 Sep 2002, Arjen De Landgraaf wrote:
> Thank you for taking the time to research our background,
> although a bit one-sided.
> Yes, a website got defaced a long time ago. That is a fact.
> No-one is 100% secure (Richard Clarke), and we did learn from it.
You were defaced by a known security issue. There was a patch available,
yet you still got defaced. So don't try and fall back on the "no one is
100% secure" garbage, because you were not even 50% secure when the
defacement happened.
> However, you could acknowledge that we were not the
> only one at the same time. Untold security companies
> and sites were defaced by PoizonB0x and others
> in that very same period. Including: SecurityNewsportal, CNet,
> Attrition, Lucent. Microsoft (18 times in total?), SANS,
> CERT, SecurityFocus and many others.
Was SecurityFocus actually defaced? I thought they whacked an ad server
that then placed a hacked banner on the SF site. I could be wrong though.
> If you also would have taken the effort to dig a bit further,
> you would also have found that two weeks later IDG NZ
> published a correction on their article, as it contained
> factual errors. As it happens with news media,
> the first article got spread around the world pretty
> quickly, the correction did not.
In other words, you guys made a quote, "oh it was a honeypot", then
realized how stupid it sounded so had a retraction printed.
> from readers of this list, and they are all very positive.
> In fact, you are the only negative. Even more particular,
> your review is extremely negative. Makes me wonder why.
Here is another negative one. Your site is horrible to navigate through.
> Our logs show no evidence that you actually went into
> the database to "do your review", and I must therefore ask
> questions on the objectivity of the "review" you conducted.
So your database includes a list of every known IP address that Eric might
have used?
> I challenge you to show any other online single free source with
> more complete information, any other free portal that enables
> a complete check-up on any and each IT infrastructure component,
> incl routers, firewalls, databases, O/S's etc etc. in a practical
> way. Where an IT professional can check on all components
> of their IT infrastructure on potential vulnerabilities and patches.
There is one coming, although it is different than yours. It's not being
used to sell a service, and there are no fees associated with it.
> You mentioned that the data is a week old.
> Heh, we just got it on the air last Sunday, give us a break. We
> have already had many thousands of hits within a few days. Managing
> performance is a more important issue. Anyway, the data was
> at the time of your "review" only 2 days old.
I thought you guys only did weekly updates? Can I do a dump of the entire
database for my use?
> These subscribers are very happy to pay for the added value we
> provide to them in our E-Secure-IT alerting service.
There is the kicker. You are not a free service. So don't pretend to be
one.
> The actual E-Secure-DB database component is now available to
> the global IT and business community. Free.
As a marketing ploy to sell your other services. At least be honest about
it.
> We believe that this initiative can make a powerful and positive
> difference to the IT professionals all over the world.
You are right, it probably will but don't pretend that you are not a
business and that you don't have the motive of also making money off of
this venture. That is where the problem is, in my mind anyways.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@...c.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-