From: dcopley at eeye.com (Drew Copley)
Subject: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

Without replying to each troll individually, I thought maybe some
people would like to see some answers to some notes.

These are my own comments, I speak for myself. 

Question: "Why release all of the details"

Answer: Polls show this is what administrators want. This is one reason
we do this. Another reason we do this is simple: we use the details
ourselves. We use the details to create signatures for our vulnerability
assessment tool and firewall. Security administrators then download
these signatures and use them to check for patches or to protect systems
which cannot yet be patched.

It does not matter if it is eEye you are talking about in this scenario,
or one of our competitors. This is the "behind the scenes" picture of
what happens when a patch is released. 

When we - or our competitors - do not have full details on a
vulnerability, we have to reverse engineer the patch to do so. And, we
all do this. 

So, people complaining about us releasing all of the details... They
simply are ignorant of what must be done in this process. They like to
scream and shout about how a worm will be coming and such, never mind
that they don't even understand our advisories in the first place.


And if this does not make it all incredibly clear, let's spell it out
for them: we can reverse engineer the patches and have to... If virus
writers want to, they can, too.

Question/Comment: "Wow, Microsoft kept this for six months!"

Answer: People have not been paying attention. Look at our advisories.
We have reported dates and release dates. Microsoft's average is now
getting to be about six months. It used to be three months. Here and
there they would do a six month patch. Now, the full average is creeping
towards there.

It is akin to a backdoor in their OS. It is shameful. It drives away
some researchers who don't want to wait six months. It puts a grave
responsibility on every software vendor. How many "backdoors" do you
really think the NSA has [to use a popular urban myth]? How many
"backdoors" do you think your typical security company has?

Question/Comment: "What is this thing with rapping?"

Answer: We have had these kinds of things in our advisories since we
started releasing them way back when. 

Derek, at times, feels the need to bust a rhyme. 

You are not going to stop him.

And, I have tried. Knives, ropes, pits, strangulation. He is quite wily.

Question/Comment: "You Guys Are Doing This For the Money and Fame!"

Answer: If we were doing this from corrupt motives we would be in the
Bahamas right now. Come on. Don't be stupid. 
