Message-ID: <81637804AB36A644BBDE3ED9DD4E73FD9C4349@hermes.eCompany.gov>
From: dcopley at eeye.com (Drew Copley)
Subject: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Paul Tinsley
> Sent: Wednesday, February 11, 2004 10:57 PM
> To: Drew Copley
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Re: <to various
> comments>EEYE: Microsoft ASN.1 ...
>
> Drew Copley wrote:
>
> >Without replying to each troll, individually, I thought maybe some
> >people would like to see some answers to some notes.
> >
> >
> Most of these are from me, so I will personally respond to
> those that apply. And believe it or not, this is not a
> troll, I really wanted to see people's viewpoints on this
> subject.
Somehow, I find this hard to believe.
> >These are my own comments, I speak for myself.
> >
> >Question: "Why release all of the details"
> >
> >
> This statement is not an accurate paraphrase, I didn't say
> why release them all. I said why release them all on day 0
> of the patch release.
>
> >Answer: Polls show this is what administrators want. This is one reason
> >we do this. Another reason we do this is simple, we use the details
> >ourselves. We use the details to create signatures for our
> >vulnerability assessment tool and firewall. Security administrators
> >then download these signatures and use them to check for patches or to
> >protect systems which cannot yet be patched.
> >
> >
> Administrators don't need this crap to fix their boxes, they
> simply need the exploit vectors, the possible mitigation
> steps, and the potential severity of the vulnerability.
<snip>
I have gone over this a few times with some others. I believe I already
said it here. You seem to be unable to either hear it or believe it.
In no particular order:
One, the polls show that more want it than not.
Two, we sell products which secure their boxes. We have a lot of
customers. Our competitors do the same thing. Altogether, we are the
industry. We have to know what the security hole was, so do our
competitors. Then, we can protect against this. So can they.
Three, we don't give out exploit code. You can't make an exploit from
our advisory. I don't know you, I don't know who you are. But, frankly,
not that many people can even write exploit code. With these bugs, you
would have to be able to not only write the exploit code but also
understand the cryptographic references and their implementations in the
Windows OS. It isn't all that hard. But, it turns out, that the guys
who can write exploit code also can reverse engineer patches... They can
also understand our advisories, but they can also find their own bugs.
Okay?
Real world.
But, I don't think you understand that. Why should I go on? It isn't
rocket science. But, you are saying, "I know, I know". And, you do not
know. That is when people can neither learn nor understand.
Now, as a brief disclaimer... Security, being able to do these things is
not something that requires someone to have a tumor in their brain that
makes their IQ magically go up a thousand points. It requires only
desire. This means a predisposition. You have to be willing and wanting
to sit there and work through these things.
So, you really have no excuse not to understand these things.
You are a Monday morning quarterback.