Message-ID: <1076615688.5674.10.camel@linus.calgary.chartwelltechnology.com>
From: ksmith at chartwelltechnology.com (Kenton Smith)
Subject: Re: Re: <to various comments>EEYE: Microsoft
	ASN.1 ...

Mr. Copley,

I'm not an Eeye customer nor do I necessarily share the views of the
original poster. However, if I were you I'd quit while you're ahead.
This sort of tone from a representative of the company doesn't reflect
well on the company in general. Whether the poster is knowledgeable or
not, a professional or not, a troller or not, insults from a company
representative, in my view, will bias my opinion towards that company as
a whole. If I purchase an Eeye product and ask what the representative
thinks is a stupid question, will I get a constructive answer to help me
or will I get laughed off the phone? I don't know, and now I wonder.

There are enough people who respond with insults on this list; it'd be
nice if we didn't see it from corporate representatives as well.

Kenton

On Thu, 2004-02-12 at 12:17, Drew Copley wrote:
>  
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com 
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> > Paul Tinsley
> > Sent: Wednesday, February 11, 2004 10:57 PM
> > To: Drew Copley
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] Re: Re: <to various 
> > comments>EEYE: Microsoft ASN.1 ...
> > 
> > Drew Copley wrote:
> > 
> > >Without replying to each troll, individually, I thought maybe some 
> > >people would like to see some answers to some notes.
> > >
> > >
> > Most of these are from me, so I will personally respond to 
> > those that apply.  And believe it or not, this is not a 
> > troll, I really wanted to see people's viewpoints on this 
> > subject. 
> 
> 
> Somehow, I find this hard to believe.
> 
> 
> 
> > >These are my own comments, I speak for myself.
> > >
> > >Question: "Why release all of the details"
> > >
> > >
> > This statement is not an accurate paraphrase, I didn't say 
> > why release them all.  I said why release them all on day 0 
> > of the patch release.
> > 
> > >Answer: Polls show this is what administrators want. This is 
> > one reason 
> > >we do this. Another reason we do this is simple, we use the details 
> > >ourselves. We use the details to create signatures for our 
> > >vulnerability assessment tool and firewall. Security administrators 
> > >then download these signatures and use them to check for 
> > patches or to 
> > >protect systems which can not yet be patched.
> > >
> > >
> > Administrators don't need this crap to fix their boxes, they 
> > simply need the exploit vectors, the possible mitigation 
> > steps, and the potential severity of the vulnerability. 
> 
> <snip>
> 
> I have gone over this a few times with some others. I believe I already
> said it here. You seem to be unable to either hear it or believe it. 
> 
> In no particular order:
> 
> One, the polls show that more want it than not.
> 
> Two, we sell products which secure their boxes. We have a lot of
> customers. Our competitors do the same thing. Altogether, we are the
> industry. We have to know what the security hole was, so do our
> competitors. Then, we can protect against this. So can they. 
> 
> Three, we don't give out exploit code. You can't make an exploit from
> our advisory. I don't know you, I don't know who you are. But, frankly,
> not that many people can even write exploit code. With these bugs, you
> would have to be able to not only write the exploit code but also
> understand the cryptographic references and their implementations in the
> Windows OS. It isn't all that hard. But, it turns out, that the guys
> who can write exploit code also can reverse engineer patches... They can
> also understand our advisories, but they can also find their own bugs.
> 
> Okay?
> 
> Real world.
> 
> But, I don't think you understand that. Why should I go on? It isn't
> rocket science. But, you are saying, "I know, I know". And, you do not
> know. That is when people can neither learn nor understand.
> 
> Now, as a brief disclaimer... Security, being able to do these things is
> not something that requires someone to have a tumor in their brain that
> makes their IQ magically go up a thousand points. It requires only
> desire. This means a predisposition. You have to be willing and wanting
> to sit there and work through these things.
> 
> So, you really have no excuse not to understand these things.
> 
> You are a Monday morning quarterback. 

