[<prev] [next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FD9C4391@hermes.eCompany.gov>
From: dcopley at eeye.com (Drew Copley)
Subject: Re: Re: <to various comments>EEYE: MicrosoftASN.1 ...
> -----Original Message-----
> From: Kenton Smith [mailto:ksmith@...rtwelltechnology.com]
> Sent: Thursday, February 12, 2004 11:55 AM
> To: Drew Copley
> Cc: Paul Tinsley; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: Re: <to various
> comments>EEYE: MicrosoftASN.1 ...
>
> Mr. Copley,
>
> I'm not an Eeye customer nor do I necessarily share the views
> of the original poster. However, if I were you I'd quit while
> you're ahead.
> This sort of tone from a representative of the company
> doesn't reflect well on the company in general. Whether the
> poster is knowledgeable or not, a professional or not, a
> troller or not, insults from a company representative, in my
> view, will bias my opinion towards that company as a whole.
> If I purchase an Eeye product and ask what the representative
> thinks is a stupid question, will I get a constructive answer
> to help me or will I get laughed off the phone? I don't know,
> and now I wonder.
I am not a sales representative, however I am extremely patient and
always have been with users of our software (or my own, or anyone
else's). For years I have taken a lot of time to help people through
technical problems. And, I surely do not even mind taking a lot of
abuse. I believe in taking abuse as a matter of personal policy.
This individual did not ask a stupid question.
I think that is apparent to everyone.
Further, again, my opinions are my own. I will tell you the truth.
Perhaps to a fault, in this case. Though, I think maybe it will help him
on his way down the years.
Regardless, I had already set my mind not to deal with anymore trolls.
>
> There are enough people who respond with insults on this
> list, it'd be nice if we didn't see it from corporate
> representatives as well.
>
> Kenton
>
> On Thu, 2004-02-12 at 12:17, Drew Copley wrote:
> >
> > > -----Original Message-----
> > > From: full-disclosure-admin@...ts.netsys.com
> > > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Paul
> > > Tinsley
> > > Sent: Wednesday, February 11, 2004 10:57 PM
> > > To: Drew Copley
> > > Cc: full-disclosure@...ts.netsys.com
> > > Subject: Re: [Full-Disclosure] Re: Re: <to various
> > > comments>EEYE: Microsoft ASN.1 ...
> > >
> > > Drew Copley wrote:
> > >
> > > >Without replying to each troll, individually, I thought
> maybe some
> > > >people would like to see some answers to some notes.
> > > >
> > > >
> > > Most of these are from me, so I will personally respond to those
> > > that apply. And believe it or not, this is not a troll, I really
> > > wanted to see people's viewpoints on this subject.
> >
> >
> > Somehow, I find this hard to believe.
> >
> >
> >
> > > >These are my own comments, I speak for myself.
> > > >
> > > >Question: "Why release all of the details"
> > > >
> > > >
> > > This statement is not an accurate paraphrase, I didn't say
> > > why release them all. I said why release them all on day 0
> > > of the patch release.
> > >
> > > >Answer: Polls show this is what administrators what. This is
> > > one reason
> > > >we do this. Another reason we do this is simple, we use
> the details
> > > >ourselves. We use the details to create signatures for our
> > > >vulnerability assessment tool and firewall. Security
> administrators
> > > >then download these signatures and use them to check for
> > > patches or to
> > > >protect systems which can not yet be patched.
> > > >
> > > >
> > > Administrators don't need this crap to fix their boxes, they
> > > simply need the exploit vectors, the possible mitigation
> > > steps, and the potential severity of the vulnerability.
> >
> > <snip>
> >
> > I have gone over this a few times with some others. I
> believe I already
> > said it here. You seem to be unable to either hear it or believe it.
> >
> > In no particuliar order:
> >
> > One, the polls show that more want it then not.
> >
> > Two, we sell products which secure their boxes. We have a lot of
> > customers. Our competitors do the same thing. Altogether, we are the
> > industry. We have to know what the security hole was, so do our
> > competitors. Then, we can protect against this. So can they.
> >
> > Three, we don't give out exploit code. You can't make an
> exploit from
> > our advisory. I don't know you, I don't know who you are.
> But, frankly,
> > not that many people can even write exploit code. With
> these bugs, you
> > would have to be able to not only write the exploit code but also
> > understand the cryptographic references and their
> implementations in the
> > Window's OS. It isn't all that hard. But, it turns out,
> that the guys
> > who can write exploit code also can reverse engineer
> patches... They can
> > also understand our advisories, but they can also find
> their own bugs.
> >
> > Okay?
> >
> > Real world.
> >
> > But, I don't think you understand that. Why should I go on. It isn't
> > rocket science. But, you are saying, "I know, I know". And,
> you do not
> > know. That is when people can neither learn nor understand.
> >
> > Now, as a brief disclaimer... Security, being able to do
> these things is
> > not something that requires someone to have a tumor in
> their brain that
> > makes their IQ magically go up a thousand points. It requires only
> > desire. This means a predisposition. You have to be willing
> and wanting
> > to sit there and work through these things.
> >
> > So, you really have no excuse not to understand these things.
> >
> > You are a Monday morning quarterback.
> >
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
Powered by blists - more mailing lists