| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: vxdude2003 at yahoo.com (VX Dude) Subject: iDefense: Solution or Problem? Just a quick thought for a business plan. 1) Start off with a low investment of $1200. 2) Buy a couple chunks of Entersys source code from SCC 3) Find vulnerabilities and write 0-day exploits 4) give 0day to your investors 5) sell 0day to iDefense (or Sourcefire hahahahaha) for $300 a pop 6) Use profits of sale to buy more chunks of sourcecode 7) Repeat steps 3-6 until complete 8) Release code as "open source" dimishing its corporate value 9) make a business using this "open source" IDS and compete with Sourcefire hahahahaha 10) Release IPO =D Now, I'm no lawyer, but Hollywood has taught me that its probably illegal to _knowingly_ buy illegal goods (such as entersys source), but! is it illegal for iDefense to buy the research from illegal bought goods? -vx _______________________________________________ Full-Disclosure - We suck it. Charter: http://lists.netsys.com/full-disclosure-charter.html --- idefense@...hmail.com wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Michael, you claim that this is a typo, but is it > really? Even if this > is a typo, how do you explain waiting over a month > to contact the vendor? > How do you explain past times when iDefense waited > over a year to notify > a vendor? How does this relate to the iDefense > disclosure policy? > > http://www.idefense.com/legal_disclosure.jsp > iDEFENSE will responsibly inform vendors as soon as > possible after having > learned of a problem with their product(s) or > service(s). > > Note: ".. will responsibly inform vendors as soon as > possible after having > learned of a problem". There is absolutely no > debating that this is pure > marketing fluff and not how iDefense operates. Look > at their history > of vulnerability disclosure and their timelines for > proof. The real question > becomes, just how unethical and how greedy iDefense > really is! Further, > > are they now rewriting history to desperately > protect their already > dark image? Witness: > > http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html > Adobe Reader 6.0 Filename Handler Buffer Overflow > Vulnerability > VII. DISCLOSURE TIMELINE > 02/02/2003 Exploit discovered by iDEFENSE > 03/11/2004 Initial vendor notification > > Did iDefense sit on this vulnerability for 17 > months? Shortly before > or after Cary Barker pointed this out on > Full-Disclosure > (http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html), > iDefense > seems to have had a change of heart! > > http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities > 02/02/2004 Exploit discovered by iDEFENSE > 03/11/2004 Initial vendor notification > > The first and understandable reaction (excuse) would > be "iDefense had > a typo", but once again, digging into their past > vulnerabilities, is > that really the case?! Even if THIS advisory had a > typo, how about some > others this year?! > > http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities > 04/03/2003 Vulnerability acquired by iDEFENSE > 07/08/2004 Public disclosure > > http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities > 04/05/03 Vulnerability acquired by iDEFENSE > 05/17/04 Public disclosure > > http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities > April 2, 2003 Exploit acquired by iDEFENSE > May 12, 2004 Coordinated public disclosure > > Sitting on vulnerabilities for a year before > notifying the vendors is > not what 'white hat' hackers do. These aren't the > actions of a reputable > security company. Combine this with the fact you > sell this information > to people in foreign companies and governments, > including some that are > "harboring terrorists" (according to our government) > makes your actions > potentially criminal. What, you haven't checked your > client list carefully? > Selling vulnerability information to terrorist > nations isn't very friendly > to the US! > > Looking back at your 2004 advisories (and some in > 2003), could anyone > at iDefense explain how their responsible disclosure > policy applies? > Here is a general idea of their disclosure process > and time frames: > > Advisory Discovery Publish Vend Notify Publish > Time > 07.12.04 03-02-02 04-07-12 13 mo 7 d 17 mo 10 > d > 07.09.04 04-06-29 04-07-09 7 d 10 > d > 07.08.04 03-04-03 04-07-08 14 mo 26 d 15 mo 5 > d > 07.01.04 03-09-27 04-07-01 8 mo 7 d 9 mo 4 > d > 06.23.04 04-04-21 04-06-23 14 d 2 mo 2 > d > 06.21.04 04-02-26 04-06-21 3 mo 13 d 3 mo 25 > d > 06.10.04 04-04-14 04-06-10 28 d 1 mo 26 > d > 06.08.04 04-04-27 04-06-07 22 d 1 mo 10 > d > 06.07.04 03-04-05 04-05-17 13 mo 2 d 13 mo 12 > d > 05.27.04 04-02-18 04-05-27 20 d 3 mo 9 > d > 05.26.04 04-02-18 04-05-26 20 d 3 mo 8 > d > 05.12.04 03-04-02 04-05-12 12 mo 5 d 13 mo 10 > d > 04.15.04 03-12-08 04-04-15 1 mo 16 d 5 mo 7 > d > 04.14.04 04-01-09 04-04-14 1 mo 11 d 3 mo 5 > d > 04.13.04 04-01-12 04-04-13 5 d 2 mo 24 > d > 04.05.04 04-01-09 04-04-05 1 mo 16 d 2 mo 26 > d > 03.19.04 04-01-13 04-03-19 24 d 2 mo 5 > d > 03.09.04 03-10-10 04-03-11 1 mo 2 d 5 mo 1 > d > 03.02.04 04-01-22 04-03-02 25 d 1 mo 10 > d > 02.27.04 04-01-13 04-02-27 26 d 1 mo 14 > d > 02.27.04 04-02-04 04-02-27 6 d 23 > d > 02.23.04 03-12-08 04-02-23 1 mo 21 d 2 mo 15 > d > 02.17.04 03-10-31 04-02-17 4 mo 2 d 4 mo 19 > d > 02.12.04 04-02-09 04-02-12 0 d 3 > d > 02.10.04 04-01-09 04-02-10 24 d 1 mo 1 > d > 02.04.04 03-12-08 04-02-02 1 mo 21 d 1 mo 24 > d > 09.25.03 03-02-25 ? 8 mo 0 d ? > 07.29.03 03-04-20 03-07-29 2 mo 11 d 3 mo 9 > d > 07.01.03 03-03-11 03-07-01 3 mo 0 d 3 mo 19 > d > 05.22.03 02-12-31 03-05-22 4 mo 17 d 5 mo 22 > d > 02.12.03 02-10-31 03-02-12 2 mo 29 d 3 mo 13 > d > 02.03.03 02-01-11 03-02-10 12 mo 9 d 12 mo 29 > d > > "iDEFENSE will responsibly inform vendors as soon as > possible after having > learned of a problem with their product(s) or > service(s)." > > Five different times, iDefense sat on a > vulnerability for OVER A YEAR. > They routinely wait one or more months to notify the > vendor. Is that > "as soon as possible"? Of course not, that would > hurt the bottom line. > > > Sincerely, > Dark Elf > > > > References > > 07.12.04 - Adobe Reader 6.0 Filename Handler Buffer > Overflow Vulnerability > http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities > 02/02/2004 Exploit discovered by iDEFENSE > 03/11/2004 Initial vendor notification > 03/11/2004 Initial vendor response > 03/11/2004 iDEFENSE clients notified > 06/07/2004 Vendor update released > 07/12/2004 Public Disclosure > * original full-disc post listed 02/02/2003 > discovery date > > > 07.09.04 - wvWare Library Buffer Overflow > Vulnerability > http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities > 06/29/2004 Initial vendor contact > 07/06/2004 Vendor response > === message truncated === __________________________________ Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish. http://promotions.yahoo.com/new_mail
Powered by blists - more mailing lists