lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 Jan 2007 15:17:16 -0500
From: Simon Smith <simon@...soft.com>
To: Blue Boar <BlueBoar@...evco.com>
Cc: Untitled <full-disclosure@...ts.grok.org.uk>, bugtraq@...urityfocus.com
Subject: Re: iDefense Q-1 2007 Challenge

Well, 
    I guess that miscommunication sums it up and I apologize (publicly) for
being such a snappy brat. For the record though, this isn't something that
the company markets at all. We've been doing this for a while and are very
selective about who we work with. Hence, why there is no real marketing.

    I wanted to test the waters and see what kind of response I could get
from the community. So far, its been very interesting.


On 1/16/07 3:06 PM, "Blue Boar" <BlueBoar@...evco.com> wrote:

> Simon Smith wrote:
>> Blue Boar, 
>>     Simply put, and with all due respect, you're wrong.
> 
> About? I see basically two assertions in my note; 1) that I would sell
> to iDefense or TippingPoint. Surely you're not going to tell me what I
> would do? And 2) That iDefense isn't doing the same thing that Blackhats
> are. Is the latter one the one you disagree with?
> 
>> Furthermore I don't
>> appreciate you directly or indirectly suggesting that these exploits are
>> being sold on the black market, that will never happen on my watch, ever!
> 
> If you look carefully, you'll see I was replying to Kevin, who did make
> a comparison to selling to blackhats. I hadn't even seen your note at
> the point, and I wasn't replying to you, and I didn't quote anything you
> wrote.
> 
> So I assume you think I was saying that your company is selling to
> blackhats. I wouldn't think you were. Certainly you don't mean to claim
> that, in general, the entire market never sells to blackhats, nor that
> you have any control over what others do.
> 
>>     More importantly, the company that I am working with is no different
>> than iDefense. In fact, they both sell their exploits and harvested research
>> to the same people. The only real difference is in the amount of money that
>> the researcher realizes when the transactions are complete. This difference
>> is a direct result of low corporate overhead.
>> 
>>     Lastly, all transactions require that the researcher engage the company
>> that I work with in a tight contract. This contract ensures that both
>> parties are legitimate and also protects both parties. They don't do that on
>> the black market do they?
> 
> So, is the problem that I didn't realize you guys also bought vulns, and
> that you pay more? No, I had no idea that you did. I guess some better
> marketing is in order. The quarterly challenge thing is pretty good for
> publicity, maybe you guys should do one of those.
> 
> BB


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ