Mailing List Archive

I hate to say this guys but with all due respect:

I told you so!

Steve Manzuik
Moderator - VulnWatch
www.vulnwatch.org


----- Original Message -----
From: "Charles 'core' Stevenson" <core@bokeoa.com>
To: <full-disclosure@lists.netsys.com>
Sent: Wednesday, July 17, 2002 3:07 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....


> Isn't it great how the community is so nice in supporting the
> exploitation and misuse of proprietary exploit source code to further
> the large companies for-profit endeavours?
>
> peace,
> core
>
> securityguru@hushmail.com wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > FYI
> >
> > Symantec to Acquire SecurityFocus
> >
> > Offers Most Complete Security Early Warning System Available
> >
> > CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today
announced the acquisition of SecurityFocus for approximately US$75 million
in cash. With this acquisition, Symantec will offer customers the most
comprehensive, proactive early warning system across the broadest range of
threats. The transaction is expected to close by early to mid-August 2002.
> >
> > "SecurityFocus has established the most respected security community and
developed one of the leading early warning systems for customers around the
world," said John W. Thompson, Symantec chairman and chief executive
officer. "This acquisition will broaden Symantec's leadership in Internet
security response with the addition of the world's first global threat
management system, the most complete vulnerability database and customizable
alert services."
> >
> > "We have developed our global threat management systems to provide
customers with timely and actionable information relevant to their
individual networks," said Arthur Wong, SecurityFocus co-founder and chief
executive officer. "Combined with Symantec's world-class antivirus
expertise, industry-leading intrusion detection solutions and back-end
infrastructure, we can rapidly deploy the most comprehensive threat
management solutions to our global customers worldwide."
> >
> > SecurityFocus has developed the world's most comprehensive and
up-to-date database of vulnerabilities available. Symantec will continue to
license the Vulnerability Database to security product vendors, managed
service providers and other organizations that use it to create powerful new
security products and services for their customers.
> >
> > In addition, Symantec will continue to manage the Bugtraq mailing list
and the online security community under the SecurityFocus brand. It will
continue to offer a forum for objective reporting by security experts on the
latest IT threats and attacks as well as how to prevent security breaches.
> >
> > Symantec will also leverage the DeepSight line of global threat
management solutions. The DeepSight Threat Management System provides early
warning of attacks along with specific threat and patch information allowing
companies to proactively protect their networks. More than 15,000 partners
in more than 175 countries are registered to automatically provide a
constant stream of security data that is correlated and analyzed to identify
active attacks.
> >
> > DeepSight Analyzer gives IT professionals the ability to track and
manage incidents on their own networks by automatically correlating attacks
from a multitude of intrusion detection solutions. The product manages
threats by comparing incidents on their network against the Vulnerability
Database, tracking attacks to resolution and generating statistical incident
reports. Using information about suspicious network traffic and intrusions
submitted by anonymous users, SecurityFocus identifies patterns in attacks
that help serve as a threat-gauging system for the Internet community.
> >
> > By monitoring almost 11,000 distinct versions of more than 2,700
products from 1,300 vendors, SecurityFocus provides proactive, customized
alert services for environment-specific vulnerabilities and malicious code
alerts. DeepSight Alert Services can be configured to ensure that customers
receive only alerts that are relevant to their networks, enabling them to
deploy patches or work-arounds before vulnerabilities can be exploited.
> > -----BEGIN PGP SIGNATURE-----
> > Version: Hush 2.1
> > Note: This signature can be verified at https://www.hushtools.com
> >
> > wmEEARECACEFAj011XAaHHNlY3VyaXR5Z3VydUBodXNobWFpbC5jb20ACgkQns+IF5jR
> > p67CuACgr7I8ULyDUiIpD59Td9t8FZSw17wAoIbpaURMGZ7PBkZtnQ0Yxub/W0hW
> > =LmOt
> > -----END PGP SIGNATURE-----
> >
> >
> > Communicate in total privacy.
> > Get your free encrypted email at https://www.hushmail.com/?l=2
> >
> > Looking for a good deal on a domain name?
http://www.hush.com/partners/offers.cgi?id=domainpeople
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Full-Disclosure@lists.netsys.com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> >
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure

Isn't it great how the community is so nice in supporting the
exploitation and misuse of proprietary exploit source code to further
the large companies for-profit endeavours?

peace,
core

securityguru@hushmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> FYI
>
> Symantec to Acquire SecurityFocus
>
> Offers Most Complete Security Early Warning System Available
>
> CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today announced the acquisition of SecurityFocus for approximately US$75 million in cash. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats. The transaction is expected to close by early to mid-August 2002.
>
> "SecurityFocus has established the most respected security community and developed one of the leading early warning systems for customers around the world," said John W. Thompson, Symantec chairman and chief executive officer. "This acquisition will broaden Symantec's leadership in Internet security response with the addition of the world's first global threat management system, the most complete vulnerability database and customizable alert services."
>
> "We have developed our global threat management systems to provide customers with timely and actionable information relevant to their individual networks," said Arthur Wong, SecurityFocus co-founder and chief executive officer. "Combined with Symantec's world-class antivirus expertise, industry-leading intrusion detection solutions and back-end infrastructure, we can rapidly deploy the most comprehensive threat management solutions to our global customers worldwide."
>
> SecurityFocus has developed the world's most comprehensive and up-to-date database of vulnerabilities available. Symantec will continue to license the Vulnerability Database to security product vendors, managed service providers and other organizations that use it to create powerful new security products and services for their customers.
>
> In addition, Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand. It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches.
>
> Symantec will also leverage the DeepSight line of global threat management solutions. The DeepSight Threat Management System provides early warning of attacks along with specific threat and patch information allowing companies to proactively protect their networks. More than 15,000 partners in more than 175 countries are registered to automatically provide a constant stream of security data that is correlated and analyzed to identify active attacks.
>
> DeepSight Analyzer gives IT professionals the ability to track and manage incidents on their own networks by automatically correlating attacks from a multitude of intrusion detection solutions. The product manages threats by comparing incidents on their network against the Vulnerability Database, tracking attacks to resolution and generating statistical incident reports. Using information about suspicious network traffic and intrusions submitted by anonymous users, SecurityFocus identifies patterns in attacks that help serve as a threat-gauging system for the Internet community.
>
> By monitoring almost 11,000 distinct versions of more than 2,700 products from 1,300 vendors, SecurityFocus provides proactive, customized alert services for environment-specific vulnerabilities and malicious code alerts. DeepSight Alert Services can be configured to ensure that customers receive only alerts that are relevant to their networks, enabling them to deploy patches or work-arounds before vulnerabilities can be exploited.
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wmEEARECACEFAj011XAaHHNlY3VyaXR5Z3VydUBodXNobWFpbC5jb20ACgkQns+IF5jR
> p67CuACgr7I8ULyDUiIpD59Td9t8FZSw17wAoIbpaURMGZ7PBkZtnQ0Yxub/W0hW
> =LmOt
> -----END PGP SIGNATURE-----
>
>
> Communicate in total privacy.
> Get your free encrypted email at https://www.hushmail.com/?l=2
>
> Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>

Jay,

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

That's exactly what needs to happen :)

> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

Amen.

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Well said! I'm not sure I really have much to say except yes yes yes!

peace,
core

> - -Jay
>
> 1. About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
>
> ( ( _______
> )) )) .--"There's always time for a good cup of coffee"--. >====<--.
> C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) | = |-'
> `--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE9NydyGI2IHblM+8ERAnaNAKCAbUUQpAJLuGrkqxlOsflXBJm6dACgkSlH
> Y4MHjqIe6qAM28/cSenTBTA=
> =9ErK
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>

On Thursday, July 18, 2002 16:39, Jay D. Dyson [mailto:jdyson@treachery.net] wrote:

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Allow me to recommend the use of a trivial encryption algorithm to protect
exploits and advisories such that any for-profit company must circumvent
it in order to use it for their own purposes. Perhaps distribute advisories
with the "do not copy" flag set on a .pdf. This would give DMCA protection
to the copyright and allow researchers to sue if their "protection measures"
are circumvented by companies looking to make money off of the research.

-E

----- Original Message -----
From: "Jay D. Dyson" <jdyson@treachery.net>
To: <full-disclosure@lists.netsys.com>
Sent: Thursday, July 18, 2002 9:39 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

[snip]

> Indeed. And many of us did see this coming...yet few did anything
> about it. Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

[snip]

I'm also wondering what will happen to the pretty extensive vulnerability
database et al ?
Pay per sploit ?
;-)

Cheers,
JJ

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Jul 2002, Ed Moyle wrote:
> Allow me to recommend the use of a trivial encryption algorithm to protect
> exploits and advisories such that any for-profit company must circumvent
> it in order to use it for their own purposes. Perhaps distribute advisories
> with the "do not copy" flag set on a .pdf. This would give DMCA protection
> to the copyright and allow researchers to sue if their "protection measures"
> are circumvented by companies looking to make money off of the research.

That sounds good in theory, but in practice any sizable company would
devour us, regardless of what the law says. The law is immaterial next to
money.

- --
Mark Earnest
~~~~~~~~~~~~
Senior Systems Programmer
ASET/Emerging Technologies
Penn State University

Email: mxe20@psu.edu
Office Phone: 814-863-2064
Public Key - http://mearnest.oas.psu.edu/gpgkey.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE9Nzn2XIT9wt3I2GMRAkfLAKCk+7MZSbTBqL405BLf8DH1z57BQACeOXWH
JlJ+OmrHRuQz1KN84jiF0fE=
=LjdH
-----END PGP SIGNATURE-----

Jay D. Dyson wrote:
> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Interesting concept. How do you propose to copyright an idea? You can
decline to let someone mirror your exploit or advisory verbatim, but
there's nothing you can do to keep someone from reporting about a
vulnerability.

BB

also sprach Ed Moyle <emoyle@scsnet.csc.com> [2002.07.18.2313 +0200]:
> Allow me to recommend the use of a trivial encryption algorithm to protect
> exploits and advisories such that any for-profit company must circumvent
> it in order to use it for their own purposes. Perhaps distribute advisories
> with the "do not copy" flag set on a .pdf. This would give DMCA protection
> to the copyright and allow researchers to sue if their "protection measures"
> are circumvented by companies looking to make money off of the research.

Way Symantec were to use such a document, one that I created in the
sweat of my singletude. Do you think I'd have *any* chance on claiming
my rights???

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

1-800-psych: hello, welcome to the psychiatric hotline.
if you have multiple personalities, please press 3, 4, 5 and 6.

also sprach Jay D. Dyson <jdyson@treachery.net> [2002.07.18.2239 +0200]:
> Indeed. And many of us did see this coming...yet few did anything
> about it. Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

How many people are we by now?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Right on. Let's just stick to this forum and not use Bugtraq anymore.
Or make your vulnerabilities available here 2 days before you post to
bugtraq (moderation only takes a day).

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

if you don't understand or are scared by any of
the above ask your parents or an adult to help you.

also sprach Nexus <nexus@patrol.i-way.co.uk> [2002.07.18.2325 +0200]:
> I'm also wondering what will happen to the pretty extensive vulnerability
> database et al ?

Is there anyone with the capabilities to extract a mirror?
(I'd notify webmaster@ before doing so...)

I can't provide the bandwidth or server space, unfortunately...

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

you're in college. you've made a mistake.

What about publishing and copyrighting the exploit? It's more legal
ammo to go after whoever uses it for malicious purposes.

Of course this doesn't *stop* the use of the exploit (discourages
perhaps?), it just increases the penalties when one gets caught using
it.


-Eric


On Thu, 18 Jul 2002, Blue Boar wrote:

> > Perhaps the best way to beat these cash hounds at their own game
> > is to start using a strictly not-for-profit licensing on all
released
> > advisories and proof-of-concept code which stipulates that
for-profit
> > companies may not use said information in any way.
>
> Interesting concept. How do you propose to copyright an idea?

The idea cannot be copyrighted[1], but the code (which includes
the exploit methodology) can be copyrighted with all the cursory terms
and conditions for use.


> You can decline to let someone mirror your exploit or advisory
verbatim,
> but there's nothing you can do to keep someone from reporting about a
> vulnerability.

Sure you can...especially under the auspices of the DMCA. Hell,
when you get down to it, all we need is one wild-eyed lawyer[2] on our
side who'll toss a flurry of lawsuits and we'll pretty much have the
corporate security firms by the short-and-curlies.

All kidding aside, I like the notion of encrypting the data and
putting stipulations on the decryption. Seems rather like poetic
justice
to me. Call it the Sklyarov cipher...

- -Jay

1. Ideas, names and phrases can be trademarked, however.

2. Maybe one with experience via the Church of Scientology, or the one
who brought us McDonald's coffee cups that now read "Allow to cool
before applying to genitals"...

( (
_______
)) )) .--"There's always time for a good cup of coffee"--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) | =
|-'
`--' `--' `-- I'll be diplomatic...when I run out of ammo. --'
`------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE9N0pAGI2IHblM+8ERAlAnAJ9AbZ/g4I5cPUL3KogHYDjQK5p4VgCeN1pY
Q9sVUOYHOhysxYYetRqAzCo=
=+6qq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure@lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure

On Fri, Jul 19, 2002 at 12:52:23AM +0200, martin f krafft wrote:
> Is there anyone with the capabilities to extract a mirror?
> (I'd notify webmaster@ before doing so...)

A friend of mine already mirrored it. Im not sure as to how well it
turned out since I havent had a chance to look at it yet, but it
appears that everything is there.

A dump of whatever database its in would be a much nicer method
of doing this.

> I can't provide the bandwidth or server space, unfortunately...

I can provide both the bandwidth and server space, but what would
the legal issues be with mirroring it? My lawyer wont even offer
any advice on this one.

Suggestions/advice anyone?

gdd@siliconinc.net

Jay D. Dyson wrote:
> The idea cannot be copyrighted[1], but the code (which includes
> the exploit methodology) can be copyrighted with all the cursory terms
> and conditions for use.

You can't copyright an algorithm, only an implementation. You need a
patent to protect an algorithm. Good luck patenting buffer overflows.

>>You can decline to let someone mirror your exploit or advisory verbatim,
>>but there's nothing you can do to keep someone from reporting about a
>>vulnerability.
> Sure you can...especially under the auspices of the DMCA. Hell,
> when you get down to it, all we need is one wild-eyed lawyer[2] on our
> side who'll toss a flurry of lawsuits and we'll pretty much have the
> corporate security firms by the short-and-curlies.

You think you can stop a news agency from reporting that there is a
vulnerability in product X, that works like Y and Z? I think you'll find
you're mistaken. I'd love to see it play out, though.

> 1. Ideas, names and phrases can be trademarked, however.

Not ideas. Names, yes.. but that just means someone has to call their
version of the exploit something different. And trademarks are expensive
to obtain and defend.

>
> 2. Maybe one with experience via the Church of Scientology, or the one
> who brought us McDonald's coffee cups that now read "Allow to cool
> before applying to genitals"...

Many people can be intimidated with a lawsuit. Seems like the groups in
particular you are concerned about aren't the ones to try threatening with
lawyers, though.

BB

Blue Boar replied to Jay D. Dyson:

> > The idea cannot be copyrighted[1], but the code (which includes
> > the exploit methodology) can be copyrighted with all the cursory terms
> > and conditions for use.
>
> You can't copyright an algorithm, only an implementation. You need a
> patent to protect an algorithm. Good luck patenting buffer overflows.
>
> >>You can decline to let someone mirror your exploit or advisory verbatim,
> >>but there's nothing you can do to keep someone from reporting about a
> >>vulnerability.
> > Sure you can...especially under the auspices of the DMCA. Hell,
> > when you get down to it, all we need is one wild-eyed lawyer[2] on our
> > side who'll toss a flurry of lawsuits and we'll pretty much have the
> > corporate security firms by the short-and-curlies.
>
> You think you can stop a news agency from reporting that there is a
> vulnerability in product X, that works like Y and Z? I think you'll find
> you're mistaken. I'd love to see it play out, though.
>
> > 1. Ideas, names and phrases can be trademarked, however.
>
> Not ideas. Names, yes.. but that just means someone has to call their
> version of the exploit something different. And trademarks are expensive
> to obtain and defend.

Release exploits with the vaguest of descriptions as to how they work
(lost for examples -- just copy'n'paste the "technical bits" of some
of the security bulletins from MS...). Have the _only_ PoC code a
compiled binary loaded with copyright notices forbidding reversing,
etc. Be sure to use some "encryption" (extremely trivial is OK as
complexity doesn't matter; can you say XOR?) in the PoC to "protect"
the important secret (generally the overflow "string" itself). Be
capricious in who you prosecute under the DMCA for incoporating
vulnerability detection of this flaw into their products. (Many
other "pro-reversing" laws allow reversing if doing so is the only
(practical) way to ensure compatibility or system inter-operation --
this should not be a defense against reversing a security
vulnerability exploit...)

> Many people can be intimidated with a lawsuit. Seems like the groups in
> particular you are concerned about aren't the ones to try threatening with
> lawyers, though.

Do you really care if you win lots of money in such a case, or just
that you win? I'm sure you'd find good lawyers who would take such
cases on a "no win no fee" basis so long as they got a sizable chunk
of ones they did win. They'd only have to win a few before you'd
made your point.

Of course, IANAL...


Regards,

Nick FitzGerald

On Thu, Jul 18, 2002 at 02:56:52PM -0600, Charles 'core' Stevenson wrote:
> Jay,
...
> That's exactly what needs to happen :)
...
> Amen.
...
> Well said! I'm not sure I really have much to say except yes yes yes!

I joined this list to see if it would serve any supplemental value to
Bugtraq and the other security-related resources out there. So far, all I
see is politics and criticism of Symantec and SecurityFocus. Am I mistaken
that this list was intended (and spammed/advertised) to be for full
disclosure security issues? If I am not mistaken, could such politics
related stuff be moved to a different list, as it seems to me that it is
politics and commercialism that you are complaining about in the first
place.

In other words, can't we just move on with it and stay on topic of the
list? Or was this list created to allow people to whine about SecurityFocus
and Symantec?

The answer to my question will assist me in my decision as to whether I
should advocate this mailing list or not.

Thanks,

--
Sean Kelly | PGP KeyID: 77042C7B
smkelly@zombie.org | http://www.zombie.org

> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be
> capricious in who you prosecute under the DMCA for incoporating
> vulnerability detection of this flaw into their products. (Many
> other "pro-reversing" laws allow reversing if doing so is the only
> (practical) way to ensure compatibility or system inter-operation --
> this should not be a defense against reversing a security
> vulnerability exploit...)


But how could you stop one from simply setting up a sniffer to "see"
what the exploit does on the network or monitor the local system to see
what is done? I am all for people releasing exploit code, I see no
reason not to, but trying to protect it is a waste of time as there are
a million ways, legal ways, around it.

Sean Kelly wrote:
> I joined this list to see if it would serve any supplemental value to
> Bugtraq and the other security-related resources out there. So far, all I
> see is politics and criticism of Symantec and SecurityFocus. Am I mistaken
> that this list was intended (and spammed/advertised) to be for full
> disclosure security issues? If I am not mistaken, could such politics
> related stuff be moved to a different list, as it seems to me that it is
> politics and commercialism that you are complaining about in the first
> place.
>
> In other words, can't we just move on with it and stay on topic of the
> list? Or was this list created to allow people to whine about SecurityFocus
> and Symantec?

That's what you get with an unmoderated list. People complain about things
and send flames. Then they complain about the complaining, and flame people
for sending flames. This is the first unmoderated list I've subscribed to
in years (out of curiosity.) There's a reason. :)

BB

> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be
> capricious in who you prosecute under the DMCA for incoporating
> vulnerability detection of this flaw into their products. (Many
> other "pro-reversing" laws allow reversing if doing so is the only
> (practical) way to ensure compatibility or system inter-operation --
> this should not be a defense against reversing a security
> vulnerability exploit...)

This and other 'Protect your code with the DMCA' ideas are interesting.
So we lock down our exploits with crappy encryption, hope someone uses
them, and sue. Hopefully we win, and we get a nice check.

And the DMCA has just been upheld in court.

We establish case law that indicates the DMCA is valid law, that
it's even supported by Open Source / Full Disclosure advocates.
Next time another Dimitry gets slapped with it, what are we going
to fall back on?

Although amusing to use the 'tools of the enemy', by using them
successfully you strengthen how they can be used against you.
I think this is a bad idea...


--
Brian Hatch Friends help you move.
Systems and Real friends help
Security Engineer you move bodies.
www.buildinglinuxvpns.net

Every message PGP signed

On Thursday, July 18, 2002 22:57, Brian Hatch wrote:

> This and other 'Protect your code with the DMCA' ideas are
interesting.
> So we lock down our exploits with crappy encryption, hope someone uses
> them, and sue. Hopefully we win, and we get a nice check.

> And the DMCA has just been upheld in court.

It does make a point about the stupidity of the DMCA, though... Win or
lose, there is victory. If you win, somebody stealing your work gets
slapped. If you lose, the DMCA is weakened.

However, I spent some time thinking about this yesterday, and I've come
to the conclusion that I *want* the "good guys" to be able to scan for
exploits. If, through my actions, I make it harder for somebody to
defend their network or whatever from attack, I don't want that. That's
the reason I think most people post vulnerabilities anyway: they want to
help the community rather than hurt it. It is just a shame that many
companies don't have the same morality, and simultaneously make it
harder
for the good guys to fight the good fight and make money off of the work
that people are freely donating. It is a problem in my opinion. I
don't
care if I don't get any credit or cash from research; that's not why I
do
it in the first place. Instead it is about giving back to a community
that has given freely to me...

-E

> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be
Ummm surely just sniffing the exploit string being sent, will reveal the
string itself in 99% of cases (remote exploits that is). Is watching the
data a program sends across a network reverse engineering??

Regards
James

On Thu, 18 Jul 2002, Jay D. Dyson wrote:

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Even if you put a copyright notice on your advisories and give permission
for non-profits to redistribute, the for-profits will just reword the
information for their database. It usually takes several days to research
and create an advisory and many hours of working with the vendor to get
them to fix it. The vuln reporter gets some street cred. The for-profit
retypes the information and probably makes a few thousand dollars PER
ADVISORY. And several for-profits are doing this.


> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

The only way to stop the leeching is to have a free vulnerability database.
There could be a site where vuln reporters could enter the information into
the database themselves. This database would always be the most up to date
and the most accurate. If there was a standardized vuln reporting format
perhaps the import to the databse could be automated. Mirroring of the
database around the world would be encouraged.

I would love VulnWatch to be able to do this. Any volunteers?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Agreed. I have struggled with the model that exists for many years. It
seems the only way to make money off of vuln information is to sell a
database and the people selling them do not pay the vulnerability
reporters for their effort. Let's face it. There would be no security
information business without all the people donating their knowledge for
free.

Of all the vuln database companies SecurityFocus has been the best at
giving back to the community and they say this won't change. Even so a
completely non-corporate and free vuln database would be something good for
the community.

-Chris


> - -Jay
>
> 1. About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
>
> ( ( _______
> )) )) .--"There's always time for a good cup of coffee"--. >====<--.
> C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) | = |-'
> `--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE9NydyGI2IHblM+8ERAnaNAKCAbUUQpAJLuGrkqxlOsflXBJm6dACgkSlH
> Y4MHjqIe6qAM28/cSenTBTA=
> =9ErK
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From the Haiku Hacker for Mr. Wysopal:

Houses
- ----------
Fat Checks Are Good Biz
They buy warm houses for March
Is yours made of glass?

>Even if you put a copyright notice on your advisories and give permission
>for non-profits to redistribute, the for-profits will just reword the
>information for their database. It usually takes several days to research
>and create an advisory and many hours of working with the vendor to get
>them to fix it. The vuln reporter gets some street cred. The for-profit
>retypes the information and probably makes a few thousand dollars PER
>ADVISORY. And several for-profits are doing this.

Or better, thousands per advisory when a consultant for a certain company shows up to audit networks. What's @stake's billable rate these days?

>The only way to stop the leeching is to have a free vulnerability database.
>There could be a site where vuln reporters could enter the information into
>the database themselves. This database would always be the most up to date
>and the most accurate. If there was a standardized vuln reporting format
>perhaps the import to the databse could be automated. Mirroring of the
>database around the world would be encouraged.
>
>I would love VulnWatch to be able to do this. Any volunteers?

I'll not even touch this. I could make fun of several hypocrits on this list, but like anybody in the industry that actually contributes, I have a regular job; one that doesn't involve stroking and petting my ego. KTHX.

>Agreed. I have struggled with the model that exists for many years. It
>seems the only way to make money off of vuln information is to sell a
>database and the people selling them do not pay the vulnerability
>reporters for their effort. Let's face it. There would be no security
>information business without all the people donating their knowledge for
>free.
>
>Of all the vuln database companies SecurityFocus has been the best at
>giving back to the community and they say this won't change. Even so a
>completely non-corporate and free vuln database would be something good for
>the community.

Ok. I've been a passive observer on this list since receiving an unsoliticed email from the purveyors. I must admit, this has been one of the most educational experiences I've had in my time in this industry. Look at some of the names here: Jay Dyson, Steve Manzuik, Chris Wysopal, KF, Blue Boar, Len Rose. Notable hackers.

Now, it's time to cut the shit.

First and foremost, let me say this list is complete dogshit. I'd like to go on the record with my opinion being that moderated mailing lists are a good thing. It keeps all the fucking whining to a minimum. You think I actually care that your information is being resold? No! I just want the information, delivery medium negotiable. I could give a fat rats ass if you get credit, either. That's one thing I can say for any vulnerability database; at least I don't have to listen to a bunch of punkasses and their incessant boohooing; instead, I get just the pertinent information. At the end of the day, I don't give a fuck who you are, or how great you think you are; I care that my systems are secure, and that's the bottom line.

Second, I've been amazed at what big fucking morons the "esteemed hackers" in the community are. Especially Chris and Jay. Wow! I thought you guys were really intelligent, and to some extent, had a moderate amount of respect for you two. The only thing I've seen from any of you at this point is hidden agenda. You guys are truely disgusting. You guys set the bar for low. Proof that nothing is ever what it seems.

Third, I can't believe that not a single one of you dickless, amoebic, mental-myopics has even BOTHERED to look at the other people in this "industry" that are regularly exploited, and use the information we supply for the sake of creating something for the common good. The first person that comes to mind is Renaud Deraison. Yeah, you guys are fucking brilliant, right? Make the information copyrighted, so he can't continue to work on a FREE project continually exploited, and at least try to sell support so he can pay the fucking rent? Jesus.

And let's not even talk about Marty Roesch. If there's another person that knows something about giving heart and soul to a project, and continually getting exploited, he's our man. He runs a great project, and I'll bet not a single one of you whining bitches hasn't used it, and if you consult, haven't provided it as a "solution" that you charged some company billable hours for. So now you want to take the information that he needs as well, and restrict him from it? Looks to me like he's finally getting his company off the ground, and you guys want to fuck him now too?

I can't believe the amount of fucking "idealists" we have here that think they know how to fix the fucking world by fucking the people that actually do some good in it. Fuck each and every one of you. I can only hope that one day, you finally dislodge your head from your ass and realize the ramifications of your self-serving agenda. I have my doubts about it happening, though.

Furthermore, I'm thankful to see that people like Chris and Jay have actually come out of the closet to show what fucking miserable, narcissistic, ugly people they really are. It's high-time that we finally get an idea of the wheat and chaff in this industry, and seperate them. I still nearly fall off my chair with laughter when I visualize Chris sucking up to MS, and trying to push the "responsible disclosure" agenda while moderating an allegedly "full disclosure" list, and posting to others. You're a man of many faces, Chris, all of them in twos. I'll not even pick on Jay; I really feel pity on him.

haiku
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wloEARECABoFAj04VL4THGhhaWt1QGh1c2htYWlsLmNvbQAKCRDCt+udg2XXBxmvAKCQ
Jnp8MzKRvrMZQd6HqG4L+BrtjACfebxiRLkqjo6hCOzXri1xbmLoqdg=
=ANWm
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

> Houses
> - ----------
> Fat Checks Are Good Biz
> They buy warm houses for March
> Is yours made of glass?

OK, so now the idiots who don't have the necessary social skills to get
paying jobs start tossing rocks at those who work for a living. Yeah, fat
checks are a good biz you are damn right, and what is wrong with that? If
you are good at something, go get a job doing that which you are good at.
How can you fault someone for that? Weld Pond has contributed more to the
security industry in general than half the fucks on this list INCLUDING
ME! It is no surprise that his skill are in demand, do you expect him to
flip burgers for a living?

I have had my shares of run-ins with the guys at Security Focus but do you
think I fault them for getting $75million. Shit no, I hope after the VCs
are done with them that Al and the crew each put a million or so in their
pocket. I may not agree with everything SF has done or is going to do but
that is their choice and you can't fault them for making money.


> Or better, thousands per advisory when a consultant for a certain company shows up to audit networks. What's @stake's billable rate these days?

The difference here is that the consultant you are talking about in this
case WROTE THE FUCKING ADVISORY. Stop bitching and start contributing.
Why is everyone so against security consultants that have a clue? Whats a
matter your script kiddie tools aren't as effective anymore? Jealous that
you just can't seem to make a big discovery yourself? (heh, I know I am)

What we should be bitching about are the moronic (usually big 5)
consulting companies that have no clue and rely on FUD and commercial
products to do their work for them.

> I'll not even touch this. I could make fun of several hypocrits on this
> list, but like anybody in the industry that actually contributes, I have
> a regular job; one that doesn't involve stroking and petting my ego.


What does wanting to contribute a free vulnerability database have to do
with petting ones ego? This is about keeping the information free and
helping EVERYONE in the industry. Oh yeah, I forgot, this means that
people might actually start patching boxes making your s'kiddiot tools not
work. This in-fighting and finger pointing is complete bullshit gweeds
style. Why not work together for a common good?

> Now, it's time to cut the shit.

I agree.

> First and foremost, let me say this list is complete dogshit. I'd
> like to go on the record with my opinion being that moderated mailing
> lists are a good thing. It keeps all the fucking whining to a minimum.

Again, I agree, moderation prevents abuse. But, moderation also makes
certain people whine that they are being censored.....blah..cry me a
river.

> Second, I've been amazed at what big fucking morons the "esteemed hackers"
> in the community are. Especially Chris and Jay.
> Wow! I thought you guys were really intelligent, and to some extent,
> The only thing I've seen from any of you at this point is hidden agenda.
> You guys are truely disgusting. You guys set the bar for low. Proof
> that nothing is ever what it seems.

Explain what you feel this hidden agenda is? I consider both Jay and
Chris to not only be true hackers but to also be friends. So other than a
bit of common sense what is the hidden agenda?

> And let's not even talk about Marty Roesch. If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man. He runs a great project,

If anything, ALL of us should be writing and contributing more NEssuss
signatures for stuff.

> Furthermore, I'm thankful to see that people like Chris and Jay have
> actually come out of the closet to show what fucking miserable,
> narcissistic, ugly people they really are. It's high-time that we
> finally get an idea of the wheat and chaff in this industry, and
> seperate them. I still nearly fall off my chair with laughter when
> I visualize Chris sucking up to MS, and trying to push the
> "responsible disclosure" agenda while moderating an allegedly
> "full disclosure" list, and posting to others. You're a man of
> many faces, Chris, all of them in twos. I'll not even pick on Jay;
> I really feel pity on him.

Now this is a load of shit. Responsible Full Disclosure means working
with a vendor to get something fixed and then releasing and advisory - NOT
blindsiding a vendor with one days notice or no notice at all. What is
wrong with Chris, a moderator of VulnWatch, getting invovled in the whole
responsible full disclosure thing? I would rather have him involved
because he has a clue than some moron like Russ Cooper or even worse the
MS people alone.

As for VulnWatch -- vulnwatch is full disclosure a post has never been
rejected based on the status of a vendor. Yeah, they encourage people to
work with vendors but they don't force it. I KNOW THIS FOR A FACT!

Its time for the so called community to put up or shut up.


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

On Fri, 19 Jul 2002 haiku@hushmail.com wrote:

> Or better, thousands per advisory when a consultant for a certain
> company shows up to audit networks. What's @stake's billable rate
> these days?

As a consulting company that publishes vulnerability information and tools,
we contribute to the pool that we drink out of.

> First and foremost, let me say this list is complete dogshit. I'd like
> to go on the record with my opinion being that moderated mailing lists
> are a good thing. It keeps all the fucking whining to a minimum. You
> think I actually care that your information is being resold? No! I
> just want the information, delivery medium negotiable. I could give a
> fat rats ass if you get credit, either. That's one thing I can say for
> any vulnerability database; at least I don't have to listen to a bunch
> of punkasses and their incessant boohooing; instead, I get just the
> pertinent information. At the end of the day, I don't give a fuck who
> you are, or how great you think you are; I care that my systems are
> secure, and that's the bottom line.
>

So would you use a non-profit database that was populated by the
vulnerability reporters themselves? That is what I am proposing.


> Second, I've been amazed at what big fucking morons the "esteemed
> hackers" in the community are. Especially Chris and Jay. Wow! I
> thought you guys were really intelligent, and to some extent, had a
> moderate amount of respect for you two. The only thing I've seen from
> any of you at this point is hidden agenda. You guys are truely
> disgusting. You guys set the bar for low. Proof that nothing is ever
> what it seems.

For wanting a public vulnerability database? This is what the security
community is currently missing in a public and open format. There are open
source NIDS, vuln scanners, and other security tools. There are public
security mailing lists. There is a public vuln dictionary, CVE. But there
is no public vuln database. Why is everything else good to have
non-commercial alternatives for except a vuln database? The open source
tools could tie into it.

>
> supply for the sake of creating something for the common good. The
> first person that comes to mind is Renaud Deraison. Yeah, you guys are
> fucking brilliant, right? Make the information copyrighted, so he
> can't continue to work on a FREE project continually exploited, and at
> least try to sell support so he can pay the fucking rent? Jesus.

I certainly didn't mention restricting information. A public vulnerability
database would require the information to be open so that it could be in
the database.

> And let's not even talk about Marty Roesch. If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man. He runs a great project,
> and I'll bet not a single one of you whining bitches hasn't used it,
> and if you consult, haven't provided it as a "solution" that you
> charged some company billable hours for. So now you want to take the
> information that he needs as well, and restrict him from it? Looks to
> me like he's finally getting his company off the ground, and you guys
> want to fuck him now too?

@stake employees have contributed to the Snort project. I actually was
using Snort earlier today on a product pen test. It's great. Marty has
created something wonderful. A public vulnerability database would enhance
Snort not hurt it. We don't really do implementation work but we have
recommended to some of our customers that they install Snort.

> seperate them. I still nearly fall off my chair with laughter when I
> visualize Chris sucking up to MS, and trying to push the "responsible
> disclosure" agenda while moderating an allegedly "full disclosure"
> list, and posting to others. You're a man of many faces, Chris, all of
> them in twos. I'll not even pick on Jay; I really feel pity on him.

You can support the First Amendment and still limit what you personally say
and write. I choose not to be vulgar in my list postings and I might even
advocate for others to not be vulgar but I would never want to ban that
langauge. I think it is a benfit to security if people can patch their
boxes before exploits are written. Nothing is a single bullet solution but
I think that certain disclosure practices can help make this happen.
Obviously a lot has to be done better on the vendor side. So while
advocating for people to follow certain disclosure practices I still don't
think there should be a law restricting free speech. Once someone has
chosen to publish information they are going to publish it. It is better
for the community that VulnWatch approve these messages so that everyone
can get the information at the same time.

-Chris



> haiku
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wloEARECABoFAj04VL4THGhhaWt1QGh1c2htYWlsLmNvbQAKCRDCt+udg2XXBxmvAKCQ
> Jnp8MzKRvrMZQd6HqG4L+BrtjACfebxiRLkqjo6hCOzXri1xbmLoqdg=
> =ANWm
> -----END PGP SIGNATURE-----
>
>
> Communicate in total privacy.
> Get your free encrypted email at https://www.hushmail.com/?l=2
>
> Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>