Mailing List Archive

Symantec Buys SecurityFocus, among others....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI

Symantec to Acquire SecurityFocus

Offers Most Complete Security Early Warning System Available

CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today announced the acquisition of SecurityFocus for approximately US$75 million in cash. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats. The transaction is expected to close by early to mid-August 2002.

"SecurityFocus has established the most respected security community and developed one of the leading early warning systems for customers around the world," said John W. Thompson, Symantec chairman and chief executive officer. "This acquisition will broaden Symantec's leadership in Internet security response with the addition of the world's first global threat management system, the most complete vulnerability database and customizable alert services."

"We have developed our global threat management systems to provide customers with timely and actionable information relevant to their individual networks," said Arthur Wong, SecurityFocus co-founder and chief executive officer. "Combined with Symantec's world-class antivirus expertise, industry-leading intrusion detection solutions and back-end infrastructure, we can rapidly deploy the most comprehensive threat management solutions to our global customers worldwide."

SecurityFocus has developed the world's most comprehensive and up-to-date database of vulnerabilities available. Symantec will continue to license the Vulnerability Database to security product vendors, managed service providers and other organizations that use it to create powerful new security products and services for their customers.

In addition, Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand. It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches.

Symantec will also leverage the DeepSight line of global threat management solutions. The DeepSight Threat Management System provides early warning of attacks along with specific threat and patch information allowing companies to proactively protect their networks. More than 15,000 partners in more than 175 countries are registered to automatically provide a constant stream of security data that is correlated and analyzed to identify active attacks.

DeepSight Analyzer gives IT professionals the ability to track and manage incidents on their own networks by automatically correlating attacks from a multitude of intrusion detection solutions. The product manages threats by comparing incidents on their network against the Vulnerability Database, tracking attacks to resolution and generating statistical incident reports. Using information about suspicious network traffic and intrusions submitted by anonymous users, SecurityFocus identifies patterns in attacks that help serve as a threat-gauging system for the Internet community.

By monitoring almost 11,000 distinct versions of more than 2,700 products from 1,300 vendors, SecurityFocus provides proactive, customized alert services for environment-specific vulnerabilities and malicious code alerts. DeepSight Alert Services can be configured to ensure that customers receive only alerts that are relevant to their networks, enabling them to deploy patches or work-arounds before vulnerabilities can be exploited.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmEEARECACEFAj011XAaHHNlY3VyaXR5Z3VydUBodXNobWFpbC5jb20ACgkQns+IF5jR
p67CuACgr7I8ULyDUiIpD59Td9t8FZSw17wAoIbpaURMGZ7PBkZtnQ0Yxub/W0hW
=LmOt
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
Re: Symantec Buys SecurityFocus, among others....
I hate to say this guys but with all due respect:

I told you so!

Steve Manzuik
Moderator - VulnWatch
www.vulnwatch.org


----- Original Message -----
From: "Charles 'core' Stevenson" <core@bokeoa.com>
To: <full-disclosure@lists.netsys.com>
Sent: Wednesday, July 17, 2002 3:07 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....


> Isn't it great how the community is so nice in supporting the
> exploitation and misuse of proprietary exploit source code to further
> the large companies for-profit endeavours?
>
> peace,
> core
>
> securityguru@hushmail.com wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > FYI
> >
> > Symantec to Acquire SecurityFocus
> >
> > Offers Most Complete Security Early Warning System Available
> >
> > CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today announced the acquisition of SecurityFocus for approximately US$75 million in cash. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats. The transaction is expected to close by early to mid-August 2002.
> >
> > "SecurityFocus has established the most respected security community and developed one of the leading early warning systems for customers around the world," said John W. Thompson, Symantec chairman and chief executive officer. "This acquisition will broaden Symantec's leadership in Internet security response with the addition of the world's first global threat management system, the most complete vulnerability database and customizable alert services."
> >
> > "We have developed our global threat management systems to provide customers with timely and actionable information relevant to their individual networks," said Arthur Wong, SecurityFocus co-founder and chief executive officer. "Combined with Symantec's world-class antivirus expertise, industry-leading intrusion detection solutions and back-end infrastructure, we can rapidly deploy the most comprehensive threat management solutions to our global customers worldwide."
> >
> > SecurityFocus has developed the world's most comprehensive and up-to-date database of vulnerabilities available. Symantec will continue to license the Vulnerability Database to security product vendors, managed service providers and other organizations that use it to create powerful new security products and services for their customers.
> >
> > In addition, Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand. It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches.
> >
> > Symantec will also leverage the DeepSight line of global threat management solutions. The DeepSight Threat Management System provides early warning of attacks along with specific threat and patch information allowing companies to proactively protect their networks. More than 15,000 partners in more than 175 countries are registered to automatically provide a constant stream of security data that is correlated and analyzed to identify active attacks.
> >
> > DeepSight Analyzer gives IT professionals the ability to track and manage incidents on their own networks by automatically correlating attacks from a multitude of intrusion detection solutions. The product manages threats by comparing incidents on their network against the Vulnerability Database, tracking attacks to resolution and generating statistical incident reports. Using information about suspicious network traffic and intrusions submitted by anonymous users, SecurityFocus identifies patterns in attacks that help serve as a threat-gauging system for the Internet community.
> >
> > By monitoring almost 11,000 distinct versions of more than 2,700 products from 1,300 vendors, SecurityFocus provides proactive, customized alert services for environment-specific vulnerabilities and malicious code alerts. DeepSight Alert Services can be configured to ensure that customers receive only alerts that are relevant to their networks, enabling them to deploy patches or work-arounds before vulnerabilities can be exploited.
> > -----BEGIN PGP SIGNATURE-----
> > Version: Hush 2.1
> > Note: This signature can be verified at https://www.hushtools.com
> >
> > wmEEARECACEFAj011XAaHHNlY3VyaXR5Z3VydUBodXNobWFpbC5jb20ACgkQns+IF5jR
> > p67CuACgr7I8ULyDUiIpD59Td9t8FZSw17wAoIbpaURMGZ7PBkZtnQ0Yxub/W0hW
> > =LmOt
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Full-Disclosure@lists.netsys.com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> >
> >
Re: Symantec Buys SecurityFocus, among others....
Isn't it great how the community is so nice in supporting the
exploitation and misuse of proprietary exploit source code to further
the large companies for-profit endeavours?

peace,
core

securityguru@hushmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> FYI
>
> Symantec to Acquire SecurityFocus
>
> Offers Most Complete Security Early Warning System Available
>
> CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today announced the acquisition of SecurityFocus for approximately US$75 million in cash. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats. The transaction is expected to close by early to mid-August 2002.
>
> "SecurityFocus has established the most respected security community and developed one of the leading early warning systems for customers around the world," said John W. Thompson, Symantec chairman and chief executive officer. "This acquisition will broaden Symantec's leadership in Internet security response with the addition of the world's first global threat management system, the most complete vulnerability database and customizable alert services."
>
> "We have developed our global threat management systems to provide customers with timely and actionable information relevant to their individual networks," said Arthur Wong, SecurityFocus co-founder and chief executive officer. "Combined with Symantec's world-class antivirus expertise, industry-leading intrusion detection solutions and back-end infrastructure, we can rapidly deploy the most comprehensive threat management solutions to our global customers worldwide."
>
> SecurityFocus has developed the world's most comprehensive and up-to-date database of vulnerabilities available. Symantec will continue to license the Vulnerability Database to security product vendors, managed service providers and other organizations that use it to create powerful new security products and services for their customers.
>
> In addition, Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand. It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches.
>
> Symantec will also leverage the DeepSight line of global threat management solutions. The DeepSight Threat Management System provides early warning of attacks along with specific threat and patch information allowing companies to proactively protect their networks. More than 15,000 partners in more than 175 countries are registered to automatically provide a constant stream of security data that is correlated and analyzed to identify active attacks.
>
> DeepSight Analyzer gives IT professionals the ability to track and manage incidents on their own networks by automatically correlating attacks from a multitude of intrusion detection solutions. The product manages threats by comparing incidents on their network against the Vulnerability Database, tracking attacks to resolution and generating statistical incident reports. Using information about suspicious network traffic and intrusions submitted by anonymous users, SecurityFocus identifies patterns in attacks that help serve as a threat-gauging system for the Internet community.
>
> By monitoring almost 11,000 distinct versions of more than 2,700 products from 1,300 vendors, SecurityFocus provides proactive, customized alert services for environment-specific vulnerabilities and malicious code alerts. DeepSight Alert Services can be configured to ensure that customers receive only alerts that are relevant to their networks, enabling them to deploy patches or work-arounds before vulnerabilities can be exploited.
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wmEEARECACEFAj011XAaHHNlY3VyaXR5Z3VydUBodXNobWFpbC5jb20ACgkQns+IF5jR
> p67CuACgr7I8ULyDUiIpD59Td9t8FZSw17wAoIbpaURMGZ7PBkZtnQ0Yxub/W0hW
> =LmOt
> -----END PGP SIGNATURE-----
Re: Symantec Buys SecurityFocus, among others....
Jay,

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

That's exactly what needs to happen :)

> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

Amen.

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Well said! I'm not sure I really have much to say except yes yes yes!

peace,
core

> - -Jay
>
> 1. About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
>
> ( ( _______
> )) )) .--"There's always time for a good cup of coffee"--. >====<--.
> C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) | = |-'
> `--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE9NydyGI2IHblM+8ERAnaNAKCAbUUQpAJLuGrkqxlOsflXBJm6dACgkSlH
> Y4MHjqIe6qAM28/cSenTBTA=
> =9ErK
> -----END PGP SIGNATURE-----
RE: Symantec Buys SecurityFocus, among others....
On Thursday, July 18, 2002 16:39, Jay D. Dyson [mailto:jdyson@treachery.net] wrote:

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Allow me to recommend the use of a trivial encryption algorithm to protect
exploits and advisories such that any for-profit company must circumvent
it in order to use it for their own purposes. Perhaps distribute advisories
with the "do not copy" flag set on a .pdf. This would give DMCA protection
to the copyright and allow researchers to sue if their "protection measures"
are circumvented by companies looking to make money off of the research.

-E
Re: Symantec Buys SecurityFocus, among others....
----- Original Message -----
From: "Jay D. Dyson" <jdyson@treachery.net>
To: <full-disclosure@lists.netsys.com>
Sent: Thursday, July 18, 2002 9:39 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

[snip]

> Indeed. And many of us did see this coming...yet few did anything
> about it. Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

[snip]

I'm also wondering what will happen to the pretty extensive vulnerability
database et al.?
Pay per sploit?
;-)

Cheers,
JJ
RE: Symantec Buys SecurityFocus, among others....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Jul 2002, Ed Moyle wrote:
> Allow me to recommend the use of a trivial encryption algorithm to protect
> exploits and advisories such that any for-profit company must circumvent
> it in order to use it for their own purposes. Perhaps distribute advisories
> with the "do not copy" flag set on a .pdf. This would give DMCA protection
> to the copyright and allow researchers to sue if their "protection measures"
> are circumvented by companies looking to make money off of the research.

That sounds good in theory, but in practice any sizable company would
devour us, regardless of what the law says. The law is immaterial next to
money.

- --
Mark Earnest
~~~~~~~~~~~~
Senior Systems Programmer
ASET/Emerging Technologies
Penn State University

Email: mxe20@psu.edu
Office Phone: 814-863-2064
Public Key - http://mearnest.oas.psu.edu/gpgkey.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE9Nzn2XIT9wt3I2GMRAkfLAKCk+7MZSbTBqL405BLf8DH1z57BQACeOXWH
JlJ+OmrHRuQz1KN84jiF0fE=
=LjdH
-----END PGP SIGNATURE-----
Re: Symantec Buys SecurityFocus, among others....
Jay D. Dyson wrote:
> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Interesting concept. How do you propose to copyright an idea? You can
decline to let someone mirror your exploit or advisory verbatim, but
there's nothing you can do to keep someone from reporting about a
vulnerability.

BB
Re: Symantec Buys SecurityFocus, among others....
thus spoke Ed Moyle <emoyle@scsnet.csc.com> [2002.07.18.2313 +0200]:
> Allow me to recommend the use of a trivial encryption algorithm to protect
> exploits and advisories such that any for-profit company must circumvent
> it in order to use it for their own purposes. Perhaps distribute advisories
> with the "do not copy" flag set on a .pdf. This would give DMCA protection
> to the copyright and allow researchers to sue if their "protection measures"
> are circumvented by companies looking to make money off of the research.

Say Symantec were to use such a document, one that I created in the
sweat of my singletude. Do you think I'd have *any* chance of claiming
my rights???

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

1-800-psych: hello, welcome to the psychiatric hotline.
if you have multiple personalities, please press 3, 4, 5 and 6.
Re: Symantec Buys SecurityFocus, among others....
thus spoke Jay D. Dyson <jdyson@treachery.net> [2002.07.18.2239 +0200]:
> Indeed. And many of us did see this coming...yet few did anything
> about it. Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

How many people are we by now?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Right on. Let's just stick to this forum and not use Bugtraq anymore.
Or make your vulnerabilities available here 2 days before you post to
bugtraq (moderation only takes a day).

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

if you don't understand or are scared by any of
the above ask your parents or an adult to help you.
Re: Symantec Buys SecurityFocus, among others....
thus spoke Nexus <nexus@patrol.i-way.co.uk> [2002.07.18.2325 +0200]:
> I'm also wondering what will happen to the pretty extensive vulnerability
> database et al ?

Is there anyone with the capabilities to extract a mirror?
(I'd notify webmaster@ before doing so...)

I can't provide the bandwidth or server space, unfortunately...

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

you're in college. you've made a mistake.
RE: Symantec Buys SecurityFocus, among others....
What about publishing and copyrighting the exploit? It's more legal
ammo to go after whoever uses it for malicious purposes.

Of course this doesn't *stop* the use of the exploit (discourages
perhaps?), it just increases the penalties when one gets caught using
it.


-Eric


On Thu, 18 Jul 2002, Blue Boar wrote:

> > Perhaps the best way to beat these cash hounds at their own game
> > is to start using a strictly not-for-profit licensing on all released
> > advisories and proof-of-concept code which stipulates that for-profit
> > companies may not use said information in any way.
>
> Interesting concept. How do you propose to copyright an idea?

The idea cannot be copyrighted[1], but the code (which includes
the exploit methodology) can be copyrighted with all the cursory terms
and conditions for use.


> You can decline to let someone mirror your exploit or advisory verbatim,
> but there's nothing you can do to keep someone from reporting about a
> vulnerability.

Sure you can...especially under the auspices of the DMCA. Hell,
when you get down to it, all we need is one wild-eyed lawyer[2] on our
side who'll toss a flurry of lawsuits and we'll pretty much have the
corporate security firms by the short-and-curlies.

All kidding aside, I like the notion of encrypting the data and
putting stipulations on the decryption. Seems rather like poetic justice
to me. Call it the Sklyarov cipher...

- -Jay

1. Ideas, names and phrases can be trademarked, however.

2. Maybe one with experience via the Church of Scientology, or the one
who brought us McDonald's coffee cups that now read "Allow to cool
before applying to genitals"...

( ( _______
)) )) .--"There's always time for a good cup of coffee"--. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) | = |-'
`--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE9N0pAGI2IHblM+8ERAlAnAJ9AbZ/g4I5cPUL3KogHYDjQK5p4VgCeN1pY
Q9sVUOYHOhysxYYetRqAzCo=
=+6qq
-----END PGP SIGNATURE-----
Re: Symantec Buys SecurityFocus, among others....
On Fri, Jul 19, 2002 at 12:52:23AM +0200, martin f krafft wrote:
> Is there anyone with the capabilities to extract a mirror?
> (I'd notify webmaster@ before doing so...)

A friend of mine already mirrored it. I'm not sure as to how well it
turned out since I haven't had a chance to look at it yet, but it
appears that everything is there.

A dump of whatever database it's in would be a much nicer method
of doing this.

> I can't provide the bandwidth or server space, unfortunately...

I can provide both the bandwidth and server space, but what would
the legal issues be with mirroring it? My lawyer won't even offer
any advice on this one.

Suggestions/advice anyone?

gdd@siliconinc.net
Re: Symantec Buys SecurityFocus, among others....
Jay D. Dyson wrote:
> The idea cannot be copyrighted[1], but the code (which includes
> the exploit methodology) can be copyrighted with all the cursory terms
> and conditions for use.

You can't copyright an algorithm, only an implementation. You need a
patent to protect an algorithm. Good luck patenting buffer overflows.

>>You can decline to let someone mirror your exploit or advisory verbatim,
>>but there's nothing you can do to keep someone from reporting about a
>>vulnerability.
> Sure you can...especially under the auspices of the DMCA. Hell,
> when you get down to it, all we need is one wild-eyed lawyer[2] on our
> side who'll toss a flurry of lawsuits and we'll pretty much have the
> corporate security firms by the short-and-curlies.

You think you can stop a news agency from reporting that there is a
vulnerability in product X, that works like Y and Z? I think you'll find
you're mistaken. I'd love to see it play out, though.

> 1. Ideas, names and phrases can be trademarked, however.

Not ideas. Names, yes.. but that just means someone has to call their
version of the exploit something different. And trademarks are expensive
to obtain and defend.

>
> 2. Maybe one with experience via the Church of Scientology, or the one
> who brought us McDonald's coffee cups that now read "Allow to cool
> before applying to genitals"...

Many people can be intimidated with a lawsuit. Seems like the groups in
particular you are concerned about aren't the ones to try threatening with
lawyers, though.

BB
Re: Symantec Buys SecurityFocus, among others.
Blue Boar replied to Jay D. Dyson:

> > The idea cannot be copyrighted[1], but the code (which includes
> > the exploit methodology) can be copyrighted with all the cursory terms
> > and conditions for use.
>
> You can't copyright an algorithm, only an implementation. You need a
> patent to protect an algorithm. Good luck patenting buffer overflows.
>
> >>You can decline to let someone mirror your exploit or advisory verbatim,
> >>but there's nothing you can do to keep someone from reporting about a
> >>vulnerability.
> > Sure you can...especially under the auspices of the DMCA. Hell,
> > when you get down to it, all we need is one wild-eyed lawyer[2] on our
> > side who'll toss a flurry of lawsuits and we'll pretty much have the
> > corporate security firms by the short-and-curlies.
>
> You think you can stop a news agency from reporting that there is a
> vulnerability in product X, that works like Y and Z? I think you'll find
> you're mistaken. I'd love to see it play out, though.
>
> > 1. Ideas, names and phrases can be trademarked, however.
>
> Not ideas. Names, yes.. but that just means someone has to call their
> version of the exploit something different. And trademarks are expensive
> to obtain and defend.

Release exploits with the vaguest of descriptions as to how they work
(lost for examples -- just copy'n'paste the "technical bits" of some
of the security bulletins from MS...). Have the _only_ PoC code a
compiled binary loaded with copyright notices forbidding reversing,
etc. Be sure to use some "encryption" (extremely trivial is OK as
complexity doesn't matter; can you say XOR?) in the PoC to "protect"
the important secret (generally the overflow "string" itself). Be
capricious in who you prosecute under the DMCA for incorporating
vulnerability detection of this flaw into their products. (Many
other "pro-reversing" laws allow reversing if doing so is the only
(practical) way to ensure compatibility or system inter-operation --
this should not be a defense against reversing a security
vulnerability exploit...)

> Many people can be intimidated with a lawsuit. Seems like the groups in
> particular you are concerned about aren't the ones to try threatening with
> lawyers, though.

Do you really care if you win lots of money in such a case, or just
that you win? I'm sure you'd find good lawyers who would take such
cases on a "no win no fee" basis so long as they got a sizable chunk
of ones they did win. They'd only have to win a few before you'd
made your point.

Of course, IANAL...


Regards,

Nick FitzGerald
Re: Symantec Buys SecurityFocus, among others....
On Thu, Jul 18, 2002 at 02:56:52PM -0600, Charles 'core' Stevenson wrote:
> Jay,
...
> That's exactly what needs to happen :)
...
> Amen.
...
> Well said! I'm not sure I really have much to say except yes yes yes!

I joined this list to see if it would serve any supplemental value to
Bugtraq and the other security-related resources out there. So far, all I
see is politics and criticism of Symantec and SecurityFocus. Am I mistaken
that this list was intended (and spammed/advertised) to be for full
disclosure security issues? If I am not mistaken, could such politics
related stuff be moved to a different list, as it seems to me that it is
politics and commercialism that you are complaining about in the first
place.

In other words, can't we just move on with it and stay on topic of the
list? Or was this list created to allow people to whine about SecurityFocus
and Symantec?

The answer to my question will assist me in my decision as to whether I
should advocate this mailing list or not.

Thanks,

--
Sean Kelly | PGP KeyID: 77042C7B
smkelly@zombie.org | http://www.zombie.org
RE: Symantec Buys SecurityFocus, among others.
> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be
> capricious in who you prosecute under the DMCA for incorporating
> vulnerability detection of this flaw into their products. (Many
> other "pro-reversing" laws allow reversing if doing so is the only
> (practical) way to ensure compatibility or system inter-operation --
> this should not be a defense against reversing a security
> vulnerability exploit...)


But how could you stop one from simply setting up a sniffer to "see"
what the exploit does on the network or monitor the local system to see
what is done? I am all for people releasing exploit code, I see no
reason not to, but trying to protect it is a waste of time as there are
a million ways, legal ways, around it.
Re: Symantec Buys SecurityFocus, among others....
Sean Kelly wrote:
> I joined this list to see if it would serve any supplemental value to
> Bugtraq and the other security-related resources out there. So far, all I
> see is politics and criticism of Symantec and SecurityFocus. Am I mistaken
> that this list was intended (and spammed/advertised) to be for full
> disclosure security issues? If I am not mistaken, could such politics
> related stuff be moved to a different list, as it seems to me that it is
> politics and commercialism that you are complaining about in the first
> place.
>
> In other words, can't we just move on with it and stay on topic of the
> list? Or was this list created to allow people to whine about SecurityFocus
> and Symantec?

That's what you get with an unmoderated list. People complain about things
and send flames. Then they complain about the complaining, and flame people
for sending flames. This is the first unmoderated list I've subscribed to
in years (out of curiosity.) There's a reason. :)

BB
Re: Symantec Buys SecurityFocus, among others. [ In reply to ]
> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be
> capricious in who you prosecute under the DMCA for incorporating
> vulnerability detection of this flaw into their products. (Many
> other "pro-reversing" laws allow reversing if doing so is the only
> (practical) way to ensure compatibility or system inter-operation --
> this should not be a defense against reversing a security
> vulnerability exploit...)

This and other 'Protect your code with the DMCA' ideas are interesting.
So we lock down our exploits with crappy encryption, hope someone uses
them, and sue. Hopefully we win, and we get a nice check.

And the DMCA has just been upheld in court.

We establish case law that indicates the DMCA is valid law, that
it's even supported by Open Source / Full Disclosure advocates.
Next time another Dimitry gets slapped with it, what are we going
to fall back on?

Although amusing to use the 'tools of the enemy', by using them
successfully you strengthen how they can be used against you.
I think this is a bad idea...


--
Brian Hatch, Systems and Security Engineer
www.buildinglinuxvpns.net

"Friends help you move. Real friends help you move bodies."

Every message PGP signed
RE: Symantec Buys SecurityFocus, among others. [ In reply to ]
On Thursday, July 18, 2002 22:57, Brian Hatch wrote:

> This and other 'Protect your code with the DMCA' ideas are interesting.
> So we lock down our exploits with crappy encryption, hope someone uses
> them, and sue. Hopefully we win, and we get a nice check.

> And the DMCA has just been upheld in court.

It does make a point about the stupidity of the DMCA, though... Win or
lose, there is victory. If you win, somebody stealing your work gets
slapped. If you lose, the DMCA is weakened.

However, I spent some time thinking about this yesterday, and I've come
to the conclusion that I *want* the "good guys" to be able to scan for
exploits. If, through my actions, I make it harder for somebody to
defend their network or whatever from attack, I don't want that. That's
the reason I think most people post vulnerabilities anyway: they want to
help the community rather than hurt it. It is just a shame that many
companies don't have the same morality, and simultaneously make it harder
for the good guys to fight the good fight and make money off of the work
that people are freely donating. It is a problem in my opinion. I don't
care if I don't get any credit or cash from research; that's not why I do
it in the first place. Instead it is about giving back to a community
that has given freely to me...

-E
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be

Ummm surely just sniffing the exploit string being sent will reveal the
string itself in 99% of cases (remote exploits that is). Is watching the
data a program sends across a network reverse engineering??

Regards
James
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
On Thu, 18 Jul 2002, Jay D. Dyson wrote:

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Even if you put a copyright notice on your advisories and give permission
for non-profits to redistribute, the for-profits will just reword the
information for their database. It usually takes several days to research
and create an advisory and many hours of working with the vendor to get
them to fix it. The vuln reporter gets some street cred. The for-profit
retypes the information and probably makes a few thousand dollars PER
ADVISORY. And several for-profits are doing this.


> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

The only way to stop the leeching is to have a free vulnerability database.
There could be a site where vuln reporters could enter the information into
the database themselves. This database would always be the most up to date
and the most accurate. If there was a standardized vuln reporting format
perhaps the import to the database could be automated. Mirroring of the
database around the world would be encouraged.

I would love VulnWatch to be able to do this. Any volunteers?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Agreed. I have struggled with the model that exists for many years. It
seems the only way to make money off of vuln information is to sell a
database and the people selling them do not pay the vulnerability
reporters for their effort. Let's face it. There would be no security
information business without all the people donating their knowledge for
free.

Of all the vuln database companies SecurityFocus has been the best at
giving back to the community and they say this won't change. Even so a
completely non-corporate and free vuln database would be something good for
the community.

-Chris


> - -Jay
>
> 1. About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
From the Haiku Hacker for Mr. Wysopal:

Houses
----------
Fat Checks Are Good Biz
They buy warm houses for March
Is yours made of glass?

>Even if you put a copyright notice on your advisories and give permission
>for non-profits to redistribute, the for-profits will just reword the
>information for their database. It usually takes several days to research
>and create an advisory and many hours of working with the vendor to get
>them to fix it. The vuln reporter gets some street cred. The for-profit
>retypes the information and probably makes a few thousand dollars PER
>ADVISORY. And several for-profits are doing this.

Or better, thousands per advisory when a consultant for a certain company shows up to audit networks. What's @stake's billable rate these days?

>The only way to stop the leeching is to have a free vulnerability database.
>There could be a site where vuln reporters could enter the information into
>the database themselves. This database would always be the most up to date
>and the most accurate. If there was a standardized vuln reporting format
>perhaps the import to the databse could be automated. Mirroring of the
>database around the world would be encouraged.
>
>I would love VulnWatch to be able to do this. Any volunteers?

I'll not even touch this. I could make fun of several hypocrites on this list, but like anybody in the industry that actually contributes, I have a regular job; one that doesn't involve stroking and petting my ego. KTHX.

>Agreed. I have struggled with the model that exists for many years. It
>seems the only way to make money off of vuln information is to sell a
>database and the people selling them do not pay the vulnerability
>reporters for their effort. Let's face it. There would be no security
>information business without all the people donating their knowledge for
>free.
>
>Of all the vuln database companies SecurityFocus has been the best at
>giving back to the community and they say this won't change. Even so a
>completely non-corporate and free vuln database would be something good for
>the community.

Ok. I've been a passive observer on this list since receiving an unsolicited email from the purveyors. I must admit, this has been one of the most educational experiences I've had in my time in this industry. Look at some of the names here: Jay Dyson, Steve Manzuik, Chris Wysopal, KF, Blue Boar, Len Rose. Notable hackers.

Now, it's time to cut the shit.

First and foremost, let me say this list is complete dogshit. I'd like to go on the record with my opinion being that moderated mailing lists are a good thing. It keeps all the fucking whining to a minimum. You think I actually care that your information is being resold? No! I just want the information, delivery medium negotiable. I could give a fat rats ass if you get credit, either. That's one thing I can say for any vulnerability database; at least I don't have to listen to a bunch of punkasses and their incessant boohooing; instead, I get just the pertinent information. At the end of the day, I don't give a fuck who you are, or how great you think you are; I care that my systems are secure, and that's the bottom line.

Second, I've been amazed at what big fucking morons the "esteemed hackers" in the community are. Especially Chris and Jay. Wow! I thought you guys were really intelligent, and to some extent, had a moderate amount of respect for you two. The only thing I've seen from any of you at this point is hidden agenda. You guys are truly disgusting. You guys set the bar for low. Proof that nothing is ever what it seems.

Third, I can't believe that not a single one of you dickless, amoebic, mental-myopics has even BOTHERED to look at the other people in this "industry" that are regularly exploited, and use the information we supply for the sake of creating something for the common good. The first person that comes to mind is Renaud Deraison. Yeah, you guys are fucking brilliant, right? Make the information copyrighted, so he can't continue to work on a FREE project continually exploited, and at least try to sell support so he can pay the fucking rent? Jesus.

And let's not even talk about Marty Roesch. If there's another person that knows something about giving heart and soul to a project, and continually getting exploited, he's our man. He runs a great project, and I'll bet not a single one of you whining bitches hasn't used it, and if you consult, haven't provided it as a "solution" that you charged some company billable hours for. So now you want to take the information that he needs as well, and restrict him from it? Looks to me like he's finally getting his company off the ground, and you guys want to fuck him now too?

I can't believe the amount of fucking "idealists" we have here that think they know how to fix the fucking world by fucking the people that actually do some good in it. Fuck each and every one of you. I can only hope that one day, you finally dislodge your head from your ass and realize the ramifications of your self-serving agenda. I have my doubts about it happening, though.

Furthermore, I'm thankful to see that people like Chris and Jay have actually come out of the closet to show what fucking miserable, narcissistic, ugly people they really are. It's high time that we finally get an idea of the wheat and chaff in this industry, and separate them. I still nearly fall off my chair with laughter when I visualize Chris sucking up to MS, and trying to push the "responsible disclosure" agenda while moderating an allegedly "full disclosure" list, and posting to others. You're a man of many faces, Chris, all of them in twos. I'll not even pick on Jay; I really feel pity on him.

haiku
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
> Houses
> ----------
> Fat Checks Are Good Biz
> They buy warm houses for March
> Is yours made of glass?

OK, so now the idiots who don't have the necessary social skills to get
paying jobs start tossing rocks at those who work for a living. Yeah, fat
checks are a good biz you are damn right, and what is wrong with that? If
you are good at something, go get a job doing that which you are good at.
How can you fault someone for that? Weld Pond has contributed more to the
security industry in general than half the fucks on this list INCLUDING
ME! It is no surprise that his skills are in demand; do you expect him to
flip burgers for a living?

I have had my shares of run-ins with the guys at Security Focus but do you
think I fault them for getting $75million. Shit no, I hope after the VCs
are done with them that Al and the crew each put a million or so in their
pocket. I may not agree with everything SF has done or is going to do but
that is their choice and you can't fault them for making money.


> Or better, thousands per advisory when a consultant for a certain company shows up to audit networks. What's @stake's billable rate these days?

The difference here is that the consultant you are talking about in this
case WROTE THE FUCKING ADVISORY. Stop bitching and start contributing.
Why is everyone so against security consultants that have a clue? What's a
matter, your script kiddie tools aren't as effective anymore? Jealous that
you just can't seem to make a big discovery yourself? (heh, I know I am)

What we should be bitching about are the moronic (usually big 5)
consulting companies that have no clue and rely on FUD and commercial
products to do their work for them.

> I'll not even touch this. I could make fun of several hypocrits on this
> list, but like anybody in the industry that actually contributes, I have
> a regular job; one that doesn't involve stroking and petting my ego.


What does wanting to contribute a free vulnerability database have to do
with petting ones ego? This is about keeping the information free and
helping EVERYONE in the industry. Oh yeah, I forgot, this means that
people might actually start patching boxes making your s'kiddiot tools not
work. This in-fighting and finger pointing is complete bullshit gweeds
style. Why not work together for a common good?

> Now, it's time to cut the shit.

I agree.

> First and foremost, let me say this list is complete dogshit. I'd
> like to go on the record with my opinion being that moderated mailing
> lists are a good thing. It keeps all the fucking whining to a minimum.

Again, I agree, moderation prevents abuse. But, moderation also makes
certain people whine that they are being censored.....blah..cry me a
river.

> Second, I've been amazed at what big fucking morons the "esteemed hackers"
> in the community are. Especially Chris and Jay.
> Wow! I thought you guys were really intelligent, and to some extent,
> The only thing I've seen from any of you at this point is hidden agenda.
> You guys are truly disgusting. You guys set the bar for low. Proof
> that nothing is ever what it seems.

Explain what you feel this hidden agenda is? I consider both Jay and
Chris to not only be true hackers but to also be friends. So other than a
bit of common sense what is the hidden agenda?

> And let's not even talk about Marty Roesch. If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man. He runs a great project,

If anything, ALL of us should be writing and contributing more Nessus
signatures for stuff.

> Furthermore, I'm thankful to see that people like Chris and Jay have
> actually come out of the closet to show what fucking miserable,
> narcissistic, ugly people they really are. It's high-time that we
> finally get an idea of the wheat and chaff in this industry, and
> separate them. I still nearly fall off my chair with laughter when
> I visualize Chris sucking up to MS, and trying to push the
> "responsible disclosure" agenda while moderating an allegedly
> "full disclosure" list, and posting to others. You're a man of
> many faces, Chris, all of them in twos. I'll not even pick on Jay;
> I really feel pity on him.

Now this is a load of shit. Responsible Full Disclosure means working
with a vendor to get something fixed and then releasing an advisory - NOT
blindsiding a vendor with one day's notice or no notice at all. What is
wrong with Chris, a moderator of VulnWatch, getting involved in the whole
responsible full disclosure thing? I would rather have him involved
because he has a clue than some moron like Russ Cooper or even worse the
MS people alone.

As for VulnWatch -- VulnWatch is full disclosure; a post has never been
rejected based on the status of a vendor. Yeah, they encourage people to
work with vendors but they don't force it. I KNOW THIS FOR A FACT!

It's time for the so called community to put up or shut up.


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
On Fri, 19 Jul 2002 haiku@hushmail.com wrote:

> Or better, thousands per advisory when a consultant for a certain
> company shows up to audit networks. What's @stake's billable rate
> these days?

As a consulting company that publishes vulnerability information and tools,
we contribute to the pool that we drink out of.

> First and foremost, let me say this list is complete dogshit. I'd like
> to go on the record with my opinion being that moderated mailing lists
> are a good thing. It keeps all the fucking whining to a minimum. You
> think I actually care that your information is being resold? No! I
> just want the information, delivery medium negotiable. I could give a
> fat rats ass if you get credit, either. That's one thing I can say for
> any vulnerability database; at least I don't have to listen to a bunch
> of punkasses and their incessant boohooing; instead, I get just the
> pertinent information. At the end of the day, I don't give a fuck who
> you are, or how great you think you are; I care that my systems are
> secure, and that's the bottom line.
>

So would you use a non-profit database that was populated by the
vulnerability reporters themselves? That is what I am proposing.


> Second, I've been amazed at what big fucking morons the "esteemed
> hackers" in the community are. Especially Chris and Jay. Wow! I
> thought you guys were really intelligent, and to some extent, had a
> moderate amount of respect for you two. The only thing I've seen from
> any of you at this point is hidden agenda. You guys are truly
> disgusting. You guys set the bar for low. Proof that nothing is ever
> what it seems.

For wanting a public vulnerability database? This is what the security
community is currently missing in a public and open format. There are open
source NIDS, vuln scanners, and other security tools. There are public
security mailing lists. There is a public vuln dictionary, CVE. But there
is no public vuln database. Why is everything else good to have
non-commercial alternatives for except a vuln database? The open source
tools could tie into it.

>
> supply for the sake of creating something for the common good. The
> first person that comes to mind is Renaud Deraison. Yeah, you guys are
> fucking brilliant, right? Make the information copyrighted, so he
> can't continue to work on a FREE project continually exploited, and at
> least try to sell support so he can pay the fucking rent? Jesus.

I certainly didn't mention restricting information. A public vulnerability
database would require the information to be open so that it could be in
the database.

> And let's not even talk about Marty Roesch. If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man. He runs a great project,
> and I'll bet not a single one of you whining bitches hasn't used it,
> and if you consult, haven't provided it as a "solution" that you
> charged some company billable hours for. So now you want to take the
> information that he needs as well, and restrict him from it? Looks to
> me like he's finally getting his company off the ground, and you guys
> want to fuck him now too?

@stake employees have contributed to the Snort project. I actually was
using Snort earlier today on a product pen test. It's great. Marty has
created something wonderful. A public vulnerability database would enhance
Snort not hurt it. We don't really do implementation work but we have
recommended to some of our customers that they install Snort.

> separate them. I still nearly fall off my chair with laughter when I
> visualize Chris sucking up to MS, and trying to push the "responsible
> disclosure" agenda while moderating an allegedly "full disclosure"
> list, and posting to others. You're a man of many faces, Chris, all of
> them in twos. I'll not even pick on Jay; I really feel pity on him.

You can support the First Amendment and still limit what you personally say
and write. I choose not to be vulgar in my list postings and I might even
advocate for others to not be vulgar but I would never want to ban that
language. I think it is a benefit to security if people can patch their
boxes before exploits are written. Nothing is a single bullet solution but
I think that certain disclosure practices can help make this happen.
Obviously a lot has to be done better on the vendor side. So while
advocating for people to follow certain disclosure practices I still don't
think there should be a law restricting free speech. Once someone has
chosen to publish information they are going to publish it. It is better
for the community that VulnWatch approve these messages so that everyone
can get the information at the same time.

-Chris



> haiku
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
> Second, I've been amazed at what big fucking morons the "esteemed
> hackers" in the community are. Especially Chris and Jay. Wow! I
> thought you guys were really intelligent, and to some extent, had a
> moderate amount of respect for you two. The only thing I've seen from
> any of you at this point is hidden agenda. You guys are truly
> disgusting. You guys set the bar for low. Proof that nothing is ever
> what it seems.
>
> For wanting a public vulnerability database? This is what the security
> community is currently missing in a public and open format. There are open
> source NIDS, vuln scanners, and other security tools. There are public
> security mailing lists. There is a public vuln dictionary, CVE. But there
> is no public vuln database. Why is everything else good to have
> non-commercial alternatives for except a vuln database? The open source
> tools could tie into it.

I think that a public vuln database would be incredibly useful. I find
that when security advisories are released, trying to search through all
of the security companies' websites for more information on how it is
being exploited, and also how it is going to affect my systems,
rather... tedious.

I also think that tying them to the open source tools, or leaving it
open so that they could be, would also be a great idea. Having to find
up-to-date signatures for all of the security software is another task
that could be easily automated with something like that.

I know that there are other reasons being discussed on this list about
the idea of the public vuln database, but, I just thought that I would
throw out my $0.02.

--Chris

Christopher Meiklejohn
cmeik@gawble.net
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
>As a consulting company that publishes vulnerability information and tools,
>we contribute to the pool that we drink out of.

Oh. So this is your argument. You contribute to it, therefore you may use it? Wait .... I thought you said the information should be free for non-commercial use. Does not taking from the pool to use within a company constitute commercial use? Genius! So, the "do as I say and not as I do" applies here? What other double-standards are we also applying in this discussion?

You know, Chris, you really puzzle me. You look a person holding a very sharp axe in their hand directly in the eye, then you put your neck on the block. And you know DAMN WELL I'm going to bring this fucker right down on you. As you wish.

So, now that we've clarified that there is, in fact, a double-standard here, this would explain why a certain vicious rumor about the @stake toolkit that somehow found the light of day contains not only many, many publicly available exploits, but also some 0day that the vendors have yet to fix. Tell me, Chris, I'm a little confused how this applies to both "Responsible Disclosure" and "information being free for non-commercial use." From my take, there's nothing responsible whatsoever about possessing, and distributing a toolkit that contains exploits for problems that aren't even fixed. To me, it also doesn't constitute "non-commercial use" that this rumored toolkit is used by @stake pen testers when they're at a gig.

Why Johnny Ringo .... you look like somebody just walked over your grave.

>So would you use a non-profit database that was populated by the
>vulnerability reporters themselves? That is what I am proposing.

Chris, hellNbak AKA Steve Manziuk can't even read an email, get the point, and intelligently respond. And he moderates a fucking mailing list! You've got to be shitting me. Oh, btw Steve, when I want to talk to you, I'll initiate the conversation; I have little time to waste on your innate ability to read and not comprehend.

What about the folks that don't speak English as a first language, or no English whatsoever?

In short, yeah, you could say I'm skeptical. And what's going to stop other information security companies from using it anyway? If the data is freely available, it's there for the harvest. If you want to prevent it from being exploited by outside parties, you have to neuter it to where there's no details whatsoever. Then, it becomes roughly tits on a boar.

FYI, as I recall, the information in the Bugtraq Database is freely available to the public through their web site anyways. Perhaps you may have overlooked this.

>For wanting a public vulnerability database? This is what the security
>community is currently missing in a public and open format. There are open
>source NIDS, vuln scanners, and other security tools. There are public
>security mailing lists. There is a public vuln dictionary, CVE. But there
>is no public vuln database. Why is everything else good to have
>non-commercial alternatives for except a vuln database? The open source
>tools could tie into it.

The open source tools could tie into it. Open Source != Non-Commercial.

Ok, as I recall, Renaud was at least making a little money off his project by offering support, while the rest of these pentest dirtbags exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm wrong here, but first, doesn't this mean that Renaud would no longer be able to offer commercial support for his product? I think so.

And I believe the same applies to Marty, as Sourcefire is offering commercial products built on Snort. Gee, what a fucking HUGE hole in your logic. And, you additionally fuck them in the process. Good job.

>I certainly didn't mention restricting information. A public vulnerability
>database would require the information to be open so that it could be in
>the database.

Ok, so you have a database that can be used commercially, or you don't. Notice how there's no fucking in-between? And what if a person wants to use the "non-commercial database" in their commercial product? Does this now require a licensing fee? Or do you just turn them away? This has sham written all over it.

And of course, how does this differ from the Bugtraq Database?

>@stake employees have contributed to the Snort project. I actually was
>using Snort earlier today on a product pen test. It's great. Marty has
>created something wonderful. A public vulnerability database would enhance
>Snort not hurt it. We don't really do implementation work but we have
>recommended to some of our customers that they install Snort.

Horseshit. Non-commercial != Public, and vice-versa. The Bugtraq Database is public.

How does Marty benefit from the database by no longer being able to use it? It sure as hell doesn't help his commercial venture, as near as I can tell.

>You can support the First Amendment and still limit what you personally say
>and write. I choose not to be vulgar in my list postings and I might even
>advocate for others to not be vulgar but I would never want to ban that
>language. I think it is a benefit to security if people can patch their
>boxes before exploits are written. Nothing is a single bullet solution but
>I think that certain disclosure practices can help make this happen.
>Obviously a lot has to be done better on the vendor side. So while
>advocating for people to follow certain disclosure practices I still don't
>think there should be a law restricting free speech. Once someone has
>chosen to publish information they are going to publish it. It is better
>for the community that VulnWatch approve these messages so that everyone
>can get the information at the same time.

I really wish you weren't so two-faced, paradoxical, and self-righteous. And on that note, how does this make VulnWatch any different from any other security mailing list? Securiteam does the same thing. This list allegedly does the same thing. Bugtraq does the same thing.

Bottom-line, there's going to be people that make money off security information whether you like it or not. @Stake does. SecurityFocus does. ISS does. NAI does. Even CERT does. Welcome to the capitalist world; leave your agendas and egos at the door. Any company that uses information/software provided by them tends to make money, as they spend less time down due to security incidents. Funny how economics work, isn't it?

If you don't like it, might I recommend you move to Cuba? I hear they're still communist there, and you may find their way of thinking more in line with yours. I'd suspect you're not going to enjoy the same standard of living, though.

haiku

Re: Symantec Buys SecurityFocus, among others....
I know better than to step into a discussion like this, but...

Advocating "full disclosure" and then trying to restrict the flow of
vulnerability information does not make sense! Either you want it fully
disclosed to everyone, or you don't. What I seem to hear being
advocated is something like "vulnerabilities should be fully disclosed
to people who support full disclosure, and _nobody else_". But that is
not full disclosure at all, that's a closed, insular universe.

There's a lot of anger on this list against "commercial use" of
vulnerability information, directed against "security companies". What
about commercial software vendors? How can you "protect" exploit
information against "commercial use" without also preventing commercial
entities like distro houses from using it?

If you did somehow successfully prevent the Red Hats, Calderas and Suns
from using your exploit information to tighten up their products, in
what way would this be a good thing? (A few readers are unconditionally
against all commercial software houses; the rest of us are aware of
that. If you're unconditionally against it then this is another tiny
bit of ammo; fine. I'm trying to ask this question of people who _do_,
to whatever degree, appreciate commercial software.)

Meanwhile, I haven't heard that Symantec has actually _done_ anything
that would harm bugtraq.

Instead of boycotting bugtraq, people should continue to use it as
before, but keep a sharp eye on it. If you post a vulnerability there,
does it show up promptly? Then the list is working as it should,
and there's nothing to get so excited about. The list is public --
if your vuln shows up, it's available to everyone, thus proving that
Symantec/SecurityFocus are not holding it back in order to gain some
sort of advantage in the marketplace.

If they _do_ start delaying things, it'll be obvious to participants,
and the list will die naturally. It would no longer be serving its
purpose, so people would stop using it and it would die.

And maybe, just maybe, _this_ list will some day take over the role.
Ain't gonna happen any time soon, not when the sound(vuln info):noise
(flamewars about who-bought-who) ratio is so low.

>Bela<

(yeah, I'm repeating some of what others have said, but -- I hope -- a
little more coherently and with a lot less swearing...)

Reply-To: /dev/null (this is the wrong venue for this discussion)
Re: Symantec Buys SecurityFocus, among others....
----- Original Message -----
From: <haiku@hushmail.com>
To: <full-disclosure@lists.netsys.com>
Sent: Saturday, July 20, 2002 12:28 AM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

[tedious rant elided]

> If you don't like it, might I recommend you move to Cuba? I hear they're
> still communist there, and you may find their way
> of thinking more in line with yours. I'd suspect you're not going to enjoy
> the same standard of living, though.

And you probably would not be in the position of being able to hide behind
an anonymous email address either.... let alone being able to express your
own opinions.

Ho hum.
Re: 99%
Maybe there should be a rant-n-babble list, or an ego-tastic list, so
that all compulsory self expression can step aside to a neat place of
its own. This list at least is getting killed with vigour. Sad, because
I can clearly see the need for it.

Peter
Re: Symantec Buys SecurityFocus, among others....
----- Original Message -----
From: Bela Lubkin
To: full-disclosure@lists.netsys.com
Sent: Saturday, July 20, 2002 4:44 AM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among
others....

>Meanwhile, I haven't heard that Symantec has actually _done_ anything
>that would harm bugtraq.

Yet. What will happen is:

1. All approved messages will now contain commercial .sigs: "BUY
NORTON ANTIVIRUS 50% OFF!!!"
2. Further down the road, the moderators and co-founders of
SecurityFocus will have a falling out with the top brass of Symantec.
They'll be replaced by Symantec newsgroup support staff
3. Even further down the road, Symantec will take a beating in the
markets. They'll scramble for ways to generate revenue. Bugtraq,
subscriber based for a fee, vuln database, fee based, et cetera
4.
5.

the list goes on.

Why should something as important and as valuable as Bugtraq
remain "free"? Symantec didn't buy it for 75 million just to "give
it away to everyone".


"'SecurityFocus has developed the world's most comprehensive and up-
to-date database of vulnerabilities available. Symantec will continue
to license the Vulnerability Database to security product vendors,
managed service providers and other organizations that use it to
create powerful new security products and services for their
customers'"

"'By monitoring almost 11,000 distinct versions of more than 2,700
products from 1,300 vendors, SecurityFocus provides proactive,
customized alert services for environment-specific vulnerabilities
and malicious code alerts.'"

http://www.symantec.com/press/2002/n020717.html


You're all working for Symantec now. Going rate: nothing
Re: Symantec Buys SecurityFocus, among others....
On Fri, 19 Jul 2002 haiku@hushmail.com wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >As a consulting company that publishes vulnerability information and tools,
> >we contribute to the pool that we drink out of.
>
> Oh. So this is your argument. You contribute to it, therefore you may
> use it? Wait .... I thought you said the information should be free
> for non-commercial use. Does not taking from the pool to use within a
> company constitute commercial use? Genius! So, the "do as I say and
> not as I do" applies here? What other double-standards are we also
> applying in this discussion?

Please show where I said that vulnerability information or tools should be
restricted to non-commercial use only. That was Jay. I suggested a public
vulnerability database. I have been involved in the research, writing, or
coordination of dozens and dozens of advisories for over 7 years. In not
one case were these advisories restricted in any way. I might add that
there was no advertising or other fluff. Just technical information.


> So, now that we've clarified that there is, in fact, a double-standard
> here, this would explain why a certain vicious rumor about the @stake
> toolkit that somehow found the light of day contains not only many,
> many publicly available exploits, but also some 0day that the vendors
> have yet to fix. Tell me, Chris, I'm a little confused how this
> applies to both "Responsible Disclosure" and "information being free
> for non-commercial use." From my take, there's nothing responsible

You have clarified nothing. You are inventing controversy where there is
none.

Let me know about which specific files have 0day information in them that
we are supposedly distributing and I will investigate. We have nothing to
hide here.

Again the non-commercial use is something that Jay was talking about. We
give out the @stake Pocket Security Toolkits at trade shows so obviously
they are for commercial use too.

> What about the folks that don't speak English as a first language, or
> no English whatsoever?

I don't understand the point here.

> In short, yeah, you could say I'm skeptical. And what's going to stop
> other information security companies from using it anyway? If the data
> is freely available, it's there for the harvest. If you want to
> prevent it from being exploited by outside parties, you have to neuter
> it to where there's no details whatsoever. Then, it becomes roughly
> tits on a boar.

I never proposed restricting the use of the public vulnerability database.

> FYI, as I recall, the information in the Bugtraq Database is freely
> available to the public through their web site anyways. Perhaps you
> may have overlooked this.

Sure, and it is the best one out there. That doesn't mean another database
that allowed mirroring of the database itself and was updated by the
vulnerability reporters and edited by the community couldn't be better.
Maybe it won't be better. Why not discuss it rationally without flying off
the handle with accusations of hidden agendas that never materialize?

> The open source tools could tie into it. Open Source != Non-Commercial.

And your point is?

> Ok, as I recall, Renaud was at least making a little money off his
> project by offering support, while the rest of these pentest dirtbags
> exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit
> had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm
> wrong here, but first, doesn't this mean that Renaud would no longer be
> able to offer commercial support for his product? I think so.

We never charged any money for the @stake toolkit. I am not exactly sure
why you think I am proposing anything that would restrict Renaud from
making money charging for support.

> And I believe the same applies to Marty, as Sourcefire is offering
> commercial products built on Snort. Gee, what a fucking HUGE hole in
> your logic. And, you additionally fuck them in the process. Good job.

Again I never said anything about restricting the use of vulnerability
information.

> Ok, so you have a database that can be used commercially, or you don't.
> Notice how there's no fucking in-between? And what if a person wants
> to use the "non-commercial database" in their commercial product?
> Does this now require a licensing fee? Or do you just turn them away?
> This has sham written all over it.

No it has your confusion written all over it.

> >think there should be a law restricting free speech. Once someone has
> >chosen to publish information they are going to publish it. It is better
> >for the community that VulnWatch approve these messages so that everyone
> >can get the information at the same time.
>
> I really wish you weren't so two-faced, paradoxical, and self-righteous.
> And on that note, how does this make VulnWatch any different from any
> other security mailing list? Securiteam does the same thing. This
> list allegedly does the same thing. Bugtraq does the same thing.

How is this two-faced? SecurityFocus/Symantec just announced a similar
dual policy. One policy for vulnerability information that Symantec
researchers originate and control the release of, and another policy for the
moderation of the Bugtraq disclosure list. Once someone decides to publish
information it will be published. Some researchers even run their own
lists, and now there is an unmoderated disclosure list. Bugtraq or
VulnWatch wouldn't be stopping anything by not approving disclosure
messages.

> Bottom-line, there's going to be people that make money off security
> information whether you like it or not. @Stake does. SecurityFocus
> does. ISS does. NAI does. Even CERT does. Welcome to the capitalist
> world; leave your agendas and egos at the door. Any company that uses
> information/software provided by them tends to make money, as they
> spend less time down due to security incidents. Funny how economics
> work, isn't it?

Again, I never said to not let commercial entities make money off security
information. I simply stated the economics of the vulnerability database
case. I now realize you are the one with the ego problem and the agenda
issues. As you know, I work at a commercial venture in the security industry;
this paragraph above is a bit patronizing, don't you think?

Well I hope I cleared up some of your misunderstandings.

-Chris
Re: Symantec Buys SecurityFocus, among others....
thus spoke Jay D. Dyson <jdyson@treachery.net> [2002.07.20.2151 +0200]:
> In short, corporate America has been doing its damnedest to fuck
> things up for us. I sure as hell would not mind returning the favor.
> Sure, let 'em patch based on the work...but the moment they try reselling
> the data with their own brand name slapped on it, I'd say it's time to put
> their feet to the fire.
>
> But most importantly, I think it's time we took the stance that
> greatly favors Open Source products over their commercial counterparts.
> In case nobody's noticed, all the Closed Source vendors are doing their
> best to demonize Open Source (even going so far as to call it a "threat to
> national security").
>
> In short, the corporate sector has been lobbing shells at us this
> long. It's about goddamned time we returned fire.

I am in the boat, but only if you don't forget the European part of
the world, who are, partially due to America's influence, feeling the
same about their corporate world. At least some. We wouldn't want to
leave those folks to the enemy, right?

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

friends help you move. real friends help you move bodies.
Re: Symantec Buys SecurityFocus, among others....
thus spoke gdd@siliconinc.net <gdd@siliconinc.net> [2002.07.19.0142 +0200]:
> A friend of mine already mirrored it. I'm not sure as to how well it
> turned out since I haven't had a chance to look at it yet, but it
> appears that everything is there.

Is he going to make it public?

> A dump of whatever database its in would be a much nicer method
> of doing this.

Word. Talk to the SF guys.

> I can provide both the bandwidth and server space, but what would
> the legal issues be with mirroring it? My lawyer won't even offer
> any advice on this one.

As long as you don't change the pages and it's obvious that you
simply mirrored SF, no (I'd still talk to webmaster@). It becomes
legally problematic as soon as you pretend that this information is
yours, i.e. by deleting references to SF.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

beware of bugs in the above code;
i have only proved it correct, not tried it.
-- donald e. knuth