Mailing List Archive

Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
Second, I've been amazed at what big fucking morons the "esteemed
hackers" in the community are. Especially Chris and Jay. Wow! I
thought you guys were really intelligent, and to some extent, had a
moderate amount of respect for you two. The only thing I've seen from
any of you at this point is hidden agenda. You guys are truly
disgusting. You guys set the bar for low. Proof that nothing is ever
what it seems.

For wanting a public vulnerability database? This is what the security
community is currently missing in a public and open format. There are open
source NIDS, vuln scanners, and other security tools. There are public
security mailing lists. There is a public vuln dictionary, CVE. But there
is no public vuln database. Why is everything else good to have
non-commercial alternatives for except a vuln database? The open source
tools could tie into it.

I think that a public vuln database would be incredibly useful. I find
that when security advisories are released, trying to search through all
of the security companies' websites for more information on how it is
being exploited, and also how it is going to affect my systems,
rather... tedious.

I also think that tying them to the open source tools, or leaving it
open so that they could be, would also be a great idea. Having to find
up-to-date signatures for all of the security software is another task
that could be easily automated with something like that.

I know that there are other reasons being discussed on this list about
the idea of the public vuln database, but, I just thought that I would
throw out my $0.02.

--Chris

Christopher Meiklejohn
cmeik@gawble.net
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>As a consulting company that publishes vulnerability information and tools,
>we contribute to the pool that we drink out of.

Oh. So this is your argument. You contribute to it, therefore you may use it? Wait .... I thought you said the information should be free for non-commercial use. Does not taking from the pool to use within a company constitute commercial use? Genius! So, the "do as I say and not as I do" applies here? What other double-standards are we also applying in this discussion?

You know, Chris, you really puzzle me. You look a person holding a very sharp axe in their hand directly in the eye, then you put your neck on the block. And you know DAMN WELL I'm going to bring this fucker right down on you. As you wish.

So, now that we've clarified that there is, in fact, a double-standard here, this would explain why a certain vicious rumor about the @stake toolkit that somehow found the light of day contains not only many, many publicly available exploits, but also some 0day that the vendors have yet to fix. Tell me, Chris, I'm a little confused how this applies to both "Responsible Disclosure" and "information being free for non-commercial use." From my take, there's nothing responsible whatsoever about possessing, and distributing a toolkit that contains exploits for problems that aren't even fixed. To me, it also doesn't constitute "non-commercial use" that this rumored toolkit is used by @stake pen testers when they're at a gig.

Why Johnny Ringo .... you look like somebody just walked over your grave.

>So would you use a non-profit database that was populated by the
>vulnerability reporters themselves? That is what I am proposing.

Chris, hellNbak AKA Steve Manziuk can't even read an email, get the point, and intelligently respond. And he moderates a fucking mailing list! You've got to be shitting me. Oh, btw Steve, when I want to talk to you, I'll initiate the conversation; I have little time to waste on your innate ability to read and not comprehend.

What about the folks that don't speak English as a first language, or no English whatsoever?

In short, yeah, you could say I'm skeptical. And what's going to stop other information security companies from using it anyway? If the data is freely available, it's there for the harvest. If you want to prevent it from being exploited by outside parties, you have to neuter it to where there's no details whatsoever. Then, it becomes roughly tits on a boar.

FYI, as I recall, the information in the Bugtraq Database is freely available to the public through their web site anyways. Perhaps you may have overlooked this.

>For wanting a public vulnerability database? This is what the security
>community is currently missing in a public and open format. There are open
>source NIDS, vuln scanners, and other security tools. There are public
>security mailing lists. There is a public vuln dictionary, CVE. But there
>is no public vuln database. Why is everything else good to have
>non-commercial alternatives for except a vuln database? The open source
>tools could tie into it.

The open source tools could tie into it. Open Source != Non-Commercial.

Ok, as I recall, Renaud was at least making a little money off his project by offering support, while the rest of these pentest dirtbags exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm wrong here, but first, doesn't this mean that Renaud would no longer be able to offer commercial support for his product? I think so.

And I believe the same applies to Marty, as Sourcefire is offering commercial products built on Snort. Gee, what a fucking HUGE hole in your logic. And, you additionally fuck them in the process. Good job.

>I certainly didn't mention restricting information. A public vulnerability
>database would require the information to be open so that it could be in
>the database.

Ok, so you have a database that can be used commercially, or you don't. Notice how there's no fucking in-between? And what if a person wants to use the "non-commercial database" in their commercial product? Does this now require a licensing fee? Or do you just turn them away? This has sham written all over it.

And of course, how does this differ from the Bugtraq Database?

>@stake employees have contributed to the Snort project. I actually was
>using Snort earlier today on a product pen test. It's great. Marty has
>created something wonderful. A public vulnerability database would enhance
>Snort not hurt it. We don't really do implementation work but we have
>recommended to some of our customers that they install Snort.

Horseshit. Non-commercial != Public, and vice-versa. The Bugtraq Database is public.

How does Marty benefit from the database by no longer being able to use it? It sure as hell doesn't help his commercial venture, as near as I can tell.

>You can support the First Amendment and still limit what you personally say
>and write. I choose not to be vulgar in my list postings and I might even
>advocate for others to not be vulgar but I would never want to ban that
>language. I think it is a benefit to security if people can patch their
>boxes before exploits are written. Nothing is a single bullet solution but
>I think that certain disclosure practices can help make this happen.
>Obviously a lot has to be done better on the vendor side. So while
>advocating for people to follow certain disclosure practices I still don't
>think there should be a law restricting free speech. Once someone has
>chosen to publish information they are going to publish it. It is better
>for the community that VulnWatch approve these messages so that everyone
>can get the information at the same time.

I really wish you weren't so two-faced, paradoxical, and self-righteous. And on that note, how does this make VulnWatch any different from any other security mailing list? Securiteam does the same thing. This list allegedly does the same thing. Bugtraq does the same thing.

Bottom-line, there's going to be people that make money off security information whether you like it or not. @Stake does. SecurityFocus does. ISS does. NAI does. Even CERT does. Welcome to the capitalist world; leave your agendas and egos at the door. Any company that uses information/software provided by them tends to make money, as they spend less time down due to security incidents. Funny how economics work, isn't it?

If you don't like it, might I recommend you move to Cuba? I hear they're still communist there, and you may find their way of thinking more inline with yours. I'd suspect you're not going to enjoy the same standard of living, though.

haiku
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wloEARECABoFAj04oMwTHGhhaWt1QGh1c2htYWlsLmNvbQAKCRDCt+udg2XXB+ofAKCR
2eoCWaSG38HxQvUSeoHzHoJFMwCfV6BbSTdti70x5YCbA3CB4NTtv9A=
=Ra4B
-----END PGP SIGNATURE-----


Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
I know better than to step into a discussion like this, but...

Advocating "full disclosure" and then trying to restrict the flow of
vulnerability information does not make sense! Either you want it fully
disclosed to everyone, or you don't. What I seem to hear being
advocated is something like "vulnerabilities should be fully disclosed
to people who support full disclosure, and _nobody else_". But that is
not full disclosure at all, that's a closed, insular universe.

There's a lot of anger on this list against "commercial use" of
vulnerability information, directed against "security companies". What
about commercial software vendors? How can you "protect" exploit
information against "commercial use" without also preventing commercial
entities like distro houses from using it?

If you did somehow successfully prevent the Red Hats, Calderas and Suns
from using your exploit information to tighten up their products, in
what way would this be a good thing? (A few readers are unconditionally
against all commercial software houses; the rest of us are aware of
that. If you're unconditionally against it then this is another tiny
bit of ammo; fine. I'm trying to ask this question of people who _do_,
to whatever degree, appreciate commercial software.)

Meanwhile, I haven't heard that Symantec has actually _done_ anything
that would harm bugtraq.

Instead of boycotting bugtraq, people should continue to use it as
before, but keep a sharp eye on it. If you post a vulnerability there,
does it show up promptly? Then the list is working as it should,
and there's nothing to get so excited about. The list is public --
if your vuln shows up, it's available to everyone, thus proving that
Symantec/SecurityFocus are not holding it back in order to gain some
sort of advantage in the marketplace.

If they _do_ start delaying things, it'll be obvious to participants,
and the list will die naturally. It would no longer be serving its
purpose, so people would stop using it and it would die.

And maybe, just maybe, _this_ list will some day take over the role.
Ain't gonna happen any time soon, not when the sound(vuln info):noise
(flamewars about who-bought-who) ratio is so low.

>Bela<

(yeah, I'm repeating some of what others have said, but -- I hope -- a
little more coherently and with a lot less swearing...)

Reply-To: /dev/null (this is the wrong venue for this discussion)
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
----- Original Message -----
From: <haiku@hushmail.com>
To: <full-disclosure@lists.netsys.com>
Sent: Saturday, July 20, 2002 12:28 AM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

[tedious rant elided]

> If you don't like it, might I recommend you move to Cuba? I hear they're
still communist there, and you may find their way
> of thinking more inline with yours. I'd suspect you're not going to enjoy
the same standard of living, though.

And you probably would not be in the position of being able to hide behind
an anonymous email address either.... let alone being able to express your
own opinions.

Ho hum.
Re: 99% [ In reply to ]
Maybe, there should be a rant-n-babble list, or an ego-tastic list so
that all compulsory self expression can step aside to a neat place of
its own. This list at least is getting killed with vigour. Sad, because
I can clearly see the need for it.

Peter
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
----- Original Message -----
From: Bela Lubkin
To: full-disclosure@lists.netsys.com
Sent: Saturday, July 20, 2002 4:44 AM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among
others....

>Meanwhile, I haven't heard that Symantec has actually _done_ anything
>that would harm bugtraq.

Yet. What will happen is:

1. All approved messages will now contain commercial .sigs: "BUY
NORTON ANTIVIRUS 50% OFF!!!"
2. Further down the road, the moderators and co-founders of
securityfocus will have a fall out with the
top brass of Symantec. They'll be replaced by Symantec newsgroup
support staff
3. Even further down the road, Symantec will take a beating in the
markets. They'll scramble how to generate revenue. Bugtraq,
subscriber based for a fee, vuln database, fee based et cetera
4.
5.

the list goes on.

Why should something as important and as valuable as bugtraq
remain "free"? Symantec didn't buy it for 75 million just to "give
it away to everyone".


"'SecurityFocus has developed the world's most comprehensive and up-
to-date database of vulnerabilities available. Symantec will continue
to license the Vulnerability Database to security product vendors,
managed service providers and other organizations that use it to
create powerful new security products and services for their
customers'"

"'By monitoring almost 11,000 distinct versions of more than 2,700
products from 1,300 vendors, SecurityFocus provides proactive,
customized alert services for environment-specific vulnerabilities
and malicious code alerts.'"

http://www.symantec.com/press/2002/n020717.html


You're all working for Symantec now. Going rate: nothing
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
On Fri, 19 Jul 2002 haiku@hushmail.com wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >As a consulting company that publishes vulnerability information and tools,
> >we contribute to the pool that we drink out of.
>
> Oh. So this is your argument. You contribute to it, therefore you may
> use it? Wait .... I thought you said the information should be free
> for non-commercial use. Does not taking from the pool to use within a
> company constitute commercial use? Genius! So, the "do as I say and
> not as I do" applies here? What other double-standards are we also
> applying in this discussion?

Please show where I said that vulnerability information or tools should be
restricted to non-commercial use only. That was Jay. I suggested a public
vulnerability database. I have been involved in the research, writing, or
coordination of dozens and dozens of advisories for over 7 years. In not
one case were these advisories restricted in any way. I might add that
there was no advertising or other fluff. Just technical information.


> So, now that we've clarified that there is, in fact, a double-standard
> here, this would explain why a certain vicious rumor about the @stake
> toolkit that somehow found the light of day contains not only many,
> many publicly available exploits, but also some 0day that the vendors
> have yet to fix. Tell me, Chris, I'm a little confused how this
> applies to both "Responsible Disclosure" and "information being free
> for non-commercial use." From my take, there's nothing responsible

You have clarified nothing. You are inventing controversy where there is
none.

Let me know about which specific files have 0day information in them that
we are supposedly distributing and I will investigate. We have nothing to
hide here.

Again the non-commercial use is something that Jay was talking about. We
give out the @stake Pocket Security Toolkits at trade shows so obviously
they are for commercial use too.

> What about the folks that don't speak English as a first language, or
> no English whatsoever?

I don't understand the point here.

> In short, yeah, you could say I'm skeptical. And what's going to stop
> other information security companies from using it anyway? If the data
> is freely available, it's there for the harvest. If you want to
> prevent it from being exploited by outside parties, you have to neuter
> it to where there's no details whatsoever. Then, it becomes roughly
> tits on a boar.

I never proposed restricting the use of the public vulnerability database.

> FYI, as I recall, the information in the Bugtraq Database is freely
> available to the public through their web site anyways. Perhaps you
> may have overlooked this.

Sure and it is the best one out there. That doesn't mean another database
that allowed mirroring of the database itself and was updated by the
vulnerability reporters and edited by the community couldn't be better.
Maybe it won't be better. Why not discuss it rationally without flying off
the handle with accusations of hidden agendas that never materialize?

> The open source tools could tie into it. Open Source != Non-Commercial.

And your point is?

> Ok, as I recall, Renaud was at least making a little money off his
> project by offering support, while the rest of these pentest dirtbags
> exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit
> had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm
> wrong here, but first, doesn't this mean that Renaud would no longer be
> able to offer commercial support for his product? I think so.

We never charged any money for the @stake toolkit. I am not exactly sure
why you think I am proposing anything that would restrict Renaud from
making money charging support?

> And I believe the same applies to Marty, as Sourcefire is offering
> commercial products built on Snort. Gee, what a fucking HUGE hole in
> your logic. And, you additionally fuck them in the process. Good job.

Again I never said anything about restricting the use of vulnerability
information.

> Ok, so you have a database that can be used commercially, or you don't.
> Notice how there's no fucking in-between? And what if a person wants
> to use the "non-commercial database" in their commercial product?
> Does this now require a licensing fee? Or do you just turn them away?
> This has sham written all over it.

No it has your confusion written all over it.

> >think there should be a law restricting free speech. Once someone has
> >chosen to publish information they are going to publish it. It is better
> >for the community that VulnWatch approve these messages so that everyone
> >can get the information at the same time.
>
> I really wish you weren't so two-faced, paradoxial, and self-righteous.
> And on that note, how does this make VulnWatch any different from any
> other security mailing list? Securiteam does the same thing. This
> list allegedly does the same thing. Bugtraq does the same thing.

How is this two-faced? SecurityFocus/Symantec just announced a similar
dual policy. One policy for vulnerability information that Symantec
researchers originate and control the release of and another policy for the
moderation of the Bugtraq disclosure list. Once someone decides to publish
information it will be published. Some researchers even run their own
lists and now there is an unmoderated disclosure list. Bugtraq or
Vulnwatch wouldn't be stopping anything by not approving disclosure
messages.

> Bottom-line, there's going to be people that make money off security
> information whether you like it or not. @Stake does. SecurityFocus
> does. ISS does. NAI does. Even CERT does. Welcome to the capitalist
> world; leave your agendas and egos at the door. Any company that uses
> information/software provided by them tends to make money, as they
> spend less time down due to security incidents. Funny how economics
> work, isn't it?

Again I never said to not let commercial entities make money off security
information. I simply stated the economics of the vulnerability database
case. I now realize you are the one with the ego problem and the agenda
issues. As you know I work at a commercial venture in the security industry,
so the paragraph above is a bit patronizing, don't you think?

Well I hope I cleared up some of your misunderstandings.

-Chris
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
also sprach Jay D. Dyson <jdyson@treachery.net> [2002.07.20.2151 +0200]:
> In short, corporate America has been doing its damnedest to fuck
> things up for us. I sure as hell would not mind returning the favor.
> Sure, let 'em patch based on the work...but the moment they try reselling
> the data with their own brand name slapped on it, I'd say it's time to put
> their feet to the fire.
>
> But most importantly, I think it's time we took the stance that
> greatly favors Open Source products over their commercial counterparts.
> In case nobody's noticed, all the Closed Source vendors are doing their
> best to demonize Open Source (even going to far as to call it a "threat to
> national security").
>
> In short, the corporate sector has been lobbing shells at us this
> long. It's about goddamned time we returned fire.

I am in the boat, but only if you don't forget the European part of
the world, who are, partially due to America's influence, feeling the
same about their corporate world. At least some. We wouldn't want to
leave those folks to the enemy, right?

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

friends help you move. real friends help you move bodies.
Re: Symantec Buys SecurityFocus, among others.... [ In reply to ]
also sprach gdd@siliconinc.net <gdd@siliconinc.net> [2002.07.19.0142 +0200]:
> A friend of mine already mirrored it. I'm not sure as to how well it
> turned out since I haven't had a chance to look at it yet, but it
> appears that everything is there.

Is he going to make it public?

> A dump of whatever database its in would be a much nicer method
> of doing this.

Word. Talk to the SF guys.

> I can provide both the bandwidth and server space, but what would
> the legal issues be with mirroring it? My lawyer won't even offer
> any advice on this one.

As long as you don't change the pages and it's obvious that you
simply mirrored SF, no (I'd still talk to webmaster@). It becomes
legally problematic as soon as you pretend that this information is
yours, i.e. by deleting references to SF.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

beware of bugs in the above code;
i have only proved it correct, not tried it.
-- donald e. knuth
