RE: Scanners and unpublished vulnerabilities - Full Disclosure

From: Alfred Huger (ah@securityfocus.com)
Date: Tue May 28 2002 - 20:54:52 EDT


>I couldn't agree more. I personally see it as a ploy touting the fact
>that their purchasable product will now and then be able to look for some
>vulnerabilities that other products won't be able to.

And this is wrong how? If David can protect his customers on a pro-active
basis and allow them to assess their own risk I can't see how you find fault
in it.

>I think it's irresponsible to try to pawn off a marketing scheme as
>something that will help benefit the security community, or help the
>process of getting vulnerabilities fixed.

Ok, that's a bit much. There is not a vendor or security team in existence
who is publishing security alerts for posterity alone. It's in most if not
all cases a situation whereby companies or individuals are either
marketing their product or talent. Start, stop, finish. People can paint
up their motivations in any way they suspect they might be more palatable
to the general public, but let's not fool ourselves here: our industry is
not driven by benevolence.

Further, there is *nothing* wrong with this because regardless of your
motivation the net result, if handled properly, helps everyone involved.

>Giving out details of any nature, before there is a patch, is never the
>best route and should be used as a last resort, not a first.

If you read the VNA I think you'll see this is the case.

>I also do not agree with the statements about people not being able to
>figure out exact details of the vulnerabilities based on the "VNA"s.

I think you're wrong here. By all means dig into his VNA and prove me wrong.

>If you publish details saying XYZ product has a flaw, this is how you
>work around it, and here is a product which can scan your network for it,
>then people will FOR SURE be able to pinpoint the flaw and start widely
>exploiting it while we all wait for a vendor patch.

This is a strong statement with little or no evidence. Ballista, ISS and
Cerberus have all had non-published vuln checks in them. Can you point out
any instance where this turned into wholesale attacks from reverse
engineering?

>A researcher finds a flaw, why
>should they not be able to give that information to paying customers
>(under NDA) while the researcher waits for a vendor to fix the
>vulnerability? I am not saying I agree with that, but for people like
>David who are good at finding vulnerabilities, it only makes sense to try
>to figure out how to make a living off of that talent... wrong or right
>no opinion.

A salient point to remember here is that David and his team are hardly
alone in their ability to discover vulnerabilities. Finding heap/buffer
overflows, format string bugs, race conditions etc. is no longer an arcane
science. It does not require strong programming skills (in the
professional sense). Simply put, it's fairly simple to do and therefore
you should assume that it's being done en masse. The question is not
whether David's company should be able to profit off of their research;
that I think is a no brainer. The issue is: should they follow their policy
as stated in the VNA? The answer to this I think is also a no brainer.
Yes.

>I do see it
>as being a big problem, and totally unethical, if you start to manipulate
>the situation into being one of a strong arm style tactic where it's "give
>me

Hmm, I know people have attacked your credibility on issues like this in
the past. Has your position changed or are you a touch gun shy now?

>money, so you stay protected" .... equating it to store owners having to
>pay

This is hardly extortion; it's the principle on which the security industry
is run. Buy a firewall or you're exposed to the unwashed masses, buy this
scanner or your network will be littered with security vulnerabilities,
buy our encryption or your data will be purloined, and so on and so forth.
People are buying our products to protect themselves; there are no
illusions about this.

>off local thugs so they don't go bashing their place up.

Loading up the conversation with this type of imagery borders on
ridiculous. The same folks who use language like this are the same myopic
types who vilified eEye over CodeRed.

>Not that I am
>saying this is what is happening here. Once again, I just think this is a
>really poor marketing ploy. But hey it's working... we're all discussing
>it, as dumb as it all is.

David did not bring this issue up - I did. I do not own part of his
company, use his product, or even know him. The only people I have ever
plugged in 4 years of running this list are CORE ST, and they deserved it.

Cheers,
-al

VP Engineering
SecurityFocus
"Vae Victis"

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT