RE: Scanners and unpublished vulnerabilities - Full Disclosure

From: Marc Maiffret (marc@eeye.com)
Date: Tue May 28 2002 - 21:49:01 EDT


not sure if my last email got through to the list where i apologized for my
dumbass email i sent earlier. was out of line and not very well thought out.
that was me fucking up :-] apologies again. back to my hole.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
| Sent: Tuesday, May 28, 2002 6:43 PM
| To: Marc Maiffret; Drew; pen-test@securityfocus.com
| Subject: RE: Scanners and unpublished vulnerabilities - Full Disclosure
|
|
| At 04:20 PM 5/28/2002, Marc Maiffret wrote:
| >I couldn't agree more. I personally see it as a ploy touting the fact that
| >their purchasable product will now and then be able to look for some
| >vulnerabilities that other products won't be able to.
|
| Hey Marc- hope all is well...
|
| I have to say that I'm confused... Are you speaking from the perspective of
| the pot or the kettle? Sorry, I had to ;) But before you get all pissed
| at me, let me say that the only reason I have considered buying *your*
| product when I can get stuff like URLScan or the comparable
| soon-to-be-available product from JD Glaser for *free* is for this very
| reason you call a "ploy." For instance, the latest issues with IIS were,
| at the time of your bulletin, protected by your SecureIIS product. It is
| not a ploy, it is value added.
|
| >I think it's irresponsible to try to pawn off a marketing scheme as something
| >that will help benefit the security community, or help the process of
| >getting vulnerabilities fixed.
|
| Yet you include sample exploit code with your notifications, and you give
| away "free" scanners to check for blank SA passwords. You are knee-deep in
| it, brudda!
|
| >Giving out details of any nature, before there is a patch, is never the best
| >route and should be used as a last resort, not a first.
| >
| >I also do not agree with the statements about people not being able to
| >figure out exact details of the vulnerabilities based on the "VNA"'s.
|
| Don't equate yourself with "people." You may be able to, but not your
| average Joe. And certainly not the people who have to use a tool to see if
| they have a blank SA pwd. But, with that said, let's take the text (from
| memory) of the SQL VNA. Block TCP 1433 and UDP 1434, and make sure you
| have proper firewall rules in place. What is the exploit?
|
| >Now sometimes that won't be enough information; however, when you go
| >make a scanning tool that knows how to pinpoint the flaw it's only a matter
| >of time to reverse engineer that tool to figure out how it identifies the
| >flaw and then drill that down further to pinpoint the vulnerability.
|
| I couldn't reverse engineer my toaster, so I would fall back on a simple
| sniff. But yes, I would then get a leg up on the sploit. But so
| what? People who paid for the product, or who had a fink, could get their
| hands on it. Credit for discovery is not an issue, so it would only be
| those who would write an exploit. As you well know, if Litchfield has the
| bug, chances are other people have it too. If the vendor gets off their
| arse, then it is better for me.
|
|
| >I am not saying I agree with that, but for people like David who are good at
| >finding vulnerabilities, it only makes sense to try to figure out how to
| >make a living off of that talnet... wrong or right, no opinion.
|
| "talnet?" I think your fingers have been trained ;)
|
|
| >I do see it as being a big problem, and totally unethical, if you start to
| >manipulate the situation into being one of a strong-arm style tactic where
| >it's "give me money, so you stay protected"
|
| You've gone too far here. NGSSoftware is not attacking people, or
| threatening to if they don't "pay up." If anything, it is a message to the
| vendors not to sit on a critical security bug for 8 months while they take
| advantage of someone else's good graces.
|
| >.... equating it to store owners having to pay
| >off local thugs so they don't go bashing their place up. Not that I am
| >saying this is what is happening here.
|
| Then what are you saying? Why bring up a non-sequitur analogy?
|
| >Once again, I just think this is a really poor marketing ploy. But hey,
| >it's working... we're all discussing it, as dumb as it all is.
|
| Let's put this in perspective. You supplied exploit code for the idq
| vulnerability. All manner of folk blamed you (incorrectly) for Code Red
| for the exact same reasons you are now saying are faulty with the VNA. You
| have a job because you are a bad-ass! Your company makes money *strictly*
| due to the fact that you perceive problems with other people's products,
| and provide solutions from them. What do you think the customer is paying
| for? I don't only want protection from 0 day exploits, it is what I
| *expect*!! I don't need protection from 6 month old bugs- I need
| protection from the people like you and David that are not professional.
|
| And that is what I will get when I buy your products. If anyone should get
| behind this, I would think it would be you.
|
| Cheers, dude. See ya at Blackhat.
|
| Tim
|
|
|
| ----------------------------------------------------------------------------
| This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
| Service. For more information on SecurityFocus' SIA service which
| automatically alerts you to the latest security vulnerabilities please see:
| https://alerts.securityfocus.com/
|
|




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT