[Full-Disclosure] Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

From: Drew Copley (dcopley_at_eeye.com)
Date: 02/11/04

    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 11 Feb 2004 11:46:33 -0800
    Without replying to each troll individually, I thought maybe some
    people would like to see some answers to some notes.

    These are my own comments, I speak for myself.

    Question: "Why release all of the details"

    Answer: Polls show this is what administrators want. This is one reason
    we do this. Another reason we do this is simple, we use the details
    ourselves. We use the details to create signatures for our vulnerability
    assessment tool and firewall. Security administrators then download
    these signatures and use them to check for patches or to protect systems
    which can not yet be patched.

    It does not matter if it is eEye you are talking about in this scenario,
    or one of our competitors. This is the "behind the scenes" picture of
    what happens when a patch is released.

    When we - or our competitors - do not have full details on a
    vulnerability, we have to reverse engineer the patch to do so. And, we
    all do this.

    So, people complaining about us releasing all of the details... They
    simply are ignorant of what must be done in this process. They like to
    scream and shout about how a worm will be coming and such, never mind
    that they don't even understand our advisories in the first place.

    And if this does not make it all incredibly clear, let's spell it out
    for them: we can reverse engineer the patches and have to... If virus
    writers want to, they can, too, as well.

    Question/Comment: "Wow, Microsoft kept this for six months!"

    Answer: People have not been paying attention. Look at our advisories.
    We have reported dates and release dates. Microsoft's average is now
    getting to be about six months. It used to be three months. Here and
    there they would do a six month patch. Now, the full average is creeping
    towards there.

    It is akin to a backdoor in their OS. It is shameful. It drives away
    some researchers who don't want to wait six months. It puts a grave
    responsibility on every software vendor. How many "backdoors" do you
    really think the NSA has [to use a popular urban myth]? How many
    "backdoors" do you think your typical security company has?

    Question/Comment: "What is this thing with rapping?"

    Answer: We have had these kinds of things in our advisories since we
    started releasing them way back when.

    Derek, at times, feels the need to bust a rhyme.

    You are not going to stop him.

    And, I have tried. Knives, ropes, pits, strangulation. He is quite wily.

    Question/Comment: "You Guys Are Doing This For the Money and Fame! "

    Answer: If we were doing this from corrupt motives we would be in the
    Bahamas right now. Come on. Don't be stupid.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
