On Thu, 19 Sep 2002, Arjen De Landgraaf wrote:

> Thank you for taking the time to research our background,
> although a bit one-sided.
> Yes, a website got defaced a long time ago. That is a fact.
> No-one is 100% secure (Richard Clarke), and we did learn from it.

You were defaced by a known security issue. There was a patch available yet you still got defaced. So don't try and fall back on to the no one is 100% secure garbage because you were not even 50% secure when the defacement happened.

> However, you could acknowledge that we were not the
> only one at the same time. Untold security companies
> and sites were defaced by PoizonB0x and others
> in that very same period. Including: SecurityNewsportal, CNet,
> Attrition, Lucent. Microsoft (18 times in total?), SANS,
> CERT, SecurityFocus and many others.

Was SecurityFocus actually defaced? I thought they whacked an ad server that then placed a hacked banner on the SF site. I could be wrong though.

> If you also would have taken the effort to dig a bit further,
> you would also have found that two weeks later IDG NZ
> published a correction on their article, as it contained
> factual errors. As it happens with news media,
> the first article got spread around the world pretty
> quickly, the correction did not.

In other words, you guys made a quote; "oh it was a honeypot" then realized how stupid it sounded so had a retraction printed.

> from readers of this list, and they are all very positive.
> In fact, you are the only negative. Even more particular,
> your review is extremely negative. Makes me wonder why.

Here is another negative one. Your site is horrible to navigate through.

> Our logs show no evidence that you actually went into
> the database to "do your review", and I must therefore ask
> questions on the objectivity of the "review" you conducted.

So your database includes a list of every known IP address that Eric might have used?

> I challenge you to show any other online single free source with
> more complete information, any other free portal that enables
> a complete check-up on any and each IT infrastructure component,
> incl routers, firewalls, databases, O/S's etc etc. in a practical
> way. Where an IT professional can check on all components
> of their IT infrastructure on potential vulnerabilities and patches.

There is one coming. Although it is different than yours. It's not being used to sell a service and there are no fees associated with it.

> You mentioned that the data is a week old.
> Heh, we just got it on the air last Sunday, give us a break. We
> have already had many thousands of hits within a few days. Managing
> performance is a more important issue. Anyway, the data was
> at the time of your "review" only 2 days old.

I thought you guys only did weekly updates? Can I do a dump of the entire database for my use?

> These subscribers are very happy to pay for the added value we
> provide to them in our E-Secure-IT alerting service.

There is the kicker. You are not a free service. So don't pretend to be one.

> The actual E-Secure-DB database component is now available to
> the global IT and business community. Free.

As a marketing ploy to sell your other services. At least be honest about it.

> We believe that this initiative can make a powerful and positive
> difference to the IT professionals all over the world.

You are right, it probably will but don't pretend that you are not a business and that you don't have the motive of also making money off of this venture. That is where the problem is, in my mind anyways.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
[EMAIL PROTECTED]
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
