I get flamed every time I post to this list but here it goes anyways.

> > * security advisories are rarely based on original concepts
>
> Agreed.
There has been a lot of "XYZ found a vuln similar to this blah blah blah" type advisories lately. But, a vuln is a vuln is a vuln, is it not?

> And sometimes enough information for me to repeat the test and check if
> I'm also vulnerable.

Agreed.

> my clients' computers. They also help better

This isn't a shot at the author of this reply, but his comment about the existence of tools helping him help his clients illustrates something that lately has been making me sick enough to start rethinking things. The problem isn't full disclosure. The problem isn't the so-called white-hats. The real problem is the armies of clueless "consultants" who use lists like this one, Bugtraq, VulnWatch, etc. to give themselves more fodder to swarm on corporate America with. Half of these people are not even taking the time to fully understand the issue. New vulnerabilities equals more money. More script kiddie web site defacements equals more money. When did learning about technology drop from this picture?

Back in the day I remember using the mailing lists to learn about security and, more importantly, to learn about how vulnerabilities are found and how they affect various systems. I had a lot of fun and I learned a lot. Was I a consultant trying to sell security? No, I was an IT grunt just trying to have some fun while paying my bills. I have always supported full disclosure because I feel I have learned a lot because of full disclosure and felt that others would too. Unfortunately, this doesn't seem to be the norm anymore.

Today, I am part of that army of security consultants, and as hard as it is to look at myself in the mirror, I at least find comfort in knowing that I still learn a lot from these lists and I still try and take the time to understand the issues and not just take them and use them to try and sell work. Sure, I would rather not be yet another "security consultant", but until I find myself a more respectable job that lets me continue with my hobby, it pays the bills.
> And what to do when they ignore you? The mechanics of "full disclosure"
> (or "posting to public forums" as you put it) is that vendors will not
> correct software problems just because they exist, but they'll do it to
> protect their image and reputation. Before "full disclosure" it wasn't
> strange to have a software company like Sun take years to produce a fix
> for a security bug. I don't want to go back to that dark age.

I think this issue is black and white. Vendor ignores you, release information on the vulnerability. That does not, however, mean you release a point-and-click script.

> That's what I'm doing, unfortunately positions like yours make my job and
> all of those in the security industry more difficult and more expensive,
> making sure that we'll have less, not more security.

Killing full disclosure will make security more expensive, I agree. Without full disclosure we will see a bunch of companies selling their zero days to the highest bidder, which in the long run will not improve security one bit. I am asking myself what is worse: the clueless using lists like this to get rich, or companies at least paying those who can find vulnerabilities a fat salary to then resell the vulns to their clients. I don't think either improves security.

I remember years ago people saying to be careful: "the security industry is full of snake oil salesmen". This has never been more true. It makes me puke every time I see some suit-wearing, fast-talking "expert" who can barely use a computer but is armed with all kinds of "tools" and the knowledge that the CXO knows less than he does. The scary thing is, consistently these guys will win the work because they talk a good game, leaving organizations less secure than they were when they started.

Why doesn't someone sue a vendor?
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
[EMAIL PROTECTED]
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
