> -----Original Message-----
> From: Kenton Smith [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 12, 2004 11:55 AM
> To: Drew Copley
> Cc: Paul Tinsley; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...
>
> Mr. Copley,
>
> I'm not an Eeye customer nor do I necessarily share the views of the original poster. However, if I were you I'd quit while you're ahead. This sort of tone from a representative of the company doesn't reflect well on the company in general. Whether the poster is knowledgeable or not, a professional or not, a troller or not, insults from a company representative, in my view, will bias my opinion towards that company as a whole. If I purchase an Eeye product and ask what the representative thinks is a stupid question, will I get a constructive answer to help me or will I get laughed off the phone? I don't know, and now I wonder.

I am not a sales representative, however I am extremely patient and always have been with users of our software (or my own, or anyone else's). For years I have taken a lot of time to help people through technical problems. And, I surely do not even mind taking a lot of abuse. I believe in taking abuse as a matter of personal policy.

This individual did not ask a stupid question. I think that is apparent to everyone.

Further, again, my opinions are my own. I will tell you the truth. Perhaps to a fault, in this case. Though, I think maybe it will help him on his way down the years.

Regardless, I had already set my mind not to deal with any more trolls.

>
> There are enough people who respond with insults on this list, it'd be nice if we didn't see it from corporate representatives as well.
>
> Kenton
>
> On Thu, 2004-02-12 at 12:17, Drew Copley wrote:
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Tinsley
> > > Sent: Wednesday, February 11, 2004 10:57 PM
> > > To: Drew Copley
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: [Full-Disclosure] Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...
> > >
> > > Drew Copley wrote:
> > >
> > > >Without replying to each troll, individually, I thought maybe some people would like to see some answers to some notes.
> > > >
> > > Most of these are from me, so I will personally respond to those that apply. And believe it or not, this is not a troll, I really wanted to see people's viewpoints on this subject.
> >
> > Somehow, I find this hard to believe.
> >
> > > >These are my own comments, I speak for myself.
> > > >
> > > >Question: "Why release all of the details"
> > > >
> > > This statement is not an accurate paraphrase, I didn't say why release them all. I said why release them all on day 0 of the patch release.
> > >
> > > >Answer: Polls show this is what administrators want.
> > > >This is one reason we do this. Another reason we do this is simple, we use the details ourselves. We use the details to create signatures for our vulnerability assessment tool and firewall. Security administrators then download these signatures and use them to check for patches or to protect systems which can not yet be patched.
> > > >
> > > Administrators don't need this crap to fix their boxes, they simply need the exploit vectors, the possible mitigation steps, and the potential severity of the vulnerability.
> >
> > <snip>
> >
> > I have gone over this a few times with some others. I believe I already said it here. You seem to be unable to either hear it or believe it.
> >
> > In no particular order:
> >
> > One, the polls show that more want it than not.
> >
> > Two, we sell products which secure their boxes. We have a lot of customers. Our competitors do the same thing. Altogether, we are the industry. We have to know what the security hole was, so do our competitors. Then, we can protect against this. So can they.
> >
> > Three, we don't give out exploit code. You can't make an exploit from our advisory. I don't know you, I don't know who you are. But, frankly, not that many people can even write exploit code. With these bugs, you would have to be able to not only write the exploit code but also understand the cryptographic references and their implementations in the Windows OS. It isn't all that hard. But, it turns out, that the guys who can write exploit code also can reverse engineer patches... They can also understand our advisories, but they can also find their own bugs.
> >
> > Okay?
> >
> > Real world.
> >
> > But, I don't think you understand that. Why should I go on. It isn't rocket science. But, you are saying, "I know, I know". And, you do not know. That is when people can neither learn nor understand.
> >
> > Now, as a brief disclaimer... Security, being able to do these things is not something that requires someone to have a tumor in their brain that makes their IQ magically go up a thousand points. It requires only desire. This means a predisposition. You have to be willing and wanting to sit there and work through these things.
> >
> > So, you really have no excuse not to understand these things.
> >
> > You are a Monday morning quarterback.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
