Text 6028, 272 lines
Written 2005-07-14 10:25:18 by Rich (1:379/45)
Comment on text 6019 by Geo (1:379/45)
Subject: Re: eeye's irresponsible self-serving behavior
======================================================
From: "Rich" <@>
Do you not see how silly this is? To support a claim that eeye is not irresponsible you use a statement from eeye that they are not irresponsible. Do you really expect them to say they are culpable?
Rich
"Geo" <georger@nls.net> wrote in message news:42d695b7@w3.nls.net...

No, I'm claiming that they could have taken control of almost every windows computer that connects to the internet at any time since the "information anarchy" program started allowing Microsoft to take 188 days to patch the most critical of exploits. Prior to that their window from discovery/publishing to patch was at most 2 weeks. But now with standard patch times taking roughly half a year there is always a root exploit or two that they know about that is unpatched. At the moment there are 4 for windows and several more for other very common windows programs and those are just the ones eeye discovered, not the full batch of all known root level exploits for windows.
As for Rich's attitude about eeye being irresponsible, this article about the "information anarchy" program shows eeye's initial stance on things pretty clearly.

http://www.securityfocus.com/news/281

"What's being created here is an information cartel," says Elias Levy, former moderator of the Bugtraq security mailing list, a standard outlet for 'full disclosure' security information. "It actually benefits security vendors to have limited vulnerability information, because it makes them look better in the eyes of their customers," says Levy. (Levy is CTO of SecurityFocus).

Under the plan, member companies would share detailed information during the 30-day grace period with law enforcement agencies, infrastructure protection organizations, and "other communities in which enforceable frameworks exist to deter onward uncontrolled distribution." The last category would allow member companies to share details with clients under a non-disclosure agreement, and to share details with one another. "They're not going to ban it among themselves," says Levy. "They might be willing to limit the public access to this information, but I highly doubt that they'll limit it among each other."

Marc Maiffret, co-founder of eEye Digital Security, agrees, and charges that the coalition was formed for the commercial advantage of its members, rather than the well-being of the Internet.

"If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment," says Maiffret.

Maiffret's company is responsible for discovering some of the most serious Microsoft security holes in recent years -- vulnerabilities in the company's IIS web server product that allow attackers to gain remote control of the system. He says eEye cooperates with vendors, and doesn't release advisories until a company has had a chance to produce patches for the security hole. But Maiffret rejects the idea of holding back on technical details, and warns that the new coalition may alienate independent security researchers.

"People have to do it Microsoft's way or they'll have this group telling them that they're acting irresponsibly," says Maiffret. "It's going to drive people into the underground, and could lead to more people breaking into computers."

Geo.
"John Beckett" <FirstnameSurname@compuserve.com.omit> wrote in message news:nf1cd1pblvdmv4gpcp55g3671etghdujsm@4ax.com...
> "Rich" <@> wrote in message news:<42d5ef53@w3.nls.net>:
> > You made a claim that 95% of computers are vulnerable to the point that eeye could own them.
>
> I thought Geo's claim was that if eeye had not been publishing the bugs they had found (and just kept them to themselves) over the last couple of years, then eeye could have owned 95% of the Windows computers connected to the Internet now.
>
> Assuming that no one filled this hypothetical vacuum left by eeye saying nothing, Geo's claim looks very credible to me (with pointless argument about whether it's really 95% or 85% etc).
>
> John
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)