Text 6064, 237 lines
Written 2005-07-15 11:19:04 by Geo (1:379/45)
Comment on text 6052 by Randy (1:379/45)
Subject: Re: eeye's irresponsible self-serving behavior
======================================================
From: "Geo" <georger@nls.net>
Most of the security companies are privately owned so immune to Sarbanes-Oxley but I don't see what that has to do with the value of knowledge about security exploits.
By making exploit details public knowledge, the information anarchy club can't keep new competition from starting up, they can't use the discoveries made by others as if it were their property. Anyone who wants the information can get it free of charge. At best the IA club can only offer to aggregate and rate the exploit information as a service to their customers.
It takes the exclusiveness out of the IA club. You don't realize it but this but there were open databases of exploit information that everyone had contributed to, these used to be a great resource but the IA club managed to get all the details removed from them, details that folks like me and others had contributed so that we could easily find critical information about software we were evaluating. That technical information is now the private stock of the IA club. That action pissed off eeye and lots of others so now many places post the details on their own websites.
And contrary to Rich, eeye does not give step by step instructions, see http://www.eeye.com/html/research/advisories/AD20050208.html and tell me how easily you could take that information and cook up a working exploit.
Geo.
"Randy" <dev@null.org> wrote in message news:42d72baa@w3.nls.net...
Why do you think Sarbanes-Oxley was passed?
"Geo" <georger@nls.net> wrote in message news:42d70ed8@w3.nls.net...
the guys at eeye believe making exploits public knowledge lowers the value thus the cost that security companies can charge customers for that knowledge.
Geo.
"Rich" <@> wrote in message news:42d6d8ee$1@w3.nls.net...
No. I consider this irresponsible. For all we know folks at eeye do too but greed trumps responsibility.
Rich
"Geo" <georger@nls.net> wrote in message news:42d6befe@w3.nls.net...
So you consider this responsible behavior?
Geo.
"Rich" <@> wrote in message news:42d6a0c1$1@w3.nls.net...
Where do you get this taboo nonsense? Look at http://www.eeye.com/html/research/advisories/AD20040615A.html and http://www.eeye.com/html/research/advisories/AD20040615B.html. These are among the simplest but by far not the only. eeye appears to try to provide instructions to exploit in all of these. If you are going to be in denial about this behavior of theirs then no wonder you are in denial about the damage they cause.
Rich
"Geo" <georger@nls.net> wrote in message news:42d696e9$1@w3.nls.net...
But instead he wants evidence that the exploits eeye has discovered over the past year or so are dangerous, and since exploit code is now taboo that becomes quite difficult to prove doesn't it?
Geo.
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)