RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
> From: aleph1@SECURITYFOCUS.COM [mailto:aleph1@SECURITYFOCUS.COM]
> * Marcus J. Ranum (mjr@NFR.NET) [000921 18:32]:
> > I see. At least someone's willing to be honest about what's
> > going on. So the whole purpose is as a means of marketing
> > oneself?
> > Am I the only person who finds this a rather thin, lame
> > justification?
> It is lame that someone is trying to make a name for themselves?
> Of course you are entitled to your opinion.
Most of it is indeed lame. It isn't a bad thing to be known in general, but
known for what? Known for making good security tools? Known for helping
people secure things? Even known for running an informative list or site?
That's not so bad. That's really doing something useful. But if you take
an honest look at a lot of what's going on, we're not dealing with that at
all in many cases.
> > I see. Ego-gratification?
> So I guess all people in academia are only ego driven because
> they ask to be credited for their work. Guess what, it's human nature.
> If you can't feel good about yourself and your work you may as well
> snuff yourself.
Academia (and I can speak from experience on this one, as my name can
properly be followed by B.S.A.E., M.S.A.E., Ph.D.) is easily one of the most
ego-driven portions of society aside from entertainment. We also see
tremendous amounts of damage done from the quest for credit - if more people
collaborated, lots more research would get done. Nice illustration of
exactly what's wrong with this picture, though it does undermine your point.
The real point here should be about doing the right thing in the right way,
but now we're going into philosophy. Feeling good about what you do and
having your ego inflated ought to be orthogonal.
> > That's the reason I raised this issue. If folks are really
> > considering using cryptographic hashes and whatnot, just to
> > protect their ego-bragging rights, that seems like massive
> > technological overkill for what's really a social problem.
> > I.e.: "grow up, guys."
> The realities of this business are that vulnerability disclosures
> are used as a marketing vehicle. You don't like it and can't do
> anything better than calling it ego-bragging.
You're both right. It is ego-bragging, they do need to grow up and be
responsible, and it is perceived as a marketing vehicle. I personally don't
think it is a very effective marketing vehicle, as Marcus is a good
counter-example - he's never made one advisory I know of, but he's well
known for the software he's written. Conversely, most of the people who have
released advisories haven't produced products I'd consider valuable - there
are, obviously, some exceptions. The thing is that most of these people
claim to be doing the world a valuable service when they're really just
stroking themselves (as opposed to some people I know who really do the
world a service AND pump their egos, but that's another story).
> > There's no similarity at all. I sell a product. It has tangible
> > value. Not ego value, not marketing value.
> And vulnerability information has no tangible value?
Not especially - not unless you add value. Else why do you have a database
as opposed to a simple archive? Once someone releases their advisory, it is
then only of marketing and ego value to them. Then you go and add value
sticking it into your database, Marcus adds value by making a decode, others
write checks and document fixes.
For example, this current nonsense with Eudora and the DLLs - why wasn't
this just a post saying "one way to screw people with the DLL thing is to
mail it to them if they are using Eudora"? That's what people used to do -
now it is a stinking advisory with marketing nonsense at the top and bottom.
I should make an advisory not to run with scissors or look both ways before
crossing the street.
You should also see how much rubbish we get here - I got an advisory the
other day that said if you could get someone to go to your UNC share, you
could probably collect hashes and crack them. Threatened to go public in 48
hours if we didn't fix it. Pointed out it went public about 3 years ago,
guy went away. Very low signal to noise ratio. The majority of what comes
to the lists isn't well thought out, has huge inaccuracies, omissions, all
sorts of nonsense. People are in such a hurry to get their name in lights
that they do really sloppy work. At least when I was in academia, I had to
make it through peer review before I got my name in lights. At least be
known for doing solid, professional work.
Then we have the problem of people telling 100 of their friends, the press,
etc. and then being surprised when it leaks. As Marcus says, grow up. These are
grade-school games. Oooh - I got the sploits, gimme you codez, I got the
warez. Greets and shouts - oh, please. Grow up.
> That seems like
> a strange statement coming from you or any other IDS or vulnerability
> scanner vendor. After all you make your money from taking the same
> vulnerability information you say is worthless and making test and
> signatures for it and then selling it to customers at a high price
> without paying anything to the people that discovered the
I don't think he said it was worthless, just that these people need to grow
up in many cases. You're arguing against something he didn't say. I also
don't see _you_ paying them any money to stick things in your database,
which you then sell. This is the pot calling the kettle black. Now that I
check, he never once used the word worthless.