RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
> From: aleph1@SECURITYFOCUS.COM [mailto:aleph1@SECURITYFOCUS.COM]

> * Marcus J. Ranum (mjr@NFR.NET) [000921 18:32]:
> > I see. At least someone's willing to be honest about what's
> > going on. So the whole purpose is as a means of marketing
> > oneself?

> > Am I the only person who finds this a rather thin, lame
> > justification?

> It is lame that someone is trying to make a name for themselves?
> Of course you are entitled to your opinion.

Most of it is indeed lame. It isn't a bad thing to be known in general, but known for what? Known for making good security tools? Known for helping people secure things? Even known for running an informative list or site? That's not so bad. That's really doing something useful. But if you take an honest look at a lot of what's going on, we're not dealing with that at all in many cases.

> > I see. Ego-gratification?

> So I guess all people in academia are only ego driven because
> they ask to be credited for their work. Guess what, it's human nature.
> If you can't feel good about yourself and your work you may as well
> snuff yourself.

Academia (and I can speak from experience on this one, as my name can properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most ego-driven portions of society aside from entertainment. We also see tremendous amounts of damage done from the quest for credit - if more people collaborated, lots more research would get done. Nice illustration of exactly what's wrong with this picture, though it does undermine your point. The real point here should be about doing the right thing in the right way, but now we're going into philosophy. Feeling good about what you do and having your ego inflated ought to be orthogonal.

> > That's the reason I raised this issue. If folks are really
> > considering using cryptographic hashes and whatnot, just to
> > protect their ego-bragging rights, that seems like massive
> > technological overkill for what's really a social problem.
> > I.e.: "grow up, guys."

> The realities of this business are that vulnerability disclosures
> are used as a marketing vehicle. You don't like it and can't do
> anything better than calling it ego-bragging.

You're both right. It is ego-bragging, they do need to grow up and be responsible, and it is perceived as a marketing vehicle. I personally don't think it is a very effective marketing vehicle, as Marcus is a good counter-example - he's never made one advisory I know of, but he's well known for the software he's written. Conversely, most of the people who have released advisories haven't produced products I'd consider valuable - there are, obviously, some exceptions. The thing is that most of these people claim to be doing the world a valuable service when they're really just stroking themselves (as opposed to some people I know who really do the world a service AND pump their egos, but that's another story).

> > There's no similarity at all. I sell a product. It has tangible
> > value. Not ego value, not marketing value.

> And vulnerability information has no tangible value?

Not especially - not unless you add value. Else why do you have a database as opposed to a simple archive? Once someone releases their advisory, it is then only of marketing and ego value to them. Then you go and add value by sticking it into your database, Marcus adds value by making a decode, others write checks and document fixes. For example, this current nonsense with Eudora and the DLLs - why wasn't this just a post saying "one way to screw people with the DLL thing is to mail it to them if they are using Eudora"? That's what people used to do - now it is a stinking advisory with marketing nonsense at the top and bottom. I should make an advisory not to run with scissors or to look both ways before crossing the street.

You should also see how much rubbish we get here - I got an advisory the other day that said if you could get someone to go to your UNC share, you could probably collect hashes and crack them. Threatened to go public in 48 hours if we didn't fix it. Pointed out it went public about 3 years ago, guy went away. Very low signal to noise ratio. The majority of what comes to the lists isn't well thought out, has huge inaccuracies, omissions, all sorts of nonsense. People are in such a hurry to get their name in lights that they do really sloppy work. At least when I was in academia, I had to make it through peer review before I got my name in lights. At least be known for doing solid, professional work. Then we have the problem of people telling 100 of their friends, the press, etc. and then being surprised when it leaks. As Marcus says, grow up. These are grade-school games. Oooh - I got the sploits, gimme you codez, I got the warez. Greets and shouts - oh, please. Grow up.

> That seems like
> a strange statement coming from you or any other IDS or vulnerability
> scanner vendor. After all you make your money from taking the same
> vulnerability information you say is worthless and making tests and
> signatures for it and then selling it to customers at a high price
> without paying anything to the people that discovered the
> vulnerability.

I don't think he said it was worthless, just that these people need to grow up in many cases. You're arguing against something he didn't say. I also don't see _you_ paying them any money to stick things in your database, which you then sell. This is the pot calling the kettle black. Now that I check, he never once used the word worthless.