
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



* David LeBlanc (dleblanc@MICROSOFT.COM) [000922 00:25]:
> 
> Most of it is indeed lame. It isn't a bad thing to be known in general, but
> known for what?  Known for making good security tools?  Known for helping
> people secure things?  Even known for running an informative list or site?
> That's not so bad.  That's really doing something useful.  But if you take
> an honest look at a lot of what's going on, we're not dealing with that at
> all in many cases.

I think we all agree on that. Some people just have no regard for whether or
not there is a fix for whatever vulnerability they are reporting. But the
only options presented so far by anyone to curb such behavior would throw
out the baby with the bath water. They would chill the disclosure of
vulnerability information in general, and most people I know find that
to be a step in the wrong direction.

> Academia (and I can speak from experience on this one, as my name can
> properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most
> ego-driven portions of society aside from entertainment. We also see
> tremendous amounts of damage done from the quest for credit - if more people
> collaborated, lots more research would get done.  Nice illustration of
> exactly what's wrong with this picture, though it does undermine your point.
> The real point here should be about doing the right thing in the right way,
> but now we're going into philosophy.  Feeling good about what you do and
> having your ego inflated ought to be orthogonal.

Indeed no system is perfect, none is. Yet academia is also a success regardless
of its faults. So I hardly see how it undermines my point.

Maybe my grasp on the language is off. The Cambridge dictionary defines ego as
"your idea or opinion of yourself, or a great feeling of your own importance 
and ability". So how you could feel good about what you do and not have
an inflated ego escapes me.

> > And vulnerability information has not tangible value?
> 
> Not especially - not unless you add value.

No. You only need to add value if the information is already public.
If it's private information, it's perfectly valuable in and of itself.

>  Else why do you have a database
> as opposed to a simple archive?

Because it adds value to *public* information.

> 
> > That seems like
> > a strange statement coming from you or any other IDS or vulnerability
> > scanner vendor. After all you make your money from taking the same
> > vulnerability information you say is worthless and making test and
> > signatures for it and then selling it to customers at a high price
> > without paying anything to the people that discovered the
> > vulnerability.
> 
> I don't think he said it was worthless, just that these people need to grow
> up in many cases.  You're arguing against something he didn't say. I also
> don't see _you_ paying them any money to stick things in your database,
> which you then sell. This is the pot calling the kettle black.  Now that I
> check, he never once used the word worthless.

Huh? Marcus said that vulnerability information has no tangible value.
If that is not the same as saying it's worthless, you may want to let me
know what it means.

I was not chastising Marcus for not paying for the information. I was
pointing out that it has value, as his own product, for which
people pay tangible money, depends on it. Without the vulnerability
information his product would not be worth as much. Ergo the
information has value.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007