[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] iDefense: Solution or Problem?
- To: Full-Disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] iDefense: Solution or Problem?
- From: VX Dude <vxdude2003@xxxxxxxxx>
- Date: Wed, 14 Jul 2004 07:56:37 -0700 (PDT)
Just a quick thought for a business plan.
1) Start off with a low investment of $1200.
2) Buy a couple chunks of Entersys source code from
3) Find vulnerabilities and write 0-day exploits
4) give 0day to your investors
5) sell 0day to iDefense (or Sourcefire hahahahaha)
for $300 a pop
6) Use profits of sale to buy more chunks of
7) Repeat steps 3-6 until complete
8) Release code as "open source" dimishing its
corporate value
9) make a business using this "open source" IDS and
compete with Sourcefire hahahahaha
10) Release IPO =D
Now, I'm no lawyer, but Hollywood has taught me that
its probably illegal to _knowingly_ buy illegal goods
(such as entersys source), but! is it illegal for
iDefense to buy the research from illegal bought
Full-Disclosure - We suck it.
--- idefense@xxxxxxxxxxxx wrote:
> Hash: SHA1
> Michael, you claim that this is a typo, but is it
> really? Even if this
> is a typo, how do you explain waiting over a month
> to contact the vendor?
> How do you explain past times when iDefense waited
> over a year to notify
> a vendor? How does this relate to the iDefense
> disclosure policy?
> http://www.idefense.com/legal_disclosure.jsp
> iDEFENSE will responsibly inform vendors as soon as
> possible after having
> learned of a problem with their product(s) or
> service(s).
> Note: ".. will responsibly inform vendors as soon as
> possible after having
> learned of a problem". There is absolutely no
> debating that this is pure
> marketing fluff and not how iDefense operates. Look
> at their history
> of vulnerability disclosure and their timelines for
> proof. The real question
> becomes, just how unethical and how greedy iDefense
> really is! Further,
> are they now rewriting history to desperately
> protect their already
> dark image? Witness:
> Adobe Reader 6.0 Filename Handler Buffer Overflow
> Vulnerability
> 02/02/2003 Exploit discovered by iDEFENSE
> 03/11/2004 Initial vendor notification
> Did iDefense sit on this vulnerability for 17
> months? Shortly before
> or after Cary Barker pointed this out on
> Full-Disclosure
> iDefense
> seems to have had a change of heart!
> 02/02/2004 Exploit discovered by iDEFENSE
> 03/11/2004 Initial vendor notification
> The first and understandable reaction (excuse) would
> be "iDefense had
> a typo", but once again, digging into their past
> vulnerabilities, is
> that really the case?! Even if THIS advisory had a
> typo, how about some
> others this year?!
> 04/03/2003 Vulnerability acquired by iDEFENSE
> 07/08/2004 Public disclosure
> 04/05/03 Vulnerability acquired by iDEFENSE
> 05/17/04 Public disclosure
> April 2, 2003 Exploit acquired by iDEFENSE
> May 12, 2004 Coordinated public disclosure
> Sitting on vulnerabilities for a year before
> notifying the vendors is
> not what 'white hat' hackers do. These aren't the
> actions of a reputable
> security company. Combine this with the fact you
> sell this information
> to people in foreign companies and governments,
> including some that are
> "harboring terrorists" (according to our government)
> makes your actions
> potentially criminal. What, you haven't checked your
> client list carefully?
> Selling vulnerability information to terrorist
> nations isn't very friendly
> to the US!
> Looking back at your 2004 advisories (and some in
> 2003), could anyone
> at iDefense explain how their responsible disclosure
> policy applies?
> Here is a general idea of their disclosure process
> and time frames:
> Advisory Discovery Publish Vend Notify Publish
> Time
> 07.12.04 03-02-02 04-07-12 13 mo 7 d 17 mo 10
> d
> 07.09.04 04-06-29 04-07-09 7 d 10
> d
> 07.08.04 03-04-03 04-07-08 14 mo 26 d 15 mo 5
> d
> 07.01.04 03-09-27 04-07-01 8 mo 7 d 9 mo 4
> d
> 06.23.04 04-04-21 04-06-23 14 d 2 mo 2
> d
> 06.21.04 04-02-26 04-06-21 3 mo 13 d 3 mo 25
> d
> 06.10.04 04-04-14 04-06-10 28 d 1 mo 26
> d
> 06.08.04 04-04-27 04-06-07 22 d 1 mo 10
> d
> 06.07.04 03-04-05 04-05-17 13 mo 2 d 13 mo 12
> d
> 05.27.04 04-02-18 04-05-27 20 d 3 mo 9
> d
> 05.26.04 04-02-18 04-05-26 20 d 3 mo 8
> d
> 05.12.04 03-04-02 04-05-12 12 mo 5 d 13 mo 10
> d
> 04.15.04 03-12-08 04-04-15 1 mo 16 d 5 mo 7
> d
> 04.14.04 04-01-09 04-04-14 1 mo 11 d 3 mo 5
> d
> 04.13.04 04-01-12 04-04-13 5 d 2 mo 24
> d
> 04.05.04 04-01-09 04-04-05 1 mo 16 d 2 mo 26
> d
> 03.19.04 04-01-13 04-03-19 24 d 2 mo 5
> d
> 03.09.04 03-10-10 04-03-11 1 mo 2 d 5 mo 1
> d
> 03.02.04 04-01-22 04-03-02 25 d 1 mo 10
> d
> 02.27.04 04-01-13 04-02-27 26 d 1 mo 14
> d
> 02.27.04 04-02-04 04-02-27 6 d 23
> d
> 02.23.04 03-12-08 04-02-23 1 mo 21 d 2 mo 15
> d
> 02.17.04 03-10-31 04-02-17 4 mo 2 d 4 mo 19
> d
> 02.12.04 04-02-09 04-02-12 0 d 3
> d
> 02.10.04 04-01-09 04-02-10 24 d 1 mo 1
> d
> 02.04.04 03-12-08 04-02-02 1 mo 21 d 1 mo 24
> d
> 09.25.03 03-02-25 ? 8 mo 0 d ?
> 07.29.03 03-04-20 03-07-29 2 mo 11 d 3 mo 9
> d
> 07.01.03 03-03-11 03-07-01 3 mo 0 d 3 mo 19
> d
> 05.22.03 02-12-31 03-05-22 4 mo 17 d 5 mo 22
> d
> 02.12.03 02-10-31 03-02-12 2 mo 29 d 3 mo 13
> d
> 02.03.03 02-01-11 03-02-10 12 mo 9 d 12 mo 29
> d
> "iDEFENSE will responsibly inform vendors as soon as
> possible after having
> learned of a problem with their product(s) or
> service(s)."
> Five different times, iDefense sat on a
> vulnerability for OVER A YEAR.
> They routinely wait one or more months to notify the
> vendor. Is that
> "as soon as possible"? Of course not, that would
> hurt the bottom line.
> Sincerely,
> Dark Elf
> References
> 07.12.04 - Adobe Reader 6.0 Filename Handler Buffer
> Overflow Vulnerability
> 02/02/2004 Exploit discovered by iDEFENSE
> 03/11/2004 Initial vendor notification
> 03/11/2004 Initial vendor response
> 03/11/2004 iDEFENSE clients notified
> 06/07/2004 Vendor update released
> 07/12/2004 Public Disclosure
> * original full-disc post listed 02/02/2003
> discovery date
> 07.09.04 - wvWare Library Buffer Overflow
> Vulnerability
> 06/29/2004 Initial vendor contact
> 07/06/2004 Vendor response
=== message truncated ===
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html