[Dailydave] Fwd: [ISN] Security experts hit out at "unethical" bug finder

From: Anthony Zboralski (bcs2005@bellua.com)
Date: Mon Mar 14 2005 - 10:13:11 CST


whatever...

Begin forwarded message:

> From: InfoSec News <isn@c4i.org>
> Date: 14 March 2005 16:43:43 GMT+07:00
> To: isn@attrition.org
> Subject: [ISN] Security experts hit out at "unethical" bug finder
> Reply-To: isn@c4i.org
>
> http://software.silicon.com/security/0,39024655,39128621,00.htm
>
> By Will Sturgeon
> silicon.com
> March 11, 2005
>
> Security experts have hit out at US firm Immunity Inc, which provides
> paid-up members with vulnerability information under non-disclosure
> agreements (NDA), which it subsequently keeps from vendors and the
> world at large.
>
> A silicon.com article last week revealed Immunity and its founder Dave
> Aitel have been causing a stir in the security world in recent months
> with a business model branded "unethical" but entirely above-board.
>
> The greatest source of growing concern appears to focus on the NDA and
> the potential for anybody to sign up and pay the price for
> notification of vulnerabilities.
>
> One rival bug finder, who operates along the more traditional lines of
> informing the affected vendor of the flaw in its product and working
> with them to patch it before releasing any details of the
> vulnerability, has hit out at Immunity Inc.
>
> Drew Copley, senior research engineer at eEye Digital Security, told
> silicon.com the situation of signing members to a non-disclosure
> agreement in return for information on security vulnerabilities is
> "extremely unethical".
>
> "What are these people missing here?" asked Copley. "Are they crazy?
> What prevents any organised criminal group or criminal from getting on
> there and signing a NDA?"
>
> "We treat security vulnerabilities that are not fixed yet by the
> vendor as state secrets. Selling them to anyone who would pose as a
> company or sign a NDA is highly unethical."
>
> Copley said even "total disclosure", whereby everybody - vendors,
> researchers and the general public alike - is given the information at
> the same time, would be preferable.
>
> eEye was last week credited for working with Computer Associates to
> fix flaws in CA's licensing software.
>
> Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge
> cannot be effectively controlled. NDAs in the IT community as a whole
> are not taken seriously and there do not appear to be adequate
> controls to ensure that the information does not leak to those who
> have an interest in creating a dangerous exploit."
>
> "The business model deliberately creates a culture of the security
> haves, and the security have-nots. It does not improve security
> overall," he added.
>
> Perry also questioned whether Aitel's customers are getting value for
> money. Because vendors are kept out of the loop, flaws go un-patched
> while Immunity's customers are given a workaround.
>
> "You're given a workaround by Immunity, but you don't have a fix - a
> patch from the vendor that permanently addresses the problem. The door
> is closed, but it's not locked shut."
>
> _________________________________________
> Bellua Cyber Security Asia 2005 -
> http://www.bellua.com/bcs2005
--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave