echo: osdebate
to: Randy
from: Geo
date: 2005-07-15 11:19:04
subject: Re: eeye`s irresponsible self-serving behavior

Most of the security companies are privately owned so immune to Sarbanes-Oxley but I don't see what that has to do with the value of knowledge about security exploits.

By making exploit details public knowledge, the information anarchy club can't keep new competition from starting up, they can't use the discoveries made by others as if it were their property. Anyone who wants the information can get it free of charge. At best the IA club can only offer to aggregate and rate the exploit information as a service to their customers.

It takes the exclusiveness out of the IA club. You don't realize it but there were open databases of exploit information that everyone had contributed to, these used to be a great resource but the IA club managed to get all the details removed from them, details that folks like me and others had contributed so that we could easily find critical information about software we were evaluating. That technical information is now the private stock of the IA club. That action pissed off eeye and lots of others so now many places post the details on their own websites.

And contrary to Rich, eeye does not give step by step instructions, see http://www.eeye.com/html/research/advisories/AD20050208.html and tell me how easily you could take that information and cook up a working exploit.

Geo.
  "Randy"  wrote in message news:42d72baa{at}w3.nls.net...
  Why do you think Sarbanes-Oxley was passed?
    "Geo"  wrote in message news:42d70ed8{at}w3.nls.net...
    the guys at eeye believe making exploits public knowledge lowers the value thus the cost that security companies can charge customers for that knowledge.

    Geo.
      "Rich"  wrote in message news:42d6d8ee$1{at}w3.nls.net...
      No. I consider this irresponsible. For all we know folks at eeye do too but greed trumps responsibility.

      Rich

        "Geo"  wrote in message news:42d6befe{at}w3.nls.net...
        So you consider this responsible behavior?

        Geo.
          "Rich"  wrote in message news:42d6a0c1$1{at}w3.nls.net...
          Where do you get this taboo nonsense? Look at http://www.eeye.com/html/research/advisories/AD20040615A.html and http://www.eeye.com/html/research/advisories/AD20040615B.html. These are among the simplest but by far not the only. eeye appears to try to provide instructions to exploit in all of these. If you are going to be in denial about this behavior of theirs then no wonder you are in denial about the damage they cause.

          Rich

            "Geo"  wrote in message news:42d696e9$1{at}w3.nls.net...

            But instead he wants evidence that the exploits eeye has discovered over the past year or so are dangerous, and since exploit code is now taboo that becomes quite difficult to prove doesn't it?


            Geo.


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
