"Those who learn and do not teach are thieves"
I wish I could remember where that quote is from as the elegance of that statement is pleasing, and it feels like truth to me.
I have said it before and I will say it again: people who hoard knowledge are unworthy of respect. I do not care how high up in 'the scene' you are, or if you work for a big company. I am not claiming to be a 'white hat' or a 'black hat' - I think those terms are stupid. They are labels, and as soon as you label something you lose the nuance that makes something what it is. I am just an explorer in this world. Nothing more, nothing less.
People who traffic in non-public exploits are morally reprehensible.
Should people who discover new medicines or treatment methods keep them to themselves? Should ways of reducing pollution and helping the environment be available only to those who sign up for some company's product? Should we only teach children if they can pay us? 'Of course not' you should say if you are a conscientious human being.
Then why keep your exploits to yourself? How can you justify that?
Here at nCircle we use stuff from Immunitysec. That bothers me because I do not care for how they do business and how they keep their goods close to their chest. I think it is dishonourable. People that do that are pimping knowledge.
Have people forgotten what it means to be a real hacker? To explore and learn about the world. To create and reveal new knowledge. That is where respect should come from.
People who traffic in non-public exploits are morally reprehensible. Fact.
Comments (18)
"Should people who discover new medicines or treatment methods keep them to themselves" ... well, welcome to the concept of an economy. Those that spend resources discovering knowledge must receive some sort of payment for doing so in order for this process to continue. That's what makes the world turn (goods and services). The same is true for exploits. Back in the day everyone traded with each other. Today the circle has actually expanded rather than gotten smaller. Those that don't have the smarts or ability to trade simply fork over money instead. VSCs in turn use that money to pay more people to spend time discovering exploits. I don't see how this is bad? Would you instead rather that these were not discovered in this sanitary and closed environment where little bad can be done? The alternative is discovery by less respectable people that will use your 0wned computer for their own profit.
Posted by werker | May 10, 2005 12:46 PM
The thing is, there are problems everywhere. They're not selling cures to the problems, just exposing the problems. They've made a business model to help compensate for the time they've spent A) Finding the problem, and B) reliably exploiting the problem.
It's not immoral to do what they're doing. It's not overly useful either :) .. but as long as people are willing to pay for that kind of information, I support it.
Posted by Robert | May 10, 2005 4:05 PM
Morally reprehensible?
A monopoly like Microsoft sits on $50 billion in cash and designs and sells Swiss-cheese operating systems. Dave and Immunitysec come along and sell products that provide a fine set of penetration testing tools, informing M$oft's customers of their network's weaknesses. That's not morally reprehensible.
He's hired some guys that do more than scour Full Disclosure for ideas. They develop their own. Seems to push a vendor like Microsoft in a better direction, and is good for the industry.
Btw, when was the last time you saw a lawyer or doctor for free? And when did every teacher in the nation start teaching for free? Your analogies are poor.
Posted by Kj | May 10, 2005 5:48 PM
s/exploits/fixes/
Anyway, have you forgotten what it means to be a teenage h4x0r? All that matters to them is rebelling against their mommies and trying to obtain some autonomy in a world where they're under the authority of even hall monitors. They're not going to listen to reason, let alone some démodé luddite on a blog ranting about hippie shit such as this.
Posted by will | May 10, 2005 7:42 PM
"I think it is dishonourable. People that do that are pimping knowledge."
Stuart Wilde would say that pimping knowledge is very honorable. There are only three things human beings can sell:
1. Products
2. Services
3. Knowledge
We live in an information age. Professors, authors, stockbrokers, researchers, reporters/news shows, speakers, lecturers, and consultants all "pimp knowledge".
I understand you make your living as a security consultant? What exactly do you pimp?
Posted by tielk | May 10, 2005 9:03 PM
Are you talking about people who traffic in non-public exploits, or vulnerabilities? Do you not believe that a person has the right to do as they please with their software? How else are they to make money? It would be more unfair if Immunitysec did all the work for free, and other companies, including yours, made money off them.
Your analogy of treatments and air pollution would better fit non-public patches rather than exploits. I don't believe Immunitysec has ever withheld a cure for a vulnerability. Furthermore, Immunitysec has posted publicly many vulnerability reports with details on the problem. I don't see how this is preventing people from learning.
Posted by youjs | May 11, 2005 12:12 AM
Whoa, hold on there dudes. I don't have much of an issue with people providing services. It's the knowledge that should be public domain. What kind of extras you wrap the knowledge with is where you can make your living. That's what I pimp.
Read the article again; I think you missed the salient point of it.
Posted by Byron Sonne | May 11, 2005 7:03 AM
Also, please note that I am in no way a fan of Microsoft.
Posted by Byron Sonne | May 11, 2005 7:06 AM
"I don't have much of an issue with people providing services."
Much of an issue?
"It's the knowledge that should be public domain."
Bullshit
Posted by tielk | May 11, 2005 1:08 PM
So you favour an elitocracy (dunno if that's a real word) where only certain people are privileged enough to know certain things? What exactly is 'bullshit' about me thinking knowledge should be public domain? Explain.
You can and will hold on to whatever knowledge you gain for yourself. I'm not saying you can't nor do I plan on taking that right/capability away from you. I'm just saying I won't respect you if you do. Ask anyone that knows me; anything I learn or know that can make the world a better place or usefully enhance a body of knowledge (that isn't of a personal nature) I am totally willing to pass on to anyone who asks.
I'm serious; those who learn and do not teach are thieves.
Obviously personal information doesn't apply, I will grant that exception.
Posted by Byron Sonne | May 11, 2005 2:29 PM
Knowledge is not restricted to the privileged. You can know anything you want, of course. You just have to figure it out or pay for it. I already explained why knowledge is not in the public domain, and so you disrespect doctors, professors, etc.? If you make a lot of money, it is so much easier to "make the world a better place" with it if you desire. I'm curious what country you live in? I think these things are pretty evident and wonder if you are egging me on.
Posted by tielk | May 11, 2005 7:16 PM
I live in Canada, Toronto to be precise.
I'm not egging you on - I just don't understand why people are so reluctant to share info and knowledge. I don't think the pursuit of wealth is a good enough reason or excuse. There's other ways to get rich - hoarding knowledge is just lame.
I don't disrespect doctors and professors; most (if not all) of the knowledge they deal in is in the public domain. I might not understand it, but it's out there if I want to get hold of it. And any doctor that wouldn't share medical knowledge for the betterment of humankind is not someone I would hold in esteem.
Posted by Byron Sonne | May 12, 2005 6:43 AM
Hehe... so I'm not alone: http://www.theregister.co.uk/2005/05/11/open_access_research/
Posted by Byron Sonne | May 12, 2005 7:07 AM
Also, I would like to make it clear that I fully recognize that Dave Aitel and his crew are extremely skilled individuals; I don't want to call that into question. I wish I was as good as they are at what they do.
I mention this as I've received some venomous responses to this particular blog entry, that maybe I'm picking on them because I'm jealous. Which is a fair assertion, but I don't think that's the case.
Posted by Byron Sonne | May 12, 2005 7:32 AM
Byron,
nCircle produces products that aim to protect people from security exposure by proactive security scanning. The product is not too shabby from when I used it.
However, the fact remains that your company -- and you have a vested interest in that company -- profits off of an environment of fear that is only possible because of the public disclosure of vulnerabilities to people who would use it for childish, criminal, or vengeful purposes. To hear a company -- whose life-blood is subscriptions to update their product with a continual flow of new vulnerability scans -- decry another company's ethical and business decision not to disclose, and thusly not freely provide you fodder for sales, is morally reprehensible.
Posted by Thomas Blodsworth | May 13, 2005 12:39 AM
[To hear a company -- whose life-blood is subscriptions to update their product with a continual flow of new vulnerability scans -- decry another company's ethical and business decision not to disclose, and thusly not freely provide you fodder for sales, is morally reprehensible.]
You make an excellent point.
One correction though: It was not nCircle decrying another business' morals, it was *me*, an individual, decrying their morals. There are people here at work that disagree with my position.
Your argument could be thought of as akin to saying that I am a dentist, and I profit off of an environment of tooth decay fears, and that I am decrying the sugar industry for not releasing their new super-tasty (and extra damaging) sugar substitute research.
However, I would argue that the disclosure of all vuln information to the world is a much better decision in the long term. And I think this for a simple reason: knowledge is power. If you don't know what the threats are, how can you protect yourself? Look at the history of warfare from ancient times up to now. At probably every point, new weapons and technology give people a temporary advantage, and then in short order, it is neutralized by everyone acquiring it. Or at least the survivors, that is ;)
By getting everything from ancient vulns to 0-day out in the open, for everyone to see, we are shortening the gap that allows unethical people to use it to their advantage. The most damaging weapon is a secret weapon, and the longer it is secret, the more damaging it is. The solution, as I see it, is to make it secret no longer.
The fact is there have always been, and always will be threats. Whether this company exists or not really doesn't affect that fact.
Posted by Byron Sonne | May 13, 2005 8:03 AM
"Those who learn and do not teach are thieves"
Can we assume since you included this quote in the posting that you feel it applies to Aitel & Immunity? If so, care to explain how the quote fits after taking their classes? Listening to their presentations at conferences? Sharing information on mail lists? Answering questions from people striving to reach their technical ability?
And since you are such a proponent of sharing information, would you like to share any older vulnerabilities in nCircle products? Maybe open up your product bug database so everyone can see what problems used to exist that are now patched? Would be a shame to see your company hoard that knowledge when others could benefit from it. Feel free to send me a .tar file, I'll host it for you.
Posted by jericho | May 14, 2005 2:38 AM
[If so, care to explain how the quote fits]
Sure, I'd be happy to. But I think you ought to read the post again since you've missed the main thrust of what I wrote. Did you not see 'non-public exploits' in the topic?
I'm not saying they don't give out knowledge in all cases. Sure, they can do it some of the time. It can be quite valuable too. As a Canvas and past SPIKE user I've asked questions on the lists and had them answered. That's never been in doubt nor should you have read that into it.
However, as much as that is valuable, it's not the non-public stuff. It's not the 0-day. It's not the stuff that can really be used by the 'dark side'.
As far as opening up nCircle's product bug database, so people can see what problems there used to be and such, I think that's a neat idea. Let me put that question to my superiors; if we have nothing to hide then we should be willing to share. I agree.
It's not going to be particularly interesting or anything though. And really, the issues are going to be standard kinds of stuff. There's not going to be much in there that enhances the world's body of knowledge on a pure content generation basis. Refinement. That's our strength - we've taken what we see as great information and cool ways of doing things that are out there, and implemented them. We've wrapped already present knowledge and technology with a good idea of the right way to do things. Then we've worked our asses off. Maybe the implementation is unlike what other people have done, but the information and ideas driving it could be thought of and pieced together by anyone intelligent enough. If we see so far, it is only because we stand on the shoulders of giants, as it were.
Contrast this to what Immunitysec and its kin do; working their asses off to find new things no-one has probably found before, then keeping some of it to themselves to enhance their esteem and bank balance. You know these guys are keeping shit to themselves and saving it for a rainy day. They've even said almost as much themselves. I read 'Daily Dave' too, you know.
However, since it is not all my information to share, it might not happen - clearly there may be moral issues in sharing someone else's information when you don't rightly have authorship or ownership of it, and you've already made a promise to only use it in a particular fashion or context. One can't just willy-nilly break promises. But when you have something under your own control, and you don't share it, what's your reason?
Stop beating around the bush, all of you - just come out and say why holding your 0-days close to your chest isn't lame. Defend it. Or is it that you can't, and that you know you aren't being as honourable as you could be? Pick up a copy of 'Hackers' by Steven Levy, read it, and feel the shame you deserve.
I believe that we all owe something back to the universe, and one of the fundamental units of that particular value transaction is the creation of new knowledge. The universe passively slides into chaos, and we're the opposing active force. And the way you balance the type and quantity of your payments affects the rate and character of those changes. Unfortunately I'm probably gonna sound like a commie for saying this, but from each according to their ability and nature of their expertise. If you're really good at the creation of new knowledge, then your payments in that particular unit are going to be higher than those of others. Just as theirs will be higher in other areas. You just had the luck of the draw to be better equipped to balance the universe in that way. It's a privilege and I think it behooves one to treat it as such.
I don't always live up to the standards I hold myself to. Sometimes I too am deserving of moral rebuke. But I am trying - and I'm not sure folks such as yourself, if your assertions are representative of your actual beliefs, are.
Please don't assume that my views necessarily reflect those of my co-workers or the company. I probably sound like an overly philosophic wanker, but there you have it.
Posted by Byron Sonne | May 14, 2005 9:28 AM