Dailydave mailing list archives

RE: vuln research/disclosure paper from eEye


From: "Ben Nagy" <ben () iagu net>
Date: Thu, 19 May 2005 18:19:50 +0200

Hi Chris,

Yep, I'll take the heat for that, since I wrote it. :)

I have (and always have had) great respect for l0pht while it was l0pht. You
were, as you say, selling product before eEye. So were ISS, and a lot of
other people. The l0pht / Schneier PPTP paper in 1998 was one of the
seminal works of formal security analysis. I was focusing, however, on paid
commercial vulnerability research teams, and I said "LIKE... blah blah".

I'm also happy to admit that we weren't the first company ever to post
vulnerabilities - my paper was supposed to be vaguely factual, so what do
you expect? If you think that there are material errors in my paper I'd like
to discuss it.

Please don't take this as dissing l0pht. In fact, Dave has more reason to be
upset than you, since I am less than rosy about vulnerability sharing clubs
in the paper - although I like to think I am balanced.

So. All flames my way. I'm a big boy, I can handle them. If you can show me
that I have flat-out lied or been misinformed then I'm ready to apologise.
And again, I was not trying to trivialise any of the contributions that you
guys or hundreds of others made to security in the '90s - and if you take
the whole paper in context then I like to think that is clear.

Cheers,

ben

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Chris Wysopal
Sent: Thursday, May 19, 2005 5:13 PM
To: dailydave () lists immunitysec com
Subject: [Dailydave] vuln research/disclosure paper from eEye


Zero Day: Vulnerability Research, Disclosure and Ethics

By: Ben Nagy
Senior Security Engineer
eEye Digital Security

http://www.eeye.com/~data/publish/whitepapers/research/OT20050512.FILE.pdf

Dave's favorite topic, I know.  What caught my eye was:

"The first professional research teams were created in the late 1990s by
innovative commercial vendors like eEye Digital Security and ISS - at last
presenting a legitimate way for researchers to find software
vulnerabilities for a living"

I guess L0pht wasn't commercial enough for them even though we were
selling software and had 4 fulltime employees years before eEye's first
product was for sale.  L0pht along with Cerberus Information Security,
CORE SDI, Secure Networks, Inc., and yes, ISS really paved the way.  I am
probably missing others.

Zero Day: Vulnerability Research, Disclosure and Ethics

By: Ben Nagy
Senior Security Engineer
eEye Digital Security

http://www.eeye.com/~data/publish/whitepapers/research/OT20050512.FILE.pdf


-Chris
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
