hah,
Nice catch. It is because we had to move our site to a different host due to the high amount of traffic that was generated from the HP response. We do not have control over the current httpd.conf on this new host. We will be moving back to our primary host shortly... which by the way... is patched.. ;o) I will notify the admin however. Thank you for the catch, even if it was a flame.
There are two models that snosoft follows internally when performing security research: 1) Independent research with a full disclosure policy, and 2) Private research under NDA with a vendor. The threat from HP regarding extortion was based on the miscommunications/misperceptions around these two models. The history of the situation included initial findings under independent research. We halted prior to full disclosure due to the serious nature of our findings, and approached HP with a proposal to continue our research privately with them, under NDA. At no time did we attempt to request compensation for the initial research findings, and at no time did we threaten damaging actions if HP did not provide compensation. The goal we attempted to strive for was to transition from the independent research/full-disclosure model to the private research/NDA model. HP was not interested in pursuing this track. So, we accepted their decision, and followed the "industry standard practice" for reporting vulnerabilities, by reporting them to CERT, who acted as the independent third party between SNOsoft and HP. The end result is that HP is getting penetration testing results for approximately two person-months' worth of work. The value in this service is obvious, which incents us to transition to a private research/NDA business model.
So, to sum up, the difference between extortion and transitioning a business model is a matter of the timing of requesting compensation for research results. If a security firm performs independent research, and then approaches the vendor with the position of, "pay us for this information, or else we'll release it to the public", then that can be considered extortion. However, if a security firm performs sales-generating activities by trying to demonstrate to a vendor the value in their service, and requests a contract to do future work based on the demonstrated value, then that cannot be considered extortion.
"http://www.netsys.com/cgi-bin/display_news_article.cgi?338"
In response to Bruce:
"But that sentence sounds a bit like a shakedown, doesn't it?"
Secure Network Operations provides system security research results to both the public and private sectors in a mutually exclusive manner. We perform independent research and maintain a full disclosure policy for such engagements. We also perform custom security research for private enterprises and government whereby disclosure is limited to our client, and bound by NDA.
We have also changed our page.
Regards,
Adriel T. Desautels
Founder, Secure Network Operations, inc.
http://www.msnbc.com/news/788216.asp?0dm=T14JT ....this just keeps getting better and better! --Snosoft
The founders of Secure Network Operations would like to thank all of you for your support in this issue. We will soon be providing you with updates to this issue on our web site. Thanks Again!!
Regards,
Snosoft Recon Team & The Cerebrum Project