I repeat that nobody including Microsoft asked us, told us or made us, paid us or persuaded us take the 'Unpatched' page down. And, in response to your previous post we maintained this page in the manner you suggested for two+ years.
"The solution that would sound better to me would have been to KEEP the exploits there until you verify that MS has indeed patched them. Then as MS patched them, update the site to show that the vuln has been fixed while NOT removing it." Those are your words AstroDrabb, not mine
and if you'd been one of the 20,000 people that showed up almost daily to view the same you'd know that is how we operated it.....for FREE the last two years. That's putting our money where our mouth is. You go on to say how could anyone trust our newsletter. I don't get this. Just because we took the 'Unpatched' page down to deny those who seek to exploit the information for nefarious purposes, how does that make our research information, methodology and expertise any less trusted or valuable? Don't think for a moment that just because the 'Unpatched' page is not public anymore that we are giving up on our research and our crusade. Both we and our clients demand it. As for other browsers, we decided years ago to focus a good portion of our research on this browser given that as many as 90% of all internet browing is done through IE. Coincidentally, the most recent high profile attacks have focused on exploiting vulns in this program, which get's back to my original point. Taking the 'Unpatched' page down to deny those who would use the information to exploit the vulns and cause havoc...and huge financial losses. This is a problem that we have decided to try and be a part of the solution.
I do appreciate your final comment wishing us luck. Again we simply hope to be a part of the overall solution and as you pointed out from the article above "Microsoft unveils a fundamental security shift". Isn't that what people have been screaming for? We have taken notice and are hopeful that their shift will be successful and that our action will be a contributing factor.
I hope this helps you to gain a better understanding of our motives and our actions.
Finally an intelligent comment to this issue. It's tough when people are so close minded that they don't even stop ranting for a moment to consider the alternatives and the end goal. I'm not sure what get's me the most with the majority of these posts: the arrogance or the ignorance...both are dangerous POV's and incredibly self limiting. I am still optomistic that there are enough good and talented people out there who are willing to try and make a difference and who will contribute to a solution versus taking the easy way out and simply bitching about the problem. The vocal minority has had it's say.....as you suggest ScottKin it's a good thing they don't represent the majority.
It was entirely our decision at PivX to take Unpatched down. Based on the state of affairs, notably the 25 days it took to create LovSan/MSBlaster as compared to the 295+ days or so it took to create Code Red, the 200+ days for the creation Nimda, and the 100 days it took to develop Slammer (see a pattern here?) The time that it takes for people to develop exploits against IE vulernabilities has declined significantly over the last year or two. This gives vendors like MS even less time to develop and distribute patches and for sys admins to deploy them before the exploit's attack. What surprises me is the same theme of uninformed conspiracy theories (like MS being a contributing editor of our website and them paying us to shut up) that continue to appear on some of these boards. Plus, the fact that if anybody cares to look at facts: we have been anything but an apologist for MS for the last two years. Google ('Pivx Microsoft' for proof). You would think that our constant pressure on MS, plus our free and constantly updated page would make a few people stop and think that perhaps we deserve some credit for our objective approach to developing a solution to a problem that is increasing in severity versus those that are so compelled to simply scream at the problem and vilify us for taking down our free research. For those of you who have thanked us since the page was taken down, we thank you for noticing what we have done, the significant investment our company has made to provide this information gratis for years and our continuing contribution and committment to a solution. The fact of the matter is 'Unpatched" has served it's purpose, it has raised awareness of a problem and has ushered in many solutions, workarounds and a review of the status quo. Furthermore, MS has patched or is in the process of fixing those vulns that remain. Based on Microsoft's communication which included their willingness to create meaningful solutions and their recent actions to fix the current problems, we have given them a good faith reprieve, nothing more nothing less. Sorry it is not any juicier than this. If you have a better idea I'd sure like to hear it. If you are sincerely interested in keeping up to date on the latest in internet security from our perspective you can subscribe to our newsletter which can be found at http://www.pivx.com/larholm/unpatched/
Most Secure Regards, Founder PivX Solutions
It was entirely our decision at PivX to take Unpatched down. Based on the state of affairs, notably the 25 days it took to create LovSan/MSBlaster as compared to the 295+ days or so it took to create Code Red, the 200+ days for the creation Nimda, and the 100 days it took to develop Slammer (see a pattern here?) The time that it takes for people to develop exploits against IE vulernabilities has declined significantly over the last year or two. What surprises me is the same theme of uninformed conspiracy theories (like MS being a contributing editor of our website and them paying us to shut up) that continue to appear on some of these boards. Plus, the fact that if anybody cared to look at facts: we have been anything but an apologist for MS for the last two years. Google ('Pivx Microsoft' for proof) You would think that our constant pressure on MS, plus our free and constantly updated page would make a few people stop and think that perhaps we deserve some credit for our objective approach to developing a solution to a problem that is increasing in severity versus those that are so compelled to simply scream at the problem and vilify us for taking down our free research. For those of you who have thanked us since the page was taken down, we thank you for noticing what we have done, the significant investment our company has made to provide this information and our contribution to a solution. The fact of the matter is Unpatched has served it's purpose, it has raised awareness of a problem and has ushered in many solutions, workarounds and a review of the status quo. Furthermore, MS has patched or is in the process of fixing those vulns that remain. Based on their communication which included their willingness to create a meaningful solution and their recent actions to fix the current problems, we have given them a good faith reprieve, nothing more nothing less. Sorry it is not any juicier than this. If you have a better idea I'd sure like to hear it. If you are sincerely interested in keeping up to date on the latest in internet security you can subscribe to our newsletter which can be found at http://www.pivx.com/larholm/unpatched/
Most Secure Regards,
Founder
PivX Solutions
Slashdot Mirror
I repeat that nobody including Microsoft asked us, told us or made us, paid us or persuaded us take the 'Unpatched' page down. And, in response to your previous post we maintained this page in the manner you suggested for two+ years. "The solution that would sound better to me would have been to KEEP the exploits there until you verify that MS has indeed patched them. Then as MS patched them, update the site to show that the vuln has been fixed while NOT removing it." Those are your words AstroDrabb, not mine and if you'd been one of the 20,000 people that showed up almost daily to view the same you'd know that is how we operated it.....for FREE the last two years. That's putting our money where our mouth is. You go on to say how could anyone trust our newsletter. I don't get this. Just because we took the 'Unpatched' page down to deny those who seek to exploit the information for nefarious purposes, how does that make our research information, methodology and expertise any less trusted or valuable? Don't think for a moment that just because the 'Unpatched' page is not public anymore that we are giving up on our research and our crusade. Both we and our clients demand it. As for other browsers, we decided years ago to focus a good portion of our research on this browser given that as many as 90% of all internet browing is done through IE. Coincidentally, the most recent high profile attacks have focused on exploiting vulns in this program, which get's back to my original point. Taking the 'Unpatched' page down to deny those who would use the information to exploit the vulns and cause havoc...and huge financial losses. This is a problem that we have decided to try and be a part of the solution. I do appreciate your final comment wishing us luck. Again we simply hope to be a part of the overall solution and as you pointed out from the article above "Microsoft unveils a fundamental security shift". Isn't that what people have been screaming for? We have taken notice and are hopeful that their shift will be successful and that our action will be a contributing factor. I hope this helps you to gain a better understanding of our motives and our actions.
Finally an intelligent comment to this issue. It's tough when people are so close minded that they don't even stop ranting for a moment to consider the alternatives and the end goal. I'm not sure what get's me the most with the majority of these posts: the arrogance or the ignorance...both are dangerous POV's and incredibly self limiting. I am still optomistic that there are enough good and talented people out there who are willing to try and make a difference and who will contribute to a solution versus taking the easy way out and simply bitching about the problem. The vocal minority has had it's say.....as you suggest ScottKin it's a good thing they don't represent the majority.
It was entirely our decision at PivX to take Unpatched down. Based on the state of affairs, notably the 25 days it took to create LovSan/MSBlaster as compared to the 295+ days or so it took to create Code Red, the 200+ days for the creation Nimda, and the 100 days it took to develop Slammer (see a pattern here?) The time that it takes for people to develop exploits against IE vulernabilities has declined significantly over the last year or two. This gives vendors like MS even less time to develop and distribute patches and for sys admins to deploy them before the exploit's attack. What surprises me is the same theme of uninformed conspiracy theories (like MS being a contributing editor of our website and them paying us to shut up) that continue to appear on some of these boards. Plus, the fact that if anybody cares to look at facts: we have been anything but an apologist for MS for the last two years. Google ('Pivx Microsoft' for proof). You would think that our constant pressure on MS, plus our free and constantly updated page would make a few people stop and think that perhaps we deserve some credit for our objective approach to developing a solution to a problem that is increasing in severity versus those that are so compelled to simply scream at the problem and vilify us for taking down our free research. For those of you who have thanked us since the page was taken down, we thank you for noticing what we have done, the significant investment our company has made to provide this information gratis for years and our continuing contribution and committment to a solution. The fact of the matter is 'Unpatched" has served it's purpose, it has raised awareness of a problem and has ushered in many solutions, workarounds and a review of the status quo. Furthermore, MS has patched or is in the process of fixing those vulns that remain. Based on Microsoft's communication which included their willingness to create meaningful solutions and their recent actions to fix the current problems, we have given them a good faith reprieve, nothing more nothing less. Sorry it is not any juicier than this. If you have a better idea I'd sure like to hear it. If you are sincerely interested in keeping up to date on the latest in internet security from our perspective you can subscribe to our newsletter which can be found at http://www.pivx.com/larholm/unpatched/ Most Secure Regards, Founder PivX Solutions
It was entirely our decision at PivX to take Unpatched down. Based on the state of affairs, notably the 25 days it took to create LovSan/MSBlaster as compared to the 295+ days or so it took to create Code Red, the 200+ days for the creation Nimda, and the 100 days it took to develop Slammer (see a pattern here?) The time that it takes for people to develop exploits against IE vulernabilities has declined significantly over the last year or two. What surprises me is the same theme of uninformed conspiracy theories (like MS being a contributing editor of our website and them paying us to shut up) that continue to appear on some of these boards. Plus, the fact that if anybody cared to look at facts: we have been anything but an apologist for MS for the last two years. Google ('Pivx Microsoft' for proof) You would think that our constant pressure on MS, plus our free and constantly updated page would make a few people stop and think that perhaps we deserve some credit for our objective approach to developing a solution to a problem that is increasing in severity versus those that are so compelled to simply scream at the problem and vilify us for taking down our free research. For those of you who have thanked us since the page was taken down, we thank you for noticing what we have done, the significant investment our company has made to provide this information and our contribution to a solution. The fact of the matter is Unpatched has served it's purpose, it has raised awareness of a problem and has ushered in many solutions, workarounds and a review of the status quo. Furthermore, MS has patched or is in the process of fixing those vulns that remain. Based on their communication which included their willingness to create a meaningful solution and their recent actions to fix the current problems, we have given them a good faith reprieve, nothing more nothing less. Sorry it is not any juicier than this. If you have a better idea I'd sure like to hear it. If you are sincerely interested in keeping up to date on the latest in internet security you can subscribe to our newsletter which can be found at http://www.pivx.com/larholm/unpatched/ Most Secure Regards, Founder PivX Solutions