BugTraq
iDefense Q-1 2007 Challenge Jan 10 2007 05:27PM
contributor (Contributor idefense com) (1 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 05:14PM
Simon Smith (simon snosoft com) (1 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 05:29PM
K F (lists) (kf_lists digitalmunition com) (2 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 06:35PM
Blue Boar (BlueBoar thievco com) (2 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 07:37PM
Simon Smith (simon snosoft com) (2 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 17 2007 06:33PM
Tim Newsham (newsham lava net) (1 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 08:06PM
Blue Boar (BlueBoar thievco com) (1 replies)
Simon Smith wrote:
> Blue Boar,
> Simply put, and with all due respect, you're wrong.

About? I see basically two assertions in my note; 1) that I would sell
to iDefense or TippingPoint. Surely you're not going to tell me what I
would do? And 2) That iDefense isn't doing the same thing that Blackhats
are. Is the latter one the one you disagree with?

> Furthermore I don't
> appreciate you directly or indirectly suggesting that these exploits are
> being sold on the black market, that will never happen on my watch, ever!

If you look carefully, you'll see I was replying to Kevin, who did make
a comparison to selling to blackhats. I hadn't even seen your note at
that point, and I wasn't replying to you, and I didn't quote anything you
wrote.

So I assume you think I was saying that your company is selling to
blackhats. I wouldn't think you were. Certainly you don't mean to claim
that, in general, the entire market never sells to blackhats, nor that
you have any control over what others do.

> More importantly, the company that I am working with is no different
> than iDefense. In fact, they both sell their exploits and harvested research
> to the same people. The only real difference is in the amount of money that
> the researcher realizes when the transactions are complete. This difference
> is a direct result of low corporate overhead.
>
> Lastly, all transactions require that the researcher engage the company
> that I work with in a tight contract. This contract ensures that both
> parties are legitimate and also protects both parties. They don't do that on
> the black market do they?

So, is the problem that I didn't realize you guys also bought vulns, and
that you pay more? No, I had no idea that you did. I guess some better
marketing is in order. The quarterly challenge thing is pretty good for
publicity, maybe you guys should do one of those.

BB

Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 08:17PM
Simon Smith (simon snosoft com)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge Jan 16 2007 07:02PM
K F (lists) (kf_lists digitalmunition com)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Jan 16 2007 06:05PM
Simon Smith (simon snosoft com) (2 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Jan 18 2007 09:22AM
Roman Medina-Heigl Hernandez (roman rs-labs com)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Jan 16 2007 09:19PM
Jim Manico (jim manico net)







 
