On Tue, Feb 24, 2009 at 4:00 PM, Netragard Advisories <advisor...@netragard.com> wrote:
The irony of Kevin (don't make fun of my complexion) Finisterre disclosing that he has a full-time job outside of security, followed by his foray into the realm of security with "advisories," is puzzling. So Kevin isn't working in the industry, as he disclosed in his previous email, which means he obviously isn't working for "Netragard," which leads me to believe that Netragard is merely a fictitious company formed on an IRC channel amongst friends. Now, this is not to say there is anything wrong with this; however, to trust a bunch of IRC kids on an infrastructure would amount to career suicide. For starters, outside of a modded Pentium, they'd have little experience in the real world. Themes like DoDAF, DIACAP, and Information Security Architecture would be beyond the scope of their understanding. Without further ado, I'll now speculate on the intent of this current "Critical" advisory Netragard was gracious enough to bless the community with.

> -
> -------------------------------------------------------------------------------------------------
> Contact : Adriel T. Desautels
> Researcher : Kevin Finisterre
> Vendor Notified : 08/22/2007
>
> [Proof Of Concept]
> -
> -------------------------------------------------------------------------------------------------
> Proof of concept code exists but is not provided as to not increase CAMAS
> users overall risk levels. Any website that reads "Powered by the Cambium
> Group, LLC." is a CAMAS powered website.

Snake oil at its finest. You may recall Netragard has a pay-for-play scheme working where they never disclose any code. This works to anyone's advantage as a trump card when you think about it on a psychological-warfare-like scale. "We found a tumor somewhere in your body; however, we're choosing not to tell you how we found it, nor where it is." Imagine, if you will, those words coming out of a doctor's mouth.

You have to take into account that a doctor is a professional, as should someone in this industry be: a professional. The entire absurdity of "finding a tumor" and not revealing that tumor is quite shady. Wouldn't you agree? You may choose to disagree, but offer some supportive argument should you choose to say so.

> [Vendor Status and Chronology]
> -
> -------------------------------------------------------------------------------------------------
> 08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
> 08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
> 08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to Notification
> 08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
> 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
> 09/26/2008 11:17:35 PM EDT - Issues remain unfixed
> 02/09/2009 09:00:00 PM EDT - Issues remain unfixed
> 02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation to Netragard)
> 02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

During the initial discovery by the self-imposed experts at Netragard, it seems that Cambium performed some form of diligence in the sense that they took the time to listen to Netragard; however, much can be gleaned from Netragard's own choice of wording:

> 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded

At the onset of a conference call - dot dot dot - there was an immediate breakdown. Not one day later, not one week later; according to Netragard, it occurred the minute Netragard got on the call with them. This is a rather peculiar scenario if you think about it logically. What could have been the potential breakdown? After all, Cambium took the time out of their schedules to do "something". Could it have been the pitch offered by Netragard?

How could that have played out?

Kevin: "We discovered a tumor"
Cambium: "We appreciate you coming to us with this news, what have you got?"
Adriel: "Wait a minute, we won't disclose to you where this tumor is right away. What's in it for us?"
Cambium: "Gentlemen, have a nice day"

There seems to be no follow-up given by Netragard other than them (Netragard) potentially running their own super-secret Kernel's special sauce coding, as they state in their own words: "Issues remain unfixed". So what was the root cause of the breakdown? To be fair about it, I tried going over this scenario while thinking about my golf game, but no scenario came to mind other than that you perhaps tried to squeeze them for money and they likely told you to piss off. This is likely the case; I'd be willing to bet the Lexus ISF that if I questioned someone at Cambium, they'd likely solidify that notion. So now Simon and Adriel can play King Leotard to the rescue and offer some response to defend their Fortune 1,000,000,000,000 IRC-based company. Which makes me wonder if they even forked out money for a limited liability corporation filing. If so, where? Other than craptastically worded advisories, there is nothing listing a company address, "Re

http://news.infracritical.com/pipermail/scadasec/2009-February/002984.html
http://news.infracritical.com/pipermail/scadasec/2009-February/002978.html

--
Making no mistakes is what establishes the certainty of victory, for it means conquering an enemy that is already defeated. - Sun Tzu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/