SecurityFocus: we can't believe our eyes

An article by Jamie Reid, a privacy, security and risk consultant to healthcare agencies in Toronto, recently appeared on SecurityFocus (read: Symantec).

While reading the article, we could not believe our eyes. In a nutshell, the article brilliantly demonstrates why the money currently offered by traditional security vendors to security researchers (yes, somebody finally used the proper term) for their 0day findings does not reflect the real value of those findings. There is no need to repeat here the SecurityFocus columnist's arguments backing up that statement; we totally agree with them, especially with the final part, which states that perhaps the proper model should include some sort of revenue sharing scheme. Just go and read the article.

But... there is a but. To demonstrate that the traditional security vendors' model does not properly value the researchers' efforts, the columnist wrote:
"Competitors in the bug-buying space like WabiSabiLabi's auction scheme, and iDefense's VCP offer lower rewards, but provide different structured incentive packages for disclosing 0-day exploits to them."

Initially, we didn't pay much attention to it, but then... questions started to pop up in our minds.
As everybody knows, stating that "Competitors in the bug-buying space like WabiSabiLabi's auction scheme (...) offer lower rewards" does not represent reality. In fact, WabiSabiLabi doesn't offer ANY sort of reward at all. We just provide a marketplace, where the reward level is the natural result of the interaction of supply and demand. Why the need to say that WSL itself provides low rewards to researchers? It puzzled us.

Then we noticed that the columnist wishes for a sort of revenue sharing model for security researchers, deliberately (?) forgetting to mention that WabiSabiLabi has announced such a scheme since its very foundation. Go and read our almost-one-year-old post.

At that point, we emailed Jamie Reid, pointing out that we do not provide a "low rewards scheme" and that we have already been promoting our revenue sharing scheme for a year, hoping that he would correct his article.
Guess what? We received a polite mail in which he answered "Thank you. That's an interesting model. I will be interested in following up in a year or so about how it is working". But no amendments to his article.

A distracted columnist? Or perhaps a preview of a future move by Symantec toward a different approach in the security research industry?

As you know, we have been working hard for a year on the realization of such a reward scheme, initially with half of the world against us. Our efforts are taking concrete form in the recently announced partnership for the production of the OneShield Security UTM, which will integrate a revenue sharing model for those security researchers who contribute their findings.

We took all of the risk and heat, we faced the shadiness of the current laws, we took all the insults from the part of the researchers' community that didn't agree with us, we withstood strong hits from some lobbied press.
Nevertheless, we are still alive, so might it be the right time for the big industry to take advantage of the results of our work?

We'll see. It will be interesting for us to see how our competitors (who heavily criticized our model, calling it unethical) will find excuses to adopt it.

Our forecast? Perhaps they will adopt only part of it. They won't adopt the auction part but they will eventually adopt the revenue-sharing scheme.

With one problem: it will demonstrate that they abused the work of security researchers, paying them peanuts, up to the moment somebody popped out of the blue and forced them to adopt new business models, in which security researchers are no longer considered freebies or peanut-paid workers.

Please remember... that somebody was us.


Are South Africans aliens from another planet?

They must be; at least, this is what we think after being invited to hold a keynote speech at the ITWeb Security Summary 2008 (Johannesburg, South Africa), and after having seen the reaction of the attendees at the end of it.

Let us get it straight: the speech was about WabiSabiLabi's marketplace project and it was held in front of a crowd of 400 attendees.
At the end of the speech, the conference host fired a question at the crowd: "Who thinks that WSL is doing the right thing in providing a marketplace for security research? Raise your hand".
We panicked waiting for the response, but then... 399 hands attached to security professionals' bodies were raised.
To counter-check, the host then asked: "Who is against such an initiative?". Only one hand up.

Are we THAT good at selling ideas? Or maybe it's the marketplace idea itself that, when supported by proper motivations, has no difficulty being adopted or even supported by security professionals?

Or is it that South Africans are aliens from another planet? We are still wondering...

Meanwhile, a few words about the ITWeb conference. We are always bragging about how good the Swiss are at organizing things. Well, they have indeed some good competitors in South Africa. The ITWeb conference is a top international event, period.

Pros, Cons and Kudos

Symantec's "free of charge" espresso coffee machine at their booth. Finally, some good hardware.
Thanks a lot, from the deep bottom of an Italian heart.

ITWeb's catering service. We have proof that aliens don't know how to properly cook pasta.
Yes, boiling it for less than two and a half hours will also help to spare Africa's energy resources and will contribute to reducing the power outages.

Johnny Long, for his fabulous speech and his charity initiative. People, vendors... what are you waiting for to support it?
Johnny Cache, for being so... smurky. He knows what we mean ;)
Dino Covotsos, for being a good friend and for sponsoring Johnny Long's charity initiative through his company.
Kudos also to the Serbian community, Paul, Janine, Alissa, Mariette, Ilva and all the new and old friends we met over there.

Final round of kudos to South Africa, for giving us such dramatic sunsets.

From Earth, over.


Partnership announcement with OneShield Security

WSL is proud to announce a partnership with OneShield Security for the production of a UTM appliance. The appliance will integrate a 0day preemptive engine, based on the knowledge coming from WSL's marketplace, and will be built on hardware provided by Eurotech, a defense, security and aerospace hardware producer.
The partnership is already in its second phase, which means that in a few weeks the product will be available for the mass market (projected date: June 1st 2008).

In the next two blog posts we will announce how the security researchers' community will benefit from the OneShield Security network, and also another strategic partnership in the security research area.

The appliance will be bundled with an optional Managed Security Services package, and will have the following characteristics:

Network Security:

- Stateful Packet Firewall
- Demilitarized Zone (DMZ)
- Intrusion Detection
- Multiple Public IPs
- Traffic Shaping
- VoIP/SIP support
- Malformed Packet Protection
- Portscan Detection
- DoS and DDoS Protection
- SYN/ICMP Flood Protection
- Anti-Spoofing Protection

Enterprise IDS:

- Fully Web Managed Intrusion Detection System
- Integrated with the largest Networks of 0Days Threats in the world
- Ajax Instant Log Web Interface for instant alerting of Intrusion Attempts

Web Security:

- HTTP & FTP proxies
- Anti-virus (100.000+ patterns)
- Transparent Proxy support
- Content Analysis/Filtering
- URL Blacklist
- Authentication: Local, RADIUS, LDAP, Active Directory
- NTLM Single Sign-On
- Group Based Access Control

Mail Security:

- SMTP & POP3 proxies
- Anti-spam with Bayes, Pattern, SPF, Heuristics, Black- and White-lists support
- Anti-virus (100.000+ patterns)
- Transparent Proxy support
- Spam Auto-Learning
- Transparent Mail Forwarding (BCC)
- Greylisting

VPN Concentrator:

- True SSL/TLS VPN (OpenVPN)
- Encryption: DES, 3DES, AES 128-, 192-, 256-bit
- Authentication: Pre-Shared Key, X.509, Certification Authority, Local
- PPTP Passthrough
- Native VPN Client for MS Windows, MacOSX and Linux

Hotspot Security:

- Captive Portal
- Wired/Wireless support
- Pre-/Post-paid and free Tickets
- Integrated RADIUS service
- Connection Logging
- No additional software/hardware required


- Easy Web-based Administration (SSL)
- Secure Remote SSH/SCP Access
- Serial Console
- Centralized Management through Endian Network (SSL)

High Availability:

- Multi-Node Appliance Cluster
- Hot Standby (active/passive)
- Load Balancing (active/active)
- Node Data Synchronization

WAN Failover:

- Automatic WAN Uplink Failover
- Monitoring of WAN Uplinks
- VPN Failover

Network Address Translation:

- Static NAT (Port Translation)
- One-to-One NAT
- IPSec NAT Traversal


- Static Routes
- Source Based Routing
- Destination Based Routing


- Instant Log Viewer (AJAX based)
- Detailed User Based Web Access Report
- Network/System/Performance Statistics
- Syslog (Local or Remote)

Updates and Backup:

- Centralized Updates through Oneshield Eurotech Network
- Anti-virus Definitions
- URL Blacklist Definitions
- Scheduled Automatic Backup
- Encrypted Backups via E-mail
- Instant Recovery/Backup to USB-Stick