Re: [fw-wiz] recent disclosure debates

From: Barney Wolff (barney@tp.databus.com)
Date: 12/15/02


From: Barney Wolff <barney@tp.databus.com>
To: "R. DuFresne" <dufresne@sysinfo.com>
Date: Sun Dec 15 21:45:01 2002

On Sun, Dec 15, 2002 at 09:14:53PM -0500, R. DuFresne wrote:
>
> This posting was pretty enlightening on the issue:

Well, no, it wasn't. Despite all the verbiage, the fact remains that
ISS released the vulnerability before patches were available to many
or most of the people who needed them. If ISC actually refused to
release the patches until after the notice, one would think ISS would
have said that, but they didn't. So I'm forced to conclude that they
released the notice on the scheduled day without checking that ISC
had actually released the patches. Both parties look very bad, but ISS
is the one more immediately at fault for the premature release, imho.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

