Re: [fw-wiz] recent disclosure debates

From: Paul D. Robertson (proberts@patriot.net)
Date: 12/15/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: "R. DuFresne" <dufresne@sysinfo.com>
Date: Sun Dec 15 21:45:14 2002

On Sun, 15 Dec 2002, R. DuFresne wrote:

[This is purely my personal perspective on this issue, and isn't intended
to be the position of TruSecure. I originally wrote my thoughts up on
the events back when the disclosure happened; there's enough blame to go
around, and I think it's been hashed enough, so I won't post my rant
unless there are specific things that need addressing, but I'd like to
comment on some of the things here...]

> This posting was pretty enlightening on the issue:
>

I beg to differ...

> Date: Sat, 16 Nov 2002 06:37:08 -0800 (PST)
> From: <mark_sala@yahoo.com>
> Subject: bind 8 info update regarding ISS
> To: bugtraq@securityfocus.com
>
> Upfront, I'd like to recognize that ISS has been doing a
> great job at finding very critical but obscure
> vulnerabilities in popular services. I'm guessing
> that there have been a lot of other security experts
> who have audited the source code of Bind, SSH, etc.
> and overlooked the discrepancies that ISS picks up on.
>
>
> Russ Cooper, the Surgeon General of TruSecure, blasted
> ISS publicly on the Symantec Bugtraq mailing list with
> an opinion on how ISS is irresponsible for not working
> with the ISC to properly patch Bind and how they
> unethically updated their own products.
> http://online.securityfocus.com/archive/1/299751/2002-11-11/2002-11-17/0
>

No, what Russ blasted ISS for was for not following the rules of OIS, an
organization that ISS is a member of, so obviously for not following the
disclosure rules that ISS itself agreed to. Anything else is a
mischaracterization of Russ' posting.

Blaming ISC doesn't absolve ISS of its duty in being a good security
company instead of the bearer of harmful information. While ISS certainly
has a right to use vulnerability information as marketing collateral,
part of the responsibility that comes from doing so is taking the lumps
that get handed out when you do that and things go wrong.

[snip]

> If TruSecure, Russ Cooper's employer, ever found a
> vulnerability, I would expect them to update their
> products also. When's the last time TruSecure spent
> any R&D Money finding vulnerabilities and released an
> advisory?

TruSecure doesn't do press releases based on vulnerabilities we find, any
more than we do them on vulnerabilities other people find. A lot of that
has to do with our prior agreements with security product vendors through
ICSA Labs, though most of us[2] really wouldn't be comfortable with our
marketing department getting in the middle of a research <-> vendor or
Labs <-> vendor relationship (even when that vendor isn't a customer).

We've found vulnerabilities in the past, and we've worked with others who
have discovered vulnerabilities in the past; in none of those cases[1]
have we alerted our marketing department, issued press releases, or even
customer advisories in cases where fixes weren't already verified as
available if the vulnerability wasn't public.

"First, do no harm" is a standard that should apply to security companies.
"First, do marketing" doesn't seem to have the same ring to it.

Even before I worked at TruSecure, I reported vulnerabilities to vendors
directly, and let them fix them and notify their customers about them.
That's stood me in good stead with several vendors over time.

Paul
[1] To the best of my knowledge for the almost 3 years I've been with
ICSA/TruSecure, and everything I've heard before that timeframe.
[2] I think I speak for everyone in Research and the Labs when I say this.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
