Re: [fw-wiz] recent disclosure debates
From: Paul Robertson (proberts@patriot.net)
Date: 12/16/02
- Next message: Brian A Kee: "RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Previous message: Chris Boscolo: "Re: [fw-wiz] Corporate H/N IPS"
- In reply to: Adam Shostack: "Re: [fw-wiz] recent disclosure debates"
- Next in thread: Adam Shostack: "Re: [fw-wiz] recent disclosure debates"
- Reply: Adam Shostack: "Re: [fw-wiz] recent disclosure debates"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Paul Robertson <proberts@patriot.net> To: Adam Shostack <adam@homeport.org> Date: Mon Dec 16 19:33:01 2002
On Mon, 16 Dec 2002, Adam Shostack wrote:
[Once again, this is my personal opinion, and not the position of
TruSecure.]
> ISS has released 22 or so advisories this year.[1] They messed up on
> one of them. There's always a last minute flurry of stuff that
> happens in these coordinated releases. Vendors who have been silent
> pop up asking for extra time. Someone realizes that the text of
> announcements is out of whack. Exploit code surfaces outside. Etc.
By ISS' admission at the time, no 3rd party exploit code seemed to exist.
> While it was painful for everyone who runs bind to have a disjoint
> release, ISS's error rate is under 10% for the year. Redhat has also
> jumped the gun, and I'm sure others have, and will again.
We're talking about a product that has lots of ties into OS vendors, none
of whom had time to ship new releases. Error rate doesn't make a whole
bunch of difference when you're talking critical infrastructure. Error
rate doesn't matter for the victims of attacks who have no protection and
can't replace shipping vendor versions without voiding support
contracts... We should expect better of the security community.
If it's worth it for ISS to not just let ISC give them credit, and follow
up with that, then it's worth it for them to take responsibility for the
results of their actions. Bad marketing decisions _should_ cost you-
especially when those marketing decisions put thousands at risk.
> I think a more important issue is ISC's possible use of a problem in
> their free software to get people to buy into a consortia. ISS made a
> mistake, ISC may be using their position to differentially allow users
> of their software to secure themselves. That's a business choice, and
> I think it's a bad one for a maker of free software.
Indeed, I wholeheartedly agree with you. But this isn't an OR condition,
it's an AND condition, and both parties need to do better if they're going
to be seen as responsible entities.
I'm going through the pain of switching to djbdns for my personal systems
because of ISC's handling of this incident. It certainly worries me more
than ISS's culpability, but I don't think that gives them absolution from
criticism. I also think that ISC has made their position clear in the
past, and ISS seemed to be going against the formal disclosure policy they
seem to have agreed to- it seems to me that was the basis of Russ'
comments that Ron pointed to.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation