[Full-Disclosure] Re: [VulnDiscuss] HP Full Disclosure Story

From: Jonathan Rickman (full-disclosure@lists.netsys.com)
Date: 08/26/02


From: full-disclosure@lists.netsys.com (Jonathan Rickman)
Date: Sun, 25 Aug 2002 20:52:40 -0400 (EDT)

On Fri, 23 Aug 2002, Kevin Spett wrote:

> I think it'd be great if people made a habit of posting researcher-vendor
> communications like this. They say a lot about a company's attitude and
> policy regarding security and can help sysadmins, developers, security
> professionals, etc. decide whether they would want to buy from them. This
> would be a good way for vendors to show the community that they react to
> reports of vulnerabilities in a responsible, communicative and friendly
> manner. It would also be a good way to expose vendors such as HP who fail
> miserably to do so.

I think it is also very important to keep all parts of the conversation
intact. There is a significant portion of this particular conversation
that was not included, which, I suspect, sent the conversation on the
downward spiral. No offense to Tamer, but this strikes me as a case of a
researcher who insisted on setting HP's rules for them "on the fly", as it
were. HP has a policy in place. Flawed or not, they have to work within
the confines of that policy. They were fairly candid with you...and I
quote:

"Let me be very candid here, you are not the first to assume
that a $50 billion corporation will drop all the other security
issues we are working on in order to work on yours because
you threaten to publish. It has never changed the course of
our work internally; we will continue to work on the issue
until it is tested and finished."

Honestly, that sounds pretty reasonable to me, considering that we do not
have the privilege of reading the communication from you. For all we know,
your email to them consisted of "ph33r m3 HP, eye will dr0p dis 0day b0mb
on yo @z in 10 minutes if joo do not r3zpect my skillz!!!" Once again,
Tamer, no offense intended, but that part of the conversation does seem to
be critical, since that's where things turned south. As for their
September 11th remarks, I consider that pretty tasteless and cliché, and I
seriously doubt that that is the "Company Line", but rather the work of
one individual who has not learned to toe that "Company Line" quite right.

Another possibility is that the folks at HP were slow to pick up on the
fact that English is obviously not your first language, and ask for
further clarification. Sometimes that is a source of confusion, even
when dealing with someone who writes fairly well, such as yourself.

I think Dan at HP summed the whole thing up best when he said,
"We did reply, and you are making the assumption that your
issue is the only one we have to work on, and that it is
the most important."

I suspect that he hit the proverbial nail right on the head with that one.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

