Re: Towards a responsible vulnerability process

From: Joe Melhado (subs@DYNSOL.COM)
Date: 11/05/01


Message-ID:  <4.3.2.7.2.20011104182846.06ae7c90@earth.execnet.com>
Date:         Sun, 4 Nov 2001 18:46:41 -0500
From: Joe Melhado <subs@DYNSOL.COM>
Subject:      Re: Towards a responsible vulnerability process
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I wonder if we're arguing over the right issue.

A few points:

1) If I buy coffee at a fast-food drive-through and spill it in my lap
and it's hot enough to burn me, the vendor is liable and I'll be
compensated. But if I buy a computer and a hole in the software lets
someone cause me harm, none of the vendors are liable. Maybe this is
one of the issues we should be discussing.

2) If someone enters my home uninvited through a window, and gets
caught, he has possibly climbed through his last window. If someone
enters my computer, and even steals something or does damage and gets
caught (much less likely, unfortunately), very little happens unless I
happen to be a high-profile person/company or he did the same thing to
lots of people. Everyone knows that climbing in someone's window is
socially unacceptable. Maybe we need to make sure that computer
intrusion is socially unacceptable. One way to help that along is to
punish the black hats and script kiddies when we catch them, and work a
bit harder at catching them.

3) The point was made that "vendors" is an overgeneralization. I
submit that "Microsoft" is an overgeneralization as well. I believe
that the MS folks whose job is security take security seriously. I
don't believe that every decision at MS takes security into account;
otherwise we wouldn't have so many insecure defaults and so many
"features" that almost can't help being basically insecure. No vendor
employing more than one person is monolithic (IMO). I think we need to
be aware of this.

Given my track record with this list (several submissions but nothing
published) I'm not holding my breath, but even if I didn't say it in a
way considered fit for the list, I'd like to see these issues discussed.

Joe Melhado
(another frustrated sysadmin)
security@dynsol.com


