Re: Details of Sybase ASE bugs withheld

From: Jay Libove (libove_at_felines.org)
Date: 03/23/05

  • Next message: Marcus Meissner: "SUSE Security Announcement: ImageMagick problems (SUSE-SA:2005:017)"
    Date: Wed, 23 Mar 2005 12:54:36 -0500 (EST)
    To: vulnwatch@vulnwatch.org
    
    

    I think Simple Nomad wrote an excellent analysis of the problem of a COTS
    vendor (in this case, Sybase) "requesting" (making legal threats) that a
    security research firm not disclose the details of a discovered
    vulnerability.

    <IMHONSFME - In My Humble Opinion Not Speaking For My Employer mode on>

    Looking at this from my point of view as an employee of a Fortune 200
    company with a massively complex IT infrastructure, in the microcosm of
    this specific Sybase vulnerability, it is a two-edged sword: one edge may
    be good for us in that only the more dedicated of crackers will find and
    build an exploit for the vulnerability in the absence of the full details;
    the other edge is that we still do not know the precise details and so we
    are less certain what and how much to do to protect ourselves against it.

    It would be foolish to assume that an effective exploit for the
    vulnerability will not be created and published (or, for that matter, that
    an effective exploit for the vulnerability is not already quietly
    circulating). Therefore, on the whole, even in the microcosm of our large
    company and this one specific incident, I do not think that it is good for
    us that a commercial software product vendor has been able to even
    temporarily silence a security research firm.

    In the broader context, I believe that Simple Nomad is exactly right: it
    will be bad for us and for everyone who uses such commercial products if
    security research firms are effectively gagged by legal threats, because
    we will know less and less about what vulnerabilities exist in the products
    we use, until such time as we suffer an actual exploit against them.

    To that end, I have encouraged my employer to perform some commercial
    activism by contacting the commercial product vendor, as a concerned
    customer, and suggesting that we disapprove of their policy of using legal
    threats to keep the vulnerability details quiet. I have further suggested
    that we should copy such notice to our lobbyists / elected
    representatives.

    </IMHONSFME - In My Humble Opinion Not Speaking For My Employer mode off>

    -Jay Libove, CISSP

    On Wed, 23 Mar 2005, Simple Nomad wrote:
    > On Tuesday 22 March 2005 14:53, Marchand, Tom wrote:
    >> And what happens when the vendor won't indemnify the researchers? No more
    >> security bulletins? Wouldn't the vendors love that. Or would security
    >> researchers become outlaws?
    >
    > It gets worse if you consider that the researcher may be researching a COTS
    > product on behalf of a client who wants the software evaluated before it is
    > implemented/purchased. Now where does the EULA lie? Company X bought the
    > software, but pays me to evaluate it in a cubicle on Company X's property.
    > Does the EULA apply to me? What if Company X already installed it on a
    > computer, and *they* clicked "I Agree" during the license question and I am
    > just there to rip things apart bit by bit?
    >
    > This is why EULAs don't work in this context.
    >
    > Additionally, I and/or NMRC have been threatened with legal action by
    > several companies, or they have done "legalish" things to try to scare us ("please
    > GPG sign NMRC's disclosure policy with *your personal* GPG key and email it
    > to us before releasing your advisory we don't want published"). My experience
    > through my employer BindView also leads me to believe that given the chance
    > any and all vendors will do anything to prevent public disclosure of bugs.
    >
    > <tinfoilhat>
    > IMO, several large vendors are waiting for one of the smaller companies to
    > risk the bad publicity of going after a security researcher (criminal, civil,
    > or both) so a precedent has been set. Assuming the courts decide in favor of
    > the company instead of the researcher, security research as we know it will
    > end as all the vendors come after us like biblical locust swarms, and we will
    > go back underground, old school style.
    > </tinfoilhat>
    >
    > --
    > # Simple Nomad -- thegnome@nmrc.org #
    > # C1B1 E749 25DF 867C 36D4 1E14 247A A4BD 6838 F11D #
    > # http://www.nmrc.org/~thegnome/ #
    >

