Bugtraq mailing list archives
Re: Submission
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 27 Nov 2000 22:01:25 -0800
On Mon, 27 Nov 2000 hellnbak () HUSHMAIL COM wrote:
> OK, with that being said many of you are probably thinking that Georgi is not allowed to cooperate with Microsoft because of his job with Netscape/AOL. To be blunt, this is nothing more than a lame excuse. Companies work with their competitors over security holes constantly. In fact, I have seen advisories (the recent MS Network Monitor ones as an example) that contain issues worked on by two very competitive companies, ISS and NAI.
As a counter-example, our vulnhelp folks tried to coordinate a vuln release recently that had to do with the locale bug in (g)libc that affected most unix vendors, discovered by CoreSDI. Some Linux vendors jumped the gun. I suspect the idea of waiting on other (competing?) vendors to get their fix together, when someone is ready to go, is a new thing for them. It's been a couple months, and Sun still isn't quite done. I don't expect the Linux folks would have waited too long, and I don't think we would have expected them to wait 2 months. We'll all probably have to go through a few iterations of this type of thing before it works itself out.
Having said that, I don't think that has anything to do with Georgi's decision on when to release. If you check out his web pages (guninski.com) you'll see that he has 16 Netscape vulns in addition to the ~40 IE holes. This probably has to do with the fact that IE just encompasses a larger set of functionality, and therefore provides a potentially greater source of holes, and is probably just more interesting to research.
> I know a lot of you are probably thinking that this rant is pointed directly at Georgi and I guess it is as he is probably the largest offender. Georgi, take this message for what it is worth, you are no longer doing the security industry a service, you are letting people know that AOL/Netscape and their big pockets can take a once respected person and obviously very intelligent security professional and use them to do their bidding.
Netscape doesn't need Georgi's help looking bad. Once they stopped acknowledging bugs in their browser and releasing fixes in a timely manner, they clearly communicated their feelings on security. I'm impatient for Mozilla. I hope that the bloated piece of software that barely runs called Netscape 6 doesn't reflect the state of the Mozilla project.
Ryan