Dailydave mailing list archives

Re: Subject: Re: How Apple orchestrated web attack on (Bow Sineath)


From: "Steve Manzuik" <smanzuik () juniper net>
Date: Mon, 26 Mar 2007 00:33:50 -0400

Disclaimer:  My opinion only.  I should really subscribe to this list
with a non-work email addr.

IMHO, these days most vendors won't dare threaten any legal action if you have a solid bug release/advisory methodology in place. Doing so would make them look like they were trying to quash your research.

Yes and no.  I think it all depends.  I have had experience both being
on the independent unknown researcher side and I have had experience
being the vendor reporting the issue.  It seems most vendors "play ball"
with the infosec vendors vs. the one man operations.  This is a bad
thing if you ask me.

When we (SNOsoft) were working with HP back in early 2000 they threatened legal action in an attempt to do just that, quash our research. Look at how it backfired. A lot of people felt that HP cared more about quashing security research than they did protecting their customers. That's a message that companies are trying to avoid sending these days.

That is a great comparison because I have worked with HP on a
vulnerability in the last year and they are a bit more responsive.  They
definitely remember their mistakes in 2000 and seem to have improved
their response.  Or at least in my experience they have.

Granted, certain companies are still more difficult to work with than others, but if your methodology for release is well built then you won't be giving them a legal leg to stand on. You're just doing the right thing.

I agree.  I typically like to, up front, give the company a heads up of
what our expectations are even before the vulnerability details.  It
helps keep everyone on the same page and, at least from my end, shows that
we are being up front with the vendor.

I am finding this whole Apple thread very very interesting.  When I was
at eEye Digital Security, we found and reported multiple vulnerabilities
to Apple.  Mostly QuickTime/iTunes related stuff (file format), and while
the response from Apple was slow and generally difficult (for lack of any
other words to explain it nicely), they always dealt with the issues.
Granted, the wireless issues and other actual OS X type issues are
probably of higher impact, but I am surprised to see a vendor deal with one
set of issues in a satisfactory way and then completely mess up with
others.

I know a lot of you on this list have been around this industry just as
long as, if not longer than, me.  Most of us come from the days of
criticizing and complaining about Microsoft and how they handled issues.
Now, we see Microsoft as the model, which shows us that the researchers
can actually make a difference and the vendors can adjust the way they
deal with things if enough pressure is provided.  The thing to remember
is that a lot of vendors really have not thought out how to handle a
security vulnerability when it is reported.  I have a ton of funny
stories around this; perhaps it would make a good talk at some
non-technical conference one day.

So while many of you are frustrated and don't bother reporting
vulnerabilities anymore, I honestly think you would do more of a service
by reporting them and fighting the battles.  It has worked once and it
will work again.

-Steve

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
