Re: Open Source vs. Closed Source [ was Re: [fw-wiz] FirewallThroughput ]

[Chris Calabrese <christopher_calabrese () merck com>]

Yeah, I thought of that.  The issues surrounding my
constraints on disclosure are pretty complicated,
though, so just doing an anon post probably
won't work for me.  I've been trying to work out a
solution, and you may see white smoke soon.

amanda wrote:

> You could always make an anonymous post to bugtraq and attach some exploit
> code for the script kiddies. That should get the vendors attention. Or at
> least it will make some other customers complain loudly to the vendor.
>
> Just look at how Microsoft reacted to last summers IIS exploit from eEye.
> For several days they completely ignored it until it turned up on bugtraq.
> Then they fixed it in a few hours.
>
> Amanda.
>
> On Thu, 14 Sep 2000, Chris Calabrese wrote:
> > In almost every case, when I've reported these holes to the
> > vendors, they were ignored.  Since I am constrained in my
> > ability to disclose these holes to the general public (for
> > other reasons), the holes are still out there waiting to be
> > exploited.
> > This also matches my experience when I've worked
> > for major software vendors.  Security holes generally
> > are only addressed if genuine customers complain
> > about them, if the company's own IT shop complains
> > about them, or if some certification that's needed
> > for a big contract gets rejected because of them.

Attachment: christopher_calabrese.vcf
Description: Card for Chris Calabrese