Firewall Wizards mailing list archives

Re: recent disclosure debates


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 15 Dec 2002 21:14:53 -0500 (EST)


This posting was pretty enlightening on the issue:

Date: Sat, 16 Nov 2002 06:37:08 -0800 (PST)
From: <mark_sala () yahoo com>
Subject: bind 8 info update regarding ISS
To: bugtraq () securityfocus com

Upfront, I'd like to recognize that ISS has been doing a
great job at finding very critical but obscure
vulnerabilities in popular services.  I'm guessing
that there have been a lot of other security experts
that have audited the source code of Bind, SSH, etc.
and overlooked the discrepancies that ISS picks up on.

Russ Cooper, the Surgeon General of TruSecure, blasted
ISS publicly on the Symantec Bugtraq mailing list with
an opinion on how ISS is irresponsible for not working
with the ISC to properly patch Bind and how they
unethically updated their own products. 
http://online.securityfocus.com/archive/1/299751/2002-11-11/2002-11-17/0

Here's updated information that clears up whether ISS
was acting responsibly and properly gave notice to the
ISC BIND organization.  Maybe Russ should give ISS an
apology for jumping to conclusions without waiting for
facts.

http://developers.slashdot.org/comments.pl?sid=44855&threshold=-1&commentsort=0&tid=172&mode=thread&cid=4653012

Re:Did ISS tell bind maintainers? 

ISS and ISC worked together on this. ISS found the
vulns, ISC worked with the vendors, and both of us
worked with CERT and coordinated the announcements.

Paul Vixie
Chairman, ISC
 
Re:Did ISS tell bind maintainers? 
by Florian Weimer (fw () deneb enyo de) on Tuesday
November 12, @06:43PM (#4655265) 
(User #88405 Info | http://www.enyo.de/fw/)  
Does anyone know if ISS did the right thing, or are
they being big doo-doo-heads?

In this case, ISS did not rush ahead. This was a
coordinated release. Of course, something went
horribly wrong, but I don't think ISS is to blame for
it (maybe they could have warned ISC that their
approach wouldn't work out, though).  


http://online.securityfocus.com/archive/1/299873/2002-11-11/2002-11-17/0

Subject: Re: Bind 8 bug experience 
Date: Nov 14 2002 2:41PM 
Author: Olaf Kirch <okir () suse de> 
 
On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C. Reed wrote:
> But I see the patches were made October 30 (if the dates are reliable).

In fact I believe ISC have been sitting on this for
almost a month.
The CVE IDs were assigned October 16, and I have
reason to believe that they learned of this no later
than October 23.

Members of BIND Forum were notified last week, from
what I'm told.

In my opinion, the main reason for ISC to use this
method of distributing the patches rather than going
through established channels (such as CERT) was to be
able to convince software vendors and other bodies
using/distributing BIND to become a member of BIND
forum. I don't know if that worked out, but I have my
doubts.

From my experience of the past two days, I believe
they did not expect there to be such a demand for the
patches...


** My Own Msg below To Russ **

Regarding Russ Cooper trying to shoot the messenger,
where ISS has reported BIND vulnerabilities, I have
not seen any evidence of ISS acting irresponsibly.

It appears they have worked with the vendor to develop
patches and a fix. On ISC Bind's website, they thank
ISS in many places. ISS's advisory recommended several
work-arounds as well.  They did not release any
exploit code or demonstration code.  Their security
advisory is very benign compared to many other posts
on Bugtraq.

I don't understand Russ accusing ISS of violating the
code ethics of vulnerability disclosure by updating
their own security products against the
vulnerabilities.  It would seem ridiculous if they
DIDN'T update their products when they find
vulnerabilities.  I would hope any security company
who found vulnerabilities would update their products
as quickly as possible.  IMHO, if ISS finds a
vulnerability, they should update their products while
the vendor fixes their products.

If TruSecure, Russ Cooper's employer, ever found a
vulnerability, I would expect them to update their
products also. When's the last time TruSecure spent
any R&D Money finding vulnerabilities and released an
advisory?  

At least ISS is helping find these vulnerabilities,
working with the vendors to correct, and if they want
to update their products and make money off of it, so
be it.  We still do live in a capitalistic society.
ISS, Bindview, Foundstone, and any other security
company that finds holes and updates its products for
these new vulnerabilities will make their customers
more protected; I think that is why they are in
business and that's why they invest in finding
vulnerabilities and fixing them.

In the end, I'd rather have a security company find
the vulnerabilities and work with the vendor to fix,
than to stay in the dark and let the holes stay open
for intruders to exploit.

---
Mark Sala
System Admin



On Sun, 15 Dec 2002, Barney Wolff wrote:

> On Sun, Dec 15, 2002 at 07:49:02PM -0500, R. DuFresne wrote:
>
> > I'm wondering why all the fingers are pointing so dramatically at ISS and
> > why ISC has received little or no heat in the issue.  It appears in other
> > postings through bugtraq that ISS and ISC worked together for at least a
> > month on the issues ISS released their advisory on and for which patches
> > seem to be dated back to as ISC fixes to code.  From all the reading I've
> > followed there was a coordinated effort that failed when it came time to
> > make the patches available to the public, after members of BIND Forum were
> > notified and given advance patches.  So, I'm wondering why ISS got so much
> > bad press on this issue and ISC remained unscathed for the most part.
>
> Because, as I understand the events, ISS and ISC agreed in advance on
> a date for the patches to be available, but when the date came ISS
> released the vulnerability without checking that the patches were in
> fact available.  So for lack of a few minutes' effort a nasty situation
> was allowed to develop.  I'd welcome correction by anybody from ISS or
> ISC who actually knows what happened.



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

