Firewall Wizards mailing list archives

Re: recent disclosure debates


From: Adam Shostack <adam () homeport org>
Date: Mon, 16 Dec 2002 15:44:15 -0500

On Sun, Dec 15, 2002 at 09:33:05PM -0500, Barney Wolff wrote:
| On Sun, Dec 15, 2002 at 09:14:53PM -0500, R. DuFresne wrote:
| > 
| > This posting was pretty enlightening on the issue:
| 
| Well, no, it wasn't.  Despite all the verbiage, the fact remains that
| ISS released the vulnerability before patches were available to many
| or most of the people who needed them.  If ISC actually refused to
| release the patches until after the notice, one would think ISS would
| have said that, but they didn't.  So I'm forced to conclude that they
| released the notice on the scheduled day without checking that ISC
| had actually released the patches.  Both parties look very bad, but ISS
| is the one more immediately at fault for the premature release, imho.

ISS has released 22 or so advisories this year.[1] They messed up on
one of them.  There's always a last minute flurry of stuff that
happens in these coordinated releases.  Vendors who have been silent
pop up asking for extra time.  Someone realizes that the text of
announcements is out of whack.  Exploit code surfaces outside.  Etc.

While it was painful for everyone who runs bind to have a disjoint
release, ISS's error rate is under 10% for the year.  Redhat has also
jumped the gun, and I'm sure others have, and will again.

I think a more important issue is ISC's possible use of a problem in
their free software to get people to buy into a consortium.  ISS made a
mistake; ISC may be using their position to differentially allow users
of their software to secure themselves.  That's a business choice, and
I think it's a bad one for a maker of free software.

Adam

1: http://bvlive01.iss.net/issEn/delivery/xforce/alerts.jsp?type=Alerts
(javascript required?)

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards