Firewall Wizards mailing list archives
Re: recent disclosure debates
From: Adam Shostack <adam () homeport org>
Date: Mon, 16 Dec 2002 15:44:15 -0500
On Sun, Dec 15, 2002 at 09:33:05PM -0500, Barney Wolff wrote:
| On Sun, Dec 15, 2002 at 09:14:53PM -0500, R. DuFresne wrote:
| >
| > This posting was pretty enlightening on the issue:
|
| Well, no, it wasn't. Despite all the verbiage, the fact remains that
| ISS released the vulnerability before patches were available to many
| or most of the people who needed them. If ISC actually refused to
| release the patches until after the notice, one would think ISS would
| have said that, but they didn't. So I'm forced to conclude that they
| released the notice on the scheduled day without checking that ISC
| had actually released the patches. Both parties look very bad, but ISS
| is the one more immediately at fault for the premature release, imho.

ISS has released 22 or so advisories this year.[1] They messed up on one of them. There's always a last minute flurry of stuff that happens in these coordinated releases. Vendors who have been silent pop up asking for extra time. Someone realizes that the text of announcements is out of whack. Exploit code surfaces outside. Etc.

While it was painful for everyone who runs bind to have a disjoint release, ISS's error rate is under 10% for the year. Redhat has also jumped the gun, and I'm sure others have, and will again.

I think a more important issue is ISC's possible use of a problem in their free software to get people to buy into a consortium. ISS made a mistake, ISC may be using their position to differentially allow users of their software to secure themselves. That's a business choice, and I think it's a bad one for a maker of free software.

Adam

1: http://bvlive01.iss.net/issEn/delivery/xforce/alerts.jsp?type=Alerts (javascript required?)

--
"It is seldom that liberty of any kind is lost all at once." -Hume
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards