Firewall Wizards mailing list archives

Re: recent disclosure debates


From: Paul Robertson <proberts () patriot net>
Date: Mon, 16 Dec 2002 18:30:21 -0500 (EST)

On Mon, 16 Dec 2002, Adam Shostack wrote:
[Once again, this is my personal opinion, and not the position of 
TruSecure.]

> ISS has released 22 or so advisories this year.[1] They messed up on
> one of them.  There's always a last minute flurry of stuff that
> happens in these coordinated releases.  Vendors who have been silent
> pop up asking for extra time.  Someone realizes that the text of
> announcements is out of whack.  Exploit code surfaces outside.  Etc.

By ISS' admission at the time, no 3rd party exploit code seemed to exist.

> While it was painful for everyone who runs bind to have a disjoint
> release, ISS's error rate is under 10% for the year.  Redhat has also
> jumped the gun, and I'm sure others have, and will again.

We're talking about a product that has lots of ties into OS vendors, none 
of whom had time to ship new releases.  Error rate doesn't make a whole 
bunch of difference when you're talking critical infrastructure.  Error 
rate doesn't matter for the victims of attacks who have no protection and 
can't replace shipping vendor versions without voiding support 
contracts...  We should expect better of the security community.

If it's worth it for ISS to not just let ISC give them credit, and follow 
up with that, then it's worth it for them to take responsibility for the 
results of their actions.  Bad marketing decisions _should_ cost you- 
especially when those marketing decisions put thousands at risk.

> I think a more important issue is ISC's possible use of a problem in
> their free software to get people to buy into a consortia.  ISS made a
> mistake, ISC may be using their position to differentially allow users
> of their software to secure themselves.  That's a business choice, and
> I think it's a bad one for a maker of free software.

Indeed, I wholeheartedly agree with you.  But this isn't an OR condition, 
it's an AND condition, and both parties need to do better if they're going 
to be seen as responsible entities.  

I'm going through the pain of switching to djbdns for my personal systems 
because of ISC's handling of this incident.  It certainly worries me more 
than ISS's culpability, but I don't think that gives them absolution from 
criticism.  I also think that ISC has made their position clear in the 
past, and ISS seemed to be going against the formal disclosure policy they 
seem to have agreed to- it seems to me that was the basis of Russ' 
comments that Ron pointed to.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

