Firewall Wizards mailing list archives
Re: recent disclosure debates
From: Paul Robertson <proberts () patriot net>
Date: Mon, 16 Dec 2002 18:30:21 -0500 (EST)
[Once again, this is my personal opinion, and not the position of TruSecure.]

On Mon, 16 Dec 2002, Adam Shostack wrote:
> ISS has released 22 or so advisories this year.[1] They messed up on one of them. There's always a last minute flurry of stuff that happens in these coordinated releases. Vendors who have been silent pop up asking for extra time. Someone realizes that the text of announcements is out of whack. Exploit code surfaces outside. Etc.
By ISS' admission at the time, no 3rd party exploit code seemed to exist.
> While it was painful for everyone who runs bind to have a disjoint release, ISS's error rate is under 10% for the year. Redhat has also jumped the gun, and I'm sure others have, and will again.
We're talking about a product that has lots of ties into OS vendors, none of whom had time to ship new releases. Error rate doesn't make a whole bunch of difference when you're talking critical infrastructure. Error rate doesn't matter for the victims of attacks who have no protection and can't replace shipping vendor versions without voiding support contracts... We should expect better of the security community. If it's worth it for ISS to not just let ISC give them credit, and follow up with that, then it's worth it for them to take responsibility for the results of their actions. Bad marketing decisions _should_ cost you- especially when those marketing decisions put thousands at risk.
> I think a more important issue is ISC's possible use of a problem in their free software to get people to buy into a consortia. ISS made a mistake, ISC may be using their position to differentially allow users of their software to secure themselves. That's a business choice, and I think it's a bad one for a maker of free software.
Indeed, I wholeheartedly agree with you. But this isn't an OR condition, it's an AND condition, and both parties need to do better if they're going to be seen as responsible entities. I'm going through the pain of switching to djbdns for my personal systems because of ISC's handling of this incident. It certainly worries me more than ISS's culpability, but I don't think that gives them absolution from criticism. I also think that ISC has made their position clear in the past, and ISS seemed to be going against the formal disclosure policy they seem to have agreed to- it seems to me that was the basis of Russ' comments that Ron pointed to.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards