Full Disclosure mailing list archives
Re: OpenSSH - is X-Force really behind this?
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 22 Sep 2003 20:17:11 +0200 (CEST)
On Mon, 22 Sep 2003 Valdis.Kletnieks () vt edu wrote:
Charles Darwin and Alfred Wallace independently came up with the concept of natural selection.
The cycle of a vulnerability from discovery to publication (or leak) is probably around two weeks to one month on average, which is a fairly short timeframe. Collissions have happened in the past for more trivial issues, but this is not one of them - the vulnerability reported is a fairly non-obvious and obscure problem. This is, of course, not enough to rule out the problem was discovered by two sources at once, but I'd say it makes it highly unlikely, and this is the only reason I posted the initial message. What I find perplexing is the fact ISS was not credited by any major player reporting the vulnerability - OpenSSH team, CERT, CVE, Red Hat, you name it. I happened to work with them in the past, and I know most of them are very pedantic when it comes to crediting the source. That's simply strange. Even if there was an underground rumor about the problem making it to the vendors at roughly the same time ISS contacted them, the benefit of doubt would be most definitely granted to the well-established researchers, and the other channel would be considered an accidental leak, not a separate discovery path. So what happened? Did ISS report an already known problem, and were not credited because of this, or did they discover it, but the information leaked long before they decided to contact the vendors? Or are the vendors really naughty? -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2003-09-22 20:08 -- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- OpenSSH - is X-Force really behind this? Michal Zalewski (Sep 22)
- Re: OpenSSH - is X-Force really behind this? Valdis . Kletnieks (Sep 22)
- Re: OpenSSH - is X-Force really behind this? Michal Zalewski (Sep 22)
- Re: OpenSSH - is X-Force really behind this? Eric Rescorla (Sep 29)
- Re: OpenSSH - is X-Force really behind this? Michal Zalewski (Sep 22)
- <Possible follow-ups>
- Re: OpenSSH - is X-Force really behind this? Steven M. Christey (Sep 22)
- Re: OpenSSH - is X-Force really behind this? Valdis . Kletnieks (Sep 22)