Re: OpenSSH - is X-Force really behind this?

[Michal Zalewski <lcamtuf () ghettot org>]

On Mon, 22 Sep 2003 Valdis.Kletnieks () vt edu wrote:

> Charles Darwin and Alfred Wallace independently came up with
> the concept of natural selection.

The cycle of a vulnerability from discovery to publication (or leak) is
probably around two weeks to one month on average, which is a fairly short
timeframe. Collissions have happened in the past for more trivial issues,
but this is not one of them - the vulnerability reported is a fairly
non-obvious and obscure problem.

This is, of course, not enough to rule out the problem was discovered by
two sources at once, but I'd say it makes it highly unlikely, and this is
the only reason I posted the initial message.

What I find perplexing is the fact ISS was not credited by any major
player reporting the vulnerability - OpenSSH team, CERT, CVE, Red Hat, you
name it. I happened to work with them in the past, and I know most of them
are very pedantic when it comes to crediting the source.  That's simply
strange.

Even if there was an underground rumor about the problem making it to the
vendors at roughly the same time ISS contacted them, the benefit of doubt
would be most definitely granted to the well-established researchers, and
the other channel would be considered an accidental leak, not a separate
discovery path.

So what happened? Did ISS report an already known problem, and were not
credited because of this, or did they discover it, but the information
leaked long before they decided to contact the vendors? Or are the vendors
really naughty?

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-22 20:08 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html