Bugtraq mailing list archives

Re: CERT, CIAC, etc. and unethical practices


From: clavin () iag net (Chris Lavin)
Date: Sun, 22 Dec 1996 12:17:04 -0500


Ok,
        Well we tried this recently with Sun! Sun in no uncertain terms
told us OH WELL!...That comes right from the Manager of the Kernel group,
Myron Kashima!...We have found a problem with Solaris X86 2.5.1. We could
put together a little 20 line C program that would cause the kernel to hard
lock when a user opens a tcp socket to a machine that throws up a banner
reply (This includes Sun's own Mail machine). Well anyway we went around
with Sun for three months before we released the exploit to the newsgroups and
on bugtraq. We have tried the diplomatic route; IT DOESN'T WORK!..So maybe if
a few people start to crash X86 systems Sun will do the right thing and
fix the bug. Oh, did I fail to mention that Sun would be willing to fix the
bug if we BOUGHT a contract and paid them for their time?...Thanks

===============================================================================
       Chris Lavin <clavin () iag net> The Internet Access Group, Inc.
       801 W.Highway 436 - Suite 2151, Altamonte Springs, FL. 32714
                   Voice:407-786-1145, Fax:407-682-7327
===============================================================================


On Sat, 21 Dec 1996, d wrote:

>> In light of the recent discussion that has taken place in regards to
>> {CERT,CIAC,AUSCERT,HP,SGI,etc} and their lack of ethics when it comes
>> to crediting other peoples research; I am happy to announce a LARGE
>> company that just did the exact opposite!
>
> While I applaud lotus, and not to be a wet blanket or anything, I
> think that more companies would be more enthusiastic about acknowledging
> contributions of the people on these lists if they perceived us working
> with them, rather than against them.  Posting code to a list & telling the
> world in no uncertain terms that you think that they are complete
> assholes and idiots is not the best way to make friends with them.
> If you don't want to be friendly with 'em, I don't care myself - it's
> a free world (at least in many places.)  Just don't be too surprised when
> they say, essentially "fuck you" right back at ya by not giving you credit
> that you definitely deserve.
>
> One of the most effective things that I've seen (from working at cert and
> at a couple of unix vendors), if you want some sort of credit,
> is to simply notify the vendor/developers/CERTs/whatever of the problem
> *before* posting it to the list.  Give them a bit of time to work out a
> fix, and *then* post the details.  You might say that you don't know
> who to send things to or that they will just take too long to fix it
> and it's not worth your time, but I sometimes wonder how often people have
> even tried this approach lately - certainly I haven't seen much
> complaining lately about trying to talk to them *before* posting it on
> a list.  There are often sympathetic ears at some of these companies,
> although it can be hard to find them (and perhaps if anyone ever does
> find one at any company it might be worth posting about it and telling the
> rest of us who to contact in the future).
>
> Again, I think it's great what lotus did, and I'm certainly all for
> places like the l0pht and yuri and sod and so on (just to name a few
> places) - it's obvious that there are a lot of bright and talented
> people out here.  But I haven't seen much talent in the ol' PR dept.
> lately.
>
> Just some thoughts -
>
> -- d

