Bugtraq mailing list archives
Re: Cisco 675 Denial of Service Attack
From: Damir Rajnovic <gaus () CISCO COM>
Date: Wed, 6 Dec 2000 14:08:57 +0000
Hello again,

At 23:31 05/12/2000 -0800, J Edgar Hoover wrote:
> premium price for a premium brand product for my home, and now I'm following up by providing free a service that is worth more than the product itself.

We are doing what we can. If that is not sufficient we will try better. If we can not satisfy customers they can choose not to use Cisco. We know that we are not the only one (despite what marketing is saying). These are facts of life and we must live with them.

> It is the unfortunate truth that neither the advisory nor patch will help the average home user. They will probably never know about them. Which

Which is sad but true. Then again, we can not do anything there. We are trying to address forums like Bugtraq in a hope that people who are in charge will notice our advisories and upgrade their boxes. We can not force anyone to upgrade.

> brings up another point... why is a product like this, destined for a home user, shipped with such poor default security? The problems with SNMP have

Good question. I am also asking that question over and over. Not only for DSL. I still do not have an answer (well, I do, time to market, people do not pay for security but features, competitors, blah, blah) which will satisfy me.

> Cisco really think home users want anonymous remote users seeing their

Think? I do not think. Ask my wife, she will confirm that. PSIRT tries to correct things. Unfortunately, most of the people think in the terms of flashing lights and nice GUIs.

> The IP filter rules made mistakes wrt incoming and outgoing directions.

I will check that and if that is true it will be fixed (hopefully in 10 months or so 8-) ).

> Which situation is worse for the corporate bottom line, "Cisco releases patches for most of their routers" or "15 year old Canadian cripples internet with Cisco bug"?

I do not know. I ask people who are buying Cisco. Personally, I would love to be without both titles if possible. I do not consider releasing patches as a success. It is just a sign that we have not done the job properly the first time (whenever that was). Even less I would like your second title.

> You probably already have some highly skilled technical people. Do they audit products before they ship? Are recommendations applied to products before they go to market? If the answer is no, I'd say the core problem is more corporate than technical.

Answer to all questions is yes. We do have technical people and are seeking more. We do have recommendations and tests are done. Sometimes tests are not sufficient, sometimes something else happens to be broken. I can not answer that fully. We are using corporate and technical measures to fix whenever we find something that is broken. But still, shit happens.

Cheers,

Gaus
==============
Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There is no insolvable problems. Question remains: can you accept the solution?