Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634 (fwd)

[Alfred Huger <ah () SECURITYFOCUS COM>]

I am responding to this post personally as the VulnHelp address is not
really suited for it.

"Jim Duncan Wrote:"
> That's not true; the FIRST maintains a method for competing vendors to
> share sensitive information like this and to coordinate public
> announcements regarding vulnerabilities.

This may very well be the case, but curiously after asking several smaller
vendors (ie. not the Sun and HP's of the world) they had no idea such a
forum existed. For that matter niether did I, or anyone at SecurityFocus
including Elias. Is this a new service? I searched the CERT/CC and the
FIRST site for it to no avail. A URL would be greatly appreciated.

>  There have been major events
> in the past in which the Unix vendors that were members of FIRST at the
> time (http://www.first.org/team-info/) were brought together by one of
> the Unix vendors, advised of the vulnerability, worked out a schedule,
> and then fixed the problem.  When they were ready, they published all
> at the same time.

That's excellent. We are not arguing that it has never worked before, we
were stating that this type of event will most likely happen again. I am
not being a fatalist here, just pragmatic. Vendor cooperation is often
dismal and to be frank I doubt CERT/CC or anyone else currently in
the industry has the time, resources or will to address the situation. It
is I think a reality we are simply going to have live with and do our best
to circumvent.

For your example of 3 vulns where coordination worked I can give you 30
where it did not. Competing interests, timelines, egos etc. make this
an easily reproducable event.

> FIRST is often criticized, but it's better than nothing, and stating
> that there is no such forum is decidedly counterproductive.

So is keeping this forum a virtual secret. CERT/CC monitors this list,
some insight here would be appropriate. However, even with this forum
provided by FIRST it's unlikely to really address the problems we are
seeing. If the community in general had a great deal of faith in FIRST
organizations as a whole, Bugtraq would not be so busy. This is not a
condemnation of CERT/CC or FIRST it's simply a statement about the current
state of affairs in the community. I will be more than happy to take this
discussion offline with folks should they wish.


> > It's likely that this type of incident will happen again.
>
> Let's hope not.  This is outrageous, and shows a distinct lack of
> maturity in the industry.  To earn the respect of the rest of the
> world, we have to do better than this.  You can start by advocating
> involvement in existing organizations that _do_ work, rather than
> reconciling yourself to the opinion that it's hopeless.

The post was not a dooms day speech. The fact that we formed VulnHelp at
all shows that we still have hope. However, it's likely that this problem
will *always* be a problem. We just need to do our best to deal with it.

> Assume that mistakes _will_ happen; then what becomes important is how
> you handle them.  Let's learn from this and prevent it in the future.


Agreed.


-al

Alfred Huger
VP of Engineering
SecurityFocus.com