Bugtraq mailing list archives
Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634 (fwd)
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Tue, 5 Sep 2000 09:02:46 -0700
I am responding to this post personally as the VulnHelp address is not really suited for it. Jim Duncan wrote:
That's not true; the FIRST maintains a method for competing vendors to share sensitive information like this and to coordinate public announcements regarding vulnerabilities.
This may very well be the case, but curiously, after asking several smaller vendors (i.e. not the Suns and HPs of the world), they had no idea such a forum existed. For that matter, neither did I, or anyone at SecurityFocus including Elias. Is this a new service? I searched the CERT/CC and the FIRST site for it to no avail. A URL would be greatly appreciated.
There have been major events in the past in which the Unix vendors that were members of FIRST at the time (http://www.first.org/team-info/) were brought together by one of the Unix vendors, advised of the vulnerability, worked out a schedule, and then fixed the problem. When they were ready, they published all at the same time.
That's excellent. We are not arguing that it has never worked before; we were stating that this type of event will most likely happen again. I am not being a fatalist here, just pragmatic. Vendor cooperation is often dismal and, to be frank, I doubt CERT/CC or anyone else currently in the industry has the time, resources or will to address the situation. It is, I think, a reality we are simply going to have to live with and do our best to circumvent. For your example of 3 vulns where coordination worked I can give you 30 where it did not. Competing interests, timelines, egos, etc. make this an easily reproducible event.
FIRST is often criticized, but it's better than nothing, and stating that there is no such forum is decidedly counterproductive.
So is keeping this forum a virtual secret. CERT/CC monitors this list; some insight here would be appropriate. However, even with this forum provided by FIRST, it's unlikely to really address the problems we are seeing. If the community in general had a great deal of faith in FIRST organizations as a whole, Bugtraq would not be so busy. This is not a condemnation of CERT/CC or FIRST; it's simply a statement about the current state of affairs in the community. I will be more than happy to take this discussion offline with folks should they wish.
It's likely that this type of incident will happen again.
Let's hope not. This is outrageous, and shows a distinct lack of maturity in the industry. To earn the respect of the rest of the world, we have to do better than this. You can start by advocating involvement in existing organizations that _do_ work, rather than reconciling yourself to the opinion that it's hopeless.
The post was not a doomsday speech. The fact that we formed VulnHelp at all shows that we still have hope. However, it's likely that this problem will *always* be a problem. We just need to do our best to deal with it.
Assume that mistakes _will_ happen; then what becomes important is how you handle them. Let's learn from this and prevent it in the future.
Agreed.

-al

Alfred Huger
VP of Engineering
SecurityFocus.com