Dailydave mailing list archives

RE: Lynn / Cisco shellcode


From: Michael J Freeman <mfreeman451 () yahoo com>
Date: Thu, 28 Jul 2005 21:46:12 -0700 (PDT)

Of course you won't wait around; someone else might
publish it first and steal all the credit.

It makes sense in most cases for researchers not to
publish vulnerabilities until a patch is out. I think
people should do what eEye does: you have a
webpage saying "this is pending", or you release "half"
an advisory discussing the problem but not giving away
enough details. badpack3t most recently gave the
perfect example of this, putting out a screenshot of a
vulnerability in RDP. It certainly gained a lot of
attention and put a fire under Microsoft's butt,
without giving away the crown jewels.

2cents.



--- Dennis Cox <dcox () tippingpoint com> wrote:

I'm going to respond to myself - because I didn't
feel I was clear. My point is: if a vulnerability is
so severe and the company whose product has the
vulnerability takes an unreasonable amount of time
to resolve the issue, what route can one take? In
this case Cisco announced that it will issue the
security bulletin tomorrow, I believe. That's only
because Mr. Lynn forced their hand. I don't want
ISS, iDefense or, heck, my company sitting on a
vulnerability for a year or two just to appease some
company. There has to be some other alternative. The
security companies don't have one; their lawyers
force them to keep quiet would be my guess.

One could go anonymous of course, but that's scary in
many regards; something has to have teeth.

So does that mean that perhaps the government (or a
government-type agency, e.g. the UN) should become a
notification point for vulnerabilities in the
future? I realize it's got tons of downsides (too
numerous to list), but the upside is pressure. They
can put tons of pressure on Cisco and Oracle (700
days was mentioned before, which is an ungodly
amount of time) to fix the vulnerability by denying
government purchases of that vendor's equipment
until such a time as the vulnerability is resolved.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com

https://lists.immunitysec.com/mailman/listinfo/dailydave
