Firewall Wizards mailing list archives

Re: recent disclosure debates


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 15 Dec 2002 21:42:24 -0500 (EST)


This part of Mark Sala's post caught my eye though, and reading through
the slashdot archive is interesting also:

http://developers.slashdot.org/comments.pl?sid=44855&threshold=-1&commentsort=0&tid=172&mode=thread&cid=4653012


Re:Did ISS tell bind maintainers?
by Florian Weimer (fw () deneb enyo de) on Tuesday
November 12, @06:43PM (#4655265)
(User #88405 Info | http://www.enyo.de/fw/)
Does anyone know if ISS did the right thing, or are
they being big doo-doo-heads?


In this case, ISS did not rush ahead. This was a
coordinated release. Of course, something went
horribly wrong, but I don't think ISS is to blame for
it (maybe they could have warned ISC that their
approach wouldn't work out, though).


Thanks,

Ron DuFresne


On Sun, 15 Dec 2002, Barney Wolff wrote:

> On Sun, Dec 15, 2002 at 09:14:53PM -0500, R. DuFresne wrote:
>
> > This posting was pretty enlightening on the issue:
>
> Well, no, it wasn't.  Despite all the verbiage, the fact remains that
> ISS released the vulnerability before patches were available to many
> or most of the people who needed them.  If ISC actually refused to
> release the patches until after the notice, one would think ISS would
> have said that, but they didn't.  So I'm forced to conclude that they
> released the notice on the scheduled day without checking that ISC
> had actually released the patches.  Both parties look very bad, but ISS
> is the one more immediately at fault for the premature release, imho.



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

