Firewall Wizards mailing list archives

Re: recent disclosure debates


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 15 Dec 2002 22:03:24 -0500 (EST)

On Sun, 15 Dec 2002, R. DuFresne wrote:

[This is purely my personal perspective on this issue, and isn't intended 
to be the position of TruSecure.  I originally wrote my thoughts up on 
the events back when the disclosure happened; there's enough blame to go 
around, and I think it's been hashed enough, so I won't post my rant 
unless there are specific things that need to be addressed, but I'd like to 
comment on some of the things here...]

> This posting was pretty enlightening on the issue:


I beg to differ...

> Date: Sat, 16 Nov 2002 06:37:08 -0800 (PST)
> From: <mark_sala () yahoo com>
> Subject: bind 8 info update regarding ISS
> To: bugtraq () securityfocus com
> 
> Up front, I'd like to recognize that ISS has been doing a
> great job at finding very critical but obscure
> vulnerabilities in popular services.  I'm guessing
> that there have been a lot of other security experts
> that have audited the source code of Bind, SSH, etc.
> and overlooked the discrepancies that ISS picks up on.
> 
> Russ Cooper, the Surgeon General of TruSecure, blasted
> ISS publicly on the Symantec Bugtraq mailing list with
> an opinion on how ISS is irresponsible for not working
> with the ISC to properly patch Bind and how they
> unethically updated their own products.
> http://online.securityfocus.com/archive/1/299751/2002-11-11/2002-11-17/0


No, what Russ blasted ISS for was not following the rules of OIS, an 
organization that ISS is a member of; in other words, for not following the 
disclosure rules that ISS itself agreed to.  Anything else is a 
mischaracterization of Russ' posting.

Blaming ISC doesn't absolve ISS of its duty to be a good security 
company instead of the bearer of harmful information.  While ISS certainly 
has a right to use vulnerability information as marketing collateral, 
part of the responsibility that comes from doing so is taking the lumps 
that get handed out when you do that and things go wrong.

[snip]

> If TruSecure, Russ Cooper's employer, ever found a
> vulnerability, I would expect them to update their
> products also. When's the last time TruSecure spent
> any R&D Money finding vulnerabilities and released an
> advisory?

TruSecure doesn't do press releases based on vulnerabilities we find, any 
more than we do them on vulnerabilities other people find.  A lot of that 
has to do with our prior agreements with security product vendors through 
ICSA Labs, though most of us[2] really wouldn't be comfortable with our 
marketing department getting in the middle of a research <-> vendor or 
Labs <-> vendor relationship (even when that vendor isn't a customer).

We've found vulnerabilities in the past, and we've worked with others who 
discovered vulnerabilities in the past; in none of those cases[1] 
have we alerted our marketing department, issued press releases, or even 
issued customer advisories where fixes weren't already verified as 
available and the vulnerability wasn't public.

"First, do no harm" is a standard that should apply to security companies.
"First, do marketing" doesn't seem to have the same ring to it.

Even before I worked at TruSecure, I reported vulnerabilities to vendors 
directly, and let them fix them and notify their customers about them.  
That's stood me in good stead with several vendors over time. 


Paul
[1] To the best of my knowledge for the almost 3 years I've been with 
ICSA/TruSecure, and everything I've heard before that timeframe.
[2] I think I speak for everyone in Research and the Labs when I say this.  
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards