Firewall Wizards mailing list archives
Re: recent disclosure debates
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 15 Dec 2002 22:03:24 -0500 (EST)
[This is purely my personal perspective on this issue, and isn't intended to be the position of TruSecure. I originally wrote my thoughts up on the events back when the disclosure happened; there's enough blame to go around, and I think it's been hashed enough, so I won't post my rant unless there are specific things that need to be addressed, but I'd like to comment on some of the things here...]

On Sun, 15 Dec 2002, R. DuFresne wrote:
> This posting was pretty enlightening on the issue:

I beg to differ...
> Date: Sat, 16 Nov 2002 06:37:08 -0800 (PST)
> From: <mark_sala () yahoo com>
> Subject: bind 8 info update regarding ISS
> To: bugtraq () securityfocus com
>
> Upfront, I'd like to recognize that ISS has been doing a great job at finding very critical but obscure vulnerabilities in popular services. I'm guessing that there have been a lot of other security experts who have audited the source code of Bind, SSH, etc. and overlooked the discrepancies that ISS picks up on.
>
> Russ Cooper, the Surgeon General of TruSecure, blasted ISS publicly on the Symantec Bugtraq mailing list with an opinion on how ISS is irresponsible for not working with the ISC to properly patch Bind and how they unethically updated their own products.
> http://online.securityfocus.com/archive/1/299751/2002-11-11/2002-11-17/0
No, what Russ blasted ISS for was for not following the rules of OIS, an organization that ISS is a member of, so obviously for not following the disclosure rules that ISS itself agreed to. Anything else is a mischaracterization of Russ' posting. Blaming ISC doesn't absolve ISS of its duty in being a good security company instead of the bearer of harmful information. While ISS certainly has a right to use vulnerability information as marketing collateral, part of the responsibility that comes from doing so is taking the lumps that get handed out when you do that and things go wrong.

[snip]
> If TruSecure, Russ Cooper's employer, ever found a vulnerability, I would expect them to update their products also. When's the last time TruSecure spent any R&D money finding vulnerabilities and released an advisory?
TruSecure doesn't do press releases based on vulnerabilities we find, any more than we do them on vulnerabilities other people find. A lot of that has to do with our prior agreements with security product vendors through ICSA Labs, though most of us[2] really wouldn't be comfortable with our marketing department getting in the middle of a research <-> vendor or Labs <-> vendor relationship (even when that vendor isn't a customer.)

We've found vulnerabilities in the past, and we've worked with others who discovered vulnerabilities in the past. In none of those cases[1] have we alerted our marketing department, issued press releases, or even issued customer advisories in cases where fixes weren't already verified as available, if the vulnerability wasn't public.

"First, do no harm" is a standard that should apply to security companies. "First, do marketing" doesn't seem to have the same ring to it.

Even before I worked at TruSecure, I reported vulnerabilities to vendors directly, and let them fix them and notify their customers about them. That's stood me in good stead with several vendors over time.

Paul

[1] To the best of my knowledge for the almost 3 years I've been with ICSA/TruSecure, and everything I've heard before that timeframe.
[2] I think I speak for everyone in Research and the Labs when I say this.

-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment
                             TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards