Full Disclosure mailing list archives
it's all about timing
From: full-disclosure () lists netsys com (Don)
Date: Thu, 1 Aug 2002 12:27:59 -0700
Well, by your own admission, HP's legal department was strong-arming you, which is just plain wrong. It seems to me, from what I have read around here and on other lists, that the story is not smeared at all. My understanding of the story was, and still is, that HP thinks they are too big and have good lawyers, and thus think they have a right to threaten you and the public. And according to you, that is exactly the way it is; no smearing involved. And btw, it is quite honorable and admirable that you and your team worked for so long and so hard to help HP; too bad they haven't shown the same type of attitude towards you as well. High five to you on that. I find it despicable that HP would even suggest any legal action against you in this matter. And as a result, I find myself looking at other manufacturers' printers; any HP product will be the last on my list to be considered. Good job HP, another happy customer. Please note the sarcasm in that statement.

Don
-----Original Message-----
From: John Scimone [mailto:sert () snosoft com]
Sent: Wednesday, July 31, 2002 12:57 PM
To: full-disclosure () lists netsys com; Florin Andrei; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] it's all about timing

I agree with this. However, in the Snosoft case the facts have been smeared by all the different stories going around. I will not get into it in detail, but we have been working with HP on this for 4+ months, bending over backwards for them to keep everything out of the eyes of the public, all the time putting up with threats of suit for nonsense issues. The bottom line is that we went above and beyond what is reasonable for a research group to do because we knew how serious the issue is, and after managing to do this for so long something got leaked, which was inevitable with the amount of people working on the problem. I believe if, instead of it being a leak, we had released an advisory on the issue (we couldn't do this b/c of HP's legal department strong-arming us) after 2 months, never mind 4 months, it would have been more than reasonable. Look for an official statement tonight on our website www.snosoft.com with the exact details, but I'm sick of going through the day listening to the facts get smeared b/c of false reports.

-sert

On Wednesday 31 July 2002 09:26 pm, Florin Andrei wrote:
> (I'm going to go a little bit further from the HP/Snosoft case, so don't be surprised if some of the statements below do not fit 100% in that case)
>
> All these problems will vanish if people choose to disclose vulnerabilities in a responsible way. Sure, HP's response has been harsh. But every security problem (especially when it's accompanied by an exploit) should be reported first to the vendor! There should be no exception to this rule. The person doing the reporting should give the vendor a reasonable period of time to fix it; say, a few weeks or so.
>
> Only if the vendor does nothing in these weeks, only then should the report/exploit/whatever be made public.
>
> If hacker H writes a comment on Slashdot, making public an exploit against some software made by vendor V, and does not notify V in advance (say, 2...4 weeks in advance), and then V sues H, then who's right?
>
> H is right, because (s)he disclosed a vulnerability, and disclosing is good.
> V is right, because, not being warned in advance, their customers are left to the mercy of script kiddies.
> H is wrong, because (s)he's obviously looking for cheap publicity (I published a zero-day exploit; mine is bigger), not for improving security.
> V is wrong, because they are filing a lawsuit against open disclosure, which is not a good thing.
>
> See? And the solution is so simple: DO NOT publish "zero-day exploits". Give the damn vendors an early warning. Only if they are lazy and do nothing within a reasonable time (2...4 weeks), only then are you entitled to go slashdot-happy.
>
> I'm a big fan of open disclosure, freedom of speech, etc. But people who look for cheap publicity are not my favourites. If H is going to publish the exploit without early warning, I'll say V has all the rights in the world to sue the crap out of H, and put him (her) in jail for one thousand years, and I'll applaud that.
>
> However, if there was an early warning, within a reasonable time, like one month or so (unlike some popular security companies did recently), and the vendor did nothing and didn't provide a good reason for the delay (because such reasons could exist, if you think of it), then H is 100% entitled to publish whatever exploit he likes.
>
> It's all about timing. It's all about being reasonable.