Full Disclosure mailing list archives

Re: [VulnDiscuss] HP Full Disclosure Story


From: full-disclosure () lists netsys com (Ron DuFresne)
Date: Sun, 25 Aug 2002 21:10:02 -0500 (CDT)

Of course your interpretation of events does not account for two other
matters:

HP's recent threats towards snosoft

And Tamir's not being an American or English speaker by first order. I
feel in this case, if HP wanted to not be misconstrued, they would have
gone much farther out of their way to attempt to clarify their stand
*prior* to making the threats they did.  Their jumping right into threat
mode seems to back up the first point made, that the snosoft deal had left
HP in a situation of thinking they could roll over any researchers who
found their errors and were not satisfied with taking an eternity on the
backfield.

Thanks,

Ron DuFresne


On Sun, 25 Aug 2002, Jonathan Rickman wrote:

On Fri, 23 Aug 2002, Kevin Spett wrote:

I think it'd be great if people made a habit of posting researcher-vendor
communications like this.  They say a lot about a company's attitude and
policy regarding security and can help sysadmins, developers, security
professionals, etc. decide whether they would want to buy from them.  This
would be a good way for vendors to show the community that they react to
reports of vulnerabilities in a responsible, communicative and friendly
manner.  It would also be a good way to expose vendors such as HP who fail
miserably to do so.

I think it is also very important to keep all parts of the conversation
intact. There is a significant portion of this particular conversation
that was not included, which I suspect, sent the conversation on the
downward spiral. No offense to Tamer, but this strikes me as a case of a
researcher who insisted on setting HP's rules for them "on the fly" as it
were. HP has a policy in place. Flawed or not, they have to work within
the confines of that policy. They were fairly candid with you...and I
quote:

"Let me be very candid here, you are not the first to assume
that a $50 billion corporation will drop all the other security
issues we are working on in order to work on yours because
you threaten to publish. It has never changed the course of
our work internally; we will continue to work on the issue
until it is tested and finished."

Honestly, that sounds pretty reasonable to me, considering that we do not
have the privilege of reading the communication from you. For all we know,
your email to them, consisted of "ph33r m3 HP, eye will dr0p dis 0day b0mb
on yo @z in 10 minutes if joo do not r3zpect my skillz!!!" Once again,
Tamer, no offense intended, but that part of the conversation does seem to
be critical, since that's where things turned south. As for their
September 11th remarks, I consider that pretty tasteless and cliche, and I
seriously doubt that that is the "Company Line", but rather the work of
one individual who has not learned to toe that "Company Line" quite right.

Another possibility is that the folks at HP were slow to pick up on the
fact that English is obviously not your first language, and ask for
further clarification. Sometimes that is a source of confusion, even
when dealing with someone who writes fairly well, such as yourself.

I think Dan at HP summed the whole thing up best when he said,
"We did reply, and you are making the assumption that your
issue is the only one we have to work on, and that it is
the most important."

I suspect that he hit the proverbial nail right on the head with that one.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
