Information Security News mailing list archives

Re: Instant Messenger flaw fixed; hackers criticized for little warning


From: InfoSec News <isn () c4i org>
Date: Mon, 7 Jan 2002 01:28:11 -0600 (CST)

Forwarded from: Aj Effin Reznor <aj () reznor com>

"InfoSec News was known to say....."
 
"I think that's pretty dangerous," said Chris Wysopal of the
security company AtStake, "especially since they pretty much
acknowledged that they hadn't gotten a response back from AOL
yet."

Russ Cooper, who moderates a popular security mailing list and
works for the security firm TruSecure, said Conover's action was
irresponsible because it helped hackers.

"I think it's better to provide details of the exploit and then
let other people write the actual code," Cooper said. "It lets the
technical community have the information they need without letting
idiots have the information they want."


Without (again) igniting the flames of full disclosure (cuz c'mon, we
all know knowledge is power, right? ;) and not to contradict Mr.
Wysopal and Mr. Cooper, whom I both respect greatly, we do need to
question the silence from AOL.  It sounds, and no specifics were
given, as tho w00w00 waited the better part of a working week to hear
back from AOL.

RFP's excellent disclosure notification guidelines give five (5)
working days for a response to be made from vendor to person(s)
notifying of a potential vulnerability.

FIVE days to *respond*.  Not to patch, not to rewrite code, just to
send a simple *email* back.  Those not familiar with the guidelines I
mention may find them at: http://www.wiretrip.net/rfp/policy.html

I can't say if w00w00 would have delayed their disclosure, and thing
is, neither can anyone else *but* w00w00.  However, AOL's muteness is
not only deplorable but sadly, expected, and largely typical.

1 email.  Prevent fiasco.  *duh*

Do I think AOL "got what they deserve" ?  Maybe.  Haven't made up my
mind yet....

Also, while I'm at it (for those still reading :) I do believe Mr.
Cooper and Mr. Wysopal missed out that w00w00 was using this to
leverage the lunacy which is the DMCA.  Sure, they'd prolly have
released their exploit code anyways, but (A) they made it far less
harmless than it easily could have been and (B) the DMCA is still a
joke, which more people should really do something about.


-aj.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.