nanog mailing list archives
RE: Vendor Vulnerability Release Problem
From: "Hannigan, Martin" <hannigan () verisign com>
Date: Tue, 1 Feb 2005 13:25:52 -0500
-----Original Message-----
From: mathews () uhunix2 hawaii edu [mailto:mathews () uhunix2 hawaii edu] On Behalf Of Robert Mathews
Sent: Tuesday, February 01, 2005 11:01 AM
To: Hannigan, Martin
Subject: Re: Vendor Vulnerability Release Problem

> On Tue, 1 Feb 2005, Hannigan, Martin wrote:
>
> > Date: Tue, 01 Feb 2005 01:17:42 -0500
> > From: "Hannigan, Martin" <hannigan () verisign com>
> > To: "'nanog () merit edu'" <nanog () merit edu>
> > Subject: Vendor Vulnerability Release Problem
> >
> > [ .... ]
> >
> > They did concur that the current system is broken. This is part of the reason I decided to post this. To let everyone know that this is a problem and the vendors agree.
>
> Martin:
>
> Thank you for posting this note, as the subject item is of immense interest to me personally, and to many within US Government. My question, which I will pose to you shortly -- is a broader one; one that goes beyond the world of ISPs and NSPs to the vastness of the IT world. Still, your concerns are very much valid in such an area as well. Before I go forward, I would like to disclose that I do not attend NANOG meetings regularly.
>
> With regard to your post Martin, I would like to ask you -- just how you see it, when you say: that "they did concur that the current system is broken." Studies done within Government indicate a LARGER problem than 'after-incident action' which directly points to vendor acknowledgement itself. I am not at liberty to provide further details of the studies but, it suffices to say that vendor behavior is seen as a significant problem. So, what of Vendor Behaviour?
There appeared to be a consensus that the current methodology is broken. The vendors stated this themselves. The two presenters would need to clarify that further. As far as vendor behavior is related, I can't comment on that. It was clear, at least to me, there is no transparent or uniform method of distributing serious vulnerabilities. At least that participants of NANOG are aware of. I will concur that the vendors may not currently have a way to proceed with these problems, but I don't know that the operator community, ground zero for these vulnerabilities, hasn't been consulted as a whole. ((archives)).
> > What I *was* disappointed in was the harsh criticism of DHS. The vendors called DHS and the Pentagon the biggest source of leaks related to 'their' security vulnerabilities. I don't know if that's true, but if they are, I hope they're leaking to the right people.
>
> Since I was not there for the discussion, I could not appropriately relate to the exchange held but, I would just like to understand if I may -- what the perception by the many gathered of DHS and the Pentagon were respectively.
My interpretation of the event was that the speakers considered DHS and the Pentagon to share some level of responsibility as to why vendors can't detail serious vulnerabilities. The feedback seemed to deride the Pentagon more than DHS. I can't gauge what the participants felt. As a guess, I think it was believable in the way it was presented. The overall impression was that the relevant government agencies are not credible. (I disagree from my own experience).
> If you feel that this matter would be of interest to the NANOG community, do feel free to re-post.
Reposted whole.
-M

> Thank you for your time Martin..
>
> Best,
> Robert.
>
> -------
> Robert Mathews, MSc. - Mgmt. (Honors), Ad.PD. - Econ. (Honors)
> Chancellor's Professor of Science &
> Distinguished Senior Scholar on National Security Affairs & U.S. Industrial Preparedness
> @ University of Hawai'i
> Telephone: 315.853.7853 (NY) / 703.655.7124 (VA/WDC)
> Telecopier: 808.933.3473 (HI) / 315.859.1998 (NY)
> E.mail: mathews () hawaii edu