RE: Vendor Vulnerability Release Problem

["Hannigan, Martin" <hannigan () verisign com>]

> -----Original Message-----
> From: mathews () uhunix2 hawaii edu [mailto:mathews () uhunix2 hawaii edu]On
> Behalf Of Robert Mathews
> Sent: Tuesday, February 01, 2005 11:01 AM
> To: Hannigan, Martin
> Subject: Re: Vendor Vulnerability Release Problem
>
>
>
>
> On Tue, 1 Feb 2005, Hannigan, Martin wrote:
>
> > Date: Tue, 01 Feb 2005 01:17:42 -0500
> > From: "Hannigan, Martin" <hannigan () verisign com>
> > To: "'nanog () merit edu'" <nanog () merit edu>
> > Subject: Vendor Vulnerability Release Problem
> >
> >
> >             [ .... ]
> >
> > They did concur that the current system is broken. This is 
> part of the
> > reason I decided to post this. To let everyone know that this is a
> > problem and the vendors agree.
>
>
> Martin:
>
> Thank you for posting this note, as the subject item is of immense
> interest to me personally, and to many within US Government.  
> My question,
> which I will pose to you shortly -- is a broader one; one 
> that goes beyond
> the world of ISPs and NSPs to the vastness of the IT world. 
> Still, your
> concerns are very much valid in such an area as well.
>
> Before I go forward, I would like to disclose that I do not 
> attend NANOG
> meetings regularly.
>
> With regard to your post Martin, I would like to ask you -- 
> just how you
> see it, when you say: that "they did concur that the current system is
> broken."  Studies done within Government indicate a LARGER 
> problem than
> 'after-incident action' which directly points to vendor 
> acknowledgement
> itself.  I am not at liberty to provide further details to 
> the studies or
> their details but, it suffices to say that vendor behavior 
> is seen as a
> significant problem.  So, what of Vendor Behaviour?

There appeared to be a consensus that the current methodology
is broken. The vendors stated this themselves. The two presenters
would need to clarify that further.

As far as vendor behavior is related, I can't comment on that. 

It was clear, at least to me, there is no transparent or uniform 
method of distributing serious vulnerabilities. At least that 
participants of NANOG are aware of. 

I will concur that the vendors may not currently have a way
to proceed with these problems, but I don't know that the operator
community, 
ground zero for these vulnerabilities, hasn't been consulted as a 
whole. ((archives)).

> > I *was disappointed in was the harsh criticism of DHS. The 
> vendors called
> > DHS and the Pentagon the biggest source of leaks related to 
> 'their' security
> > vulnerabilities. I don't know if that's true, but if they 
> are, I hope
> > they're leaking to the right people.
>
>
> Since I was not there for the discussion, I could not 
> appropriately relate
> to the exchange held but, I would just like to understand if 
> I may -- what
> the perception by the many gathered of DHS and the Pentagon were
> respectively.

My interpretation of the event was that the speakers considered
DHS and the Pentagon to share some level of responsibility as to
why vendors can't detail serious vulnerabilities. The feedback
seemed to deride the Pentagon more than DHS. I can't gauge what
the participants felt. As a guess, I think it was believable in 
the way it was presented.

The overall impression was that the relevant government 
agencies are not credible. (I disagree from my own experience).


> If you feel that this matter would be of interest to the 
> NANOG community,
> do feel free to re-post.

Reposted whole.

> > -M<
>
> Thank you for your time Martin..
>
>
> Best,
> Robert.
> -------
>
> **************************************************************
> *************
> * Robert Mathews, MSc. - Mgmt. (Honors), Ad.PD. - Econ. (Honors)
> * Chancellor's Professor of Science &
> * Distinguished Senior Scholar on
> * National Security Affairs & U.S Industrial Preparedness
> * @ University of Hawai'i
> * Telephone:  315.853.7853 (NY) / 703.655.7124 (VA/WDC)
> * Telecopier: 808.933.3473 (HI) / 315.859.1998 (NY)
> * E.mail: mathews () hawaii edu