RE: [ISN] Full Disclosure: How Much Security Info Is Too Much?

From: InfoSec News (isnat_private)
Date: Fri Oct 05 2001 - 00:51:46 PDT

Next message: InfoSec News: "RE: [ISN] Firing (and Hiring) Hackers"

Previous message: InfoSec News: "[ISN] MS Security Plan: OK, Kind Of"
Maybe in reply to: InfoSec News: "[ISN] Full Disclosure: How Much Security Info Is Too Much?"
Next in thread: InfoSec News: "Re: [ISN] Full Disclosure: How Much Security Info Is Too Much?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Marc Maiffret <marcat_private>

Ya Lyman is a good guy just screwed the facts a bit. I been meaning to
email him to let him know that...

I still hate the canned phrase "came under fire" since we never really
did come under fire for anything. Unless coming under fire means two
ignorant people rambled their mouths about a topic they had no
understanding of. :-]

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities


| -----Original Message-----
| From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
| Of InfoSec News
| Sent: Thursday, October 04, 2001 1:05 AM
| To: isnat_private
| Subject: Re: [ISN] Full Disclosure: How Much Security Info Is Too Much?
|
|
| Forwarded from: Kim Zetter/PCWORLD <kzetterat_private>
|
| Per Jay Lyman's story about full disclosure at NewsFactor Network
| (http://www.newsfactor.com/perl/story/13871.html), he wrote:
|
| > Experts agree that advisories, by their very nature, may be a heads-up
| > to hackers. eEye Security came under fire for disclosing the Code Red
| > vulnerability in June before Microsoft had released a patch for the
| > hole, and again for releasing detailed information after Code Red was
| > controlled, which some blamed for the success of the Code Red II virus.
|
| I'm not sure where Lyman got his info but, according to eEye (and per
| the story I wrote about it at
| http://www.pcworld.com/news/article/0,aid,60744,00.asp )
|
| the company notified Microsoft of the vulnerability in May and waited
| a month for the patch to be produced before making their announcement
| simultaneously with Microsoft's posting of the patch in June.
|
| In fact, Marc Maiffret of eEye says that they were scheduled to post
| the announcement a week earlier, but Microsoft contacted him to ask
| for more time, saying there was a problem with the patch and they
| needed another week to fix it.
|
| EEye complied. Jay Dyson correctly noted that Microsoft publicly
| thanked the company for waiting until they had prepared the patch.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "RE: [ISN] Firing (and Hiring) Hackers"
Previous message: InfoSec News: "[ISN] MS Security Plan: OK, Kind Of"
Maybe in reply to: InfoSec News: "[ISN] Full Disclosure: How Much Security Info Is Too Much?"
Next in thread: InfoSec News: "Re: [ISN] Full Disclosure: How Much Security Info Is Too Much?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 05 2001 - 03:32:47 PDT