RE: [ISN] Full Disclosure: How Much Security Info Is Too Much?

From: InfoSec News (isnat_private)
Date: Fri Oct 05 2001 - 00:51:46 PDT


    Forwarded from: Marc Maiffret <marcat_private>
    
    Ya, Lyman is a good guy, just screwed the facts a bit. I've been meaning to
    email him to let him know that...
    
    I still hate the canned phrase "came under fire" since we never really
    did come under fire for anything. Unless coming under fire means two
    ignorant people rambled their mouths about a topic they had no
    understanding of. :-]
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    
    | -----Original Message-----
    | From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
    | Of InfoSec News
    | Sent: Thursday, October 04, 2001 1:05 AM
    | To: isnat_private
    | Subject: Re: [ISN] Full Disclosure: How Much Security Info Is Too Much?
    |
    |
    | Forwarded from: Kim Zetter/PCWORLD <kzetterat_private>
    |
    | Per Jay Lyman's story about full disclosure at NewsFactor Network
    | (http://www.newsfactor.com/perl/story/13871.html), he wrote:
    |
    | > Experts agree that advisories, by their very nature, may be a heads-up
    | > to hackers. eEye Security came under fire for disclosing the Code Red
    | > vulnerability in June before Microsoft had released a patch for the
    | > hole, and again for releasing detailed information after Code Red was
    | > controlled, which some blamed for the success of the Code Red II virus.
    |
    | I'm not sure where Lyman got his info but, according to eEye (and per
    | the story I wrote about it at
    | http://www.pcworld.com/news/article/0,aid,60744,00.asp )
    |
    | the company notified Microsoft of the vulnerability in May and waited
    | a month for the patch to be produced before making their announcement
    | simultaneously with Microsoft's posting of the patch in June.
    |
    | In fact, Marc Maiffret of eEye says that they were scheduled to post
    | the announcement a week earlier, but Microsoft contacted him to ask
    | for more time, saying there was a problem with the patch and they
    | needed another week to fix it.
    |
    | EEye complied. Jay Dyson correctly noted that Microsoft publicly
    | thanked the company for waiting until they had prepared the patch.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


