Re: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning

From: InfoSec News (isnat_private)
Date: Sun Jan 06 2002 - 23:28:11 PST

  • Next message: InfoSec News: "[ISN] DOD bills bolster anti-terrorism spending"

    Forwarded from: Aj Effin Reznor <ajat_private>
    "InfoSec News was known to say....."
    > "I think that's pretty dangerous," said Chris Wysopal of the
    > security company AtStake, "especially since they pretty much
    > acknowledged that they hadn't gotten a response back from AOL
    > yet."
    > Russ Cooper, who moderates a popular security mailing list and
    > works for the security firm TruSecure, said Conover's action was
    > irresponsible because it helped hackers.
    > "I think it's better to provide details of the exploit and then
    > let other people write the actual code," Cooper said. "It lets the
    > technical community have the information they need without letting
    > idiots have the information they want."
    Without (again) igniting the flames of full disclosure (cuz c'mon, we
    all know knowledge is power, right? ;) and not to contradict Mr.
    Wysopal and Mr. Cooper, whom I both respect greatly, we do need to
    question the silence from AOL.  It sounds, and no specifics were
    given, as tho w00w00 waited the better part of a working week to hear
    back from AOL.
    RFP's excellent disclosure notification guidelines gives five (5)
    working days for a response to be made from vendor to person(s)
    notifying of a potential vulnerability.
    FIVE days to *respond*.  Not to patch, not to rewrite code, just to
    send a simple *email* back.  Those not familiar with the guidelines I
    mention may find them at:
    I can't say if w00w00 would have delayed their disclosure, and thing
    is, neither can anyone else *but* w00w00.  However, AOL's muteness is
    not only deplorable but sadly, expected, and largely typical.
    1 email.  Prevent fiasco.  *duh*
    Do I think AOL "got what they deserve" ?  Maybe.  Haven't made up my
    mind yet....
    Also, while I'm at it (for those still reading :) I do believe Mr.
    Cooper and Mr. Wysopal missed out that w00w00 was using this to
    leverage the lunacy which is the DMCA.  Sure, they'd prolly have
    released their exploit code anyways, but (A) they made it far less
    harmless than it easily could have been and (B) the DMCA is still a
    joke, which more people should really do something about.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 09:57:55 PST