Re: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning

From: InfoSec News (isnat_private)
Date: Sun Jan 06 2002 - 23:28:11 PST

Next message: InfoSec News: "[ISN] DOD bills bolster anti-terrorism spending"

Previous message: InfoSec News: "[ISN] Learning to love the computer, warts and all"
Maybe in reply to: InfoSec News: "[ISN] Instant Messenger flaw fixed; hackers criticized for little warning"
Next in thread: InfoSec News: "RE: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Aj Effin Reznor <ajat_private>

"InfoSec News was known to say....."
 
> "I think that's pretty dangerous," said Chris Wysopal of the
> security company AtStake, "especially since they pretty much
> acknowledged that they hadn't gotten a response back from AOL
> yet."
> 
> Russ Cooper, who moderates a popular security mailing list and
> works for the security firm TruSecure, said Conover's action was
> irresponsible because it helped hackers.
> 
> "I think it's better to provide details of the exploit and then
> let other people write the actual code," Cooper said. "It lets the
> technical community have the information they need without letting
> idiots have the information they want."


Without (again) igniting the flames of full disclosure (cuz c'mon, we
all know knowledge is power, right? ;) and not to contradict Mr.
Wysopal and Mr. Cooper, whom I both respect greatly, we do need to
question the silence from AOL.  It sounds, and no specifics were
given, as tho w00w00 waited the better part of a working week to hear
back from AOL.

RFP's excellent disclosure notification guidelines gives five (5)
working days for a response to be made from vendor to person(s)
notifying of a potential vulnerability.

FIVE days to *respond*.  Not to patch, not to rewrite code, just to
send a simple *email* back.  Those not familiar with the guidelines I
mention may find them at: http://www.wiretrip.net/rfp/policy.html

I can't say if w00w00 would have delayed their disclosure, and thing
is, neither can anyone else *but* w00w00.  However, AOL's muteness is
not only deplorable but sadly, expected, and largely typical.

1 email.  Prevent fiasco.  *duh*

Do I think AOL "got what they deserve" ?  Maybe.  Haven't made up my
mind yet....

Also, while I'm at it (for those still reading :) I do believe Mr.
Cooper and Mr. Wysopal missed out that w00w00 was using this to
leverage the lunacy which is the DMCA.  Sure, they'd prolly have
released their exploit code anyways, but (A) they made it far less
harmless than it easily could have been and (B) the DMCA is still a
joke, which more people should really do something about.


-aj.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] DOD bills bolster anti-terrorism spending"
Previous message: InfoSec News: "[ISN] Learning to love the computer, warts and all"
Maybe in reply to: InfoSec News: "[ISN] Instant Messenger flaw fixed; hackers criticized for little warning"
Next in thread: InfoSec News: "RE: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 09:57:55 PST