Forwarded from: Aj Effin Reznor <ajat_private>

"InfoSec News was known to say....."

> "I think that's pretty dangerous," said Chris Wysopal of the
> security company AtStake, "especially since they pretty much
> acknowledged that they hadn't gotten a response back from AOL
> yet."
>
> Russ Cooper, who moderates a popular security mailing list and
> works for the security firm TruSecure, said Conover's action was
> irresponsible because it helped hackers.
>
> "I think it's better to provide details of the exploit and then
> let other people write the actual code," Cooper said. "It lets the
> technical community have the information they need without letting
> idiots have the information they want."

Without (again) igniting the flames of full disclosure (cuz c'mon, we all know knowledge is power, right? ;) and not to contradict Mr. Wysopal and Mr. Cooper, whom I both respect greatly, we do need to question the silence from AOL.

It sounds, and no specifics were given, as tho w00w00 waited the better part of a working week to hear back from AOL. RFP's excellent disclosure notification guidelines give five (5) working days for a response to be made from vendor to person(s) notifying of a potential vulnerability. FIVE days to *respond*. Not to patch, not to rewrite code, just to send a simple *email* back.

Those not familiar with the guidelines I mention may find them at:

http://www.wiretrip.net/rfp/policy.html

I can't say if w00w00 would have delayed their disclosure, and thing is, neither can anyone else *but* w00w00. However, AOL's muteness is not only deplorable but sadly, expected, and largely typical.

1 email. Prevent fiasco. *duh*

Do I think AOL "got what they deserve"? Maybe. Haven't made up my mind yet....

Also, while I'm at it (for those still reading :) I do believe Mr. Cooper and Mr. Wysopal missed out that w00w00 was using this to leverage the lunacy which is the DMCA. Sure, they'd prolly have released their exploit code anyways, but (A) they made it far less harmless than it easily could have been and (B) the DMCA is still a joke, which more people should really do something about.

-aj.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 09:57:55 PST