On Tue, 8 Oct 2002, Paul D. Robertson wrote:

> On Tue, 8 Oct 2002, Mikael Olsson wrote:
>
> > The above technique was cooked up by me, <mikael.olssonat_private>,
> > and I would like to thank ICSA labs for taking the time to verify it
> > against their certified products in spite of me having no hard evidence
> > to support my theories.
>
> I'd personally like to thank Mikael for allowing ICSA Labs to work with
> the vendors to get the products *fixed* and *tested* prior to this going
> out.[1]
>
> Mikael was incredibly patient, helpful and most of all interested in
> fixes. The reason that firewalls that were originally vulnerable are
> fixed and at most require an update, instead of a panic attack is due to
> the way this was reported and handled.
>
> All the full-disclosure ranting in the world doesn't stop the fact that
> we've got fixed products *before* we've got wild attack code. This does
> mean that you have to upgrade when your vendor says "time to upgrade," or
> try to do rush upgrades when CERT advisories come out. If you can't trust
> your vendor though, you really ought to think about why you're using that
> vendor's products in a security context.

In a better world I think many researchers would take a stance such as Mikael's, or be willing to adopt the RFP policy in disclosure <it looks to have been updated to a newer version recently?>. Exploits prior to warning/patches are certainly not a good thing<TM>. Yet, one has to look at vendors outside those that only produce security products on which their reputations hinge in looking at the full disclosure issue. I know it's been tackled here and elsewhere a lot, and quite a bit recently in various formats. But, when a major OS/hardware vendor threatens to use the DMCA to go after a security consulting/research site for disclosing issues they <the major vendor> have held under their belts for years, if not months, then we have a totally different situation than that which was faced here.
It seems folks that produce security products and code might well understand the consequences of not acknowledging potential risks to their name and ventures when exploitable issues are found with their offerings, and are more willing to work with researchers in addressing those issues than some of the larger vendors in the OS/hardware realms often are. Getting vendors to work with researchers in such instances would be a grand thing<TM> as opposed to reckless threats of legal retribution after they have been advised of the issues by the researcher<s> who discovered the issues. While times have changed in this realm with a number of vendors, it has been slow work with some in the industry. After all, bugtraq was founded with good reason, no matter their shifts of disclosure policies as they have grown and been acquired in the recent economic understimulus. I certainly feel that many researchers would take a more reasonable approach to disclosure issues if they did not find vendors constantly ignoring matters that have been disclosed to them with their offerings, and then, after sitting for periods doing nothing to fix the issue, making threats to sue or otherwise damage the researchers for finally disclosing the problems for others to mitigate on their own or pressure their offending vendors to deal with the problems with their products. Do not get me wrong here, I'm not a proponent of 0day code being released hither and thither, but I'm also wary of not knowing what my adversaries might know, and feel that if at least one or more researchers know, as well as the vendor, there are great chances that others might well know what I've not had time to find on my own. I know many here, as I myself have, have observed changes in disclosure policies of various researchers and mailing lists over the years.
And I've seen a lot of information hit those venues of information sharing without the older tendency to *require* a 0day sploit to prove the point of the information disclosure. Granted there is not total compliance in this; there's a lot of mistrust and lack of patience and cooperation still permeating the IT world at large. After all, the little guys all know the bigger fish are out to get 'em. And we certainly could use more Mikaels in this world.

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 14:35:19 PDT