On Tue, 27 Nov 2001, H C wrote:

> I've read over Magni's advisory several times to make sure I have an
> understanding of what he did. I'm not so much concerned with the issue
> of whether or not this is a viable issue, or whether or not Gibson
> tracks usage. I'm more interested in how this relates to the overall
> issue of Full Disclosure. After all, the past month or so has seen
> hellNbak's call for Information Anarchy, almost immediately followed by
> the forming of Microsoft's 'disclosure coalition'.

I've long since forgotten who said it first (possibly Benjamin Franklin), but if I were given the choice between a free government and restricted press versus a restricted government and a free press, I would invariably choose the latter. Microsoft's "disclosure coalition" is nothing more than a synthesis of the worst of both worlds, offering us nothing but a restricted government in terms of security, and a restricted press in terms of vulnerability disclosure.

All told, I would much prefer the former (hellNbak's "Information Anarchy") over the latter (Microsoft's "disclosure coalition") since the former places the power in the hands of all who care to know, rather than in the hands of what can only be deemed a capriciously exclusive cabal.

> Along those lines, the argument has been made that we already have the
> RFPolicy, so why not simply follow that? I'm all for that.

I heartily concur that adherence to the RFPolicy is the ideal solution, but it is not simply ideal because of the obviously reasoned approach it outlines; rather, RFPolicy is ideal because it is *voluntary*.

> Now, while Magni's advisory specifically avoids fully describing the
> exploit in detail, I can't seem to find anything in the advisory where
> he refers to having notified Gibson of this vulnerability at any point.
I'd noticed that portion was missing as well, though it didn't give me cause for concern as it appears this vulnerability had been previously and publicly discussed in an open forum. This alone necessitates an acceleration of the advisory process. Simply put, if I ran a server farm that got breached on a large scale and the intruder defaced its web sites with the method used in the intrusion, then all bets are off with respect to vendor notification. The beast is already in the wild. The same holds true if a vulnerability is talked over in a public setting.

All that said, I believe the immediacy was also warranted, given the puffery Gibson solicited during his XP/DDoS media blitz. Nothing is more abhorrent than hypocrisy, especially in security circles.

> If Gibson was informed of this vulnerability, when and how was he
> informed, and what was his response (if any)? If Magni had informed
> Gibson, why was this never mentioned in the advisory?

I don't know that it's the advisory author's responsibility to give a full narrative of 4W&H of notification. I've found a simple one- or two-liner is sufficient (date notified and date of response [if any]).

> Perhaps the companies that signed on with Microsoft saw the way the
> winds were blowing, and decided that in order to do the greatest good
> for the community, they'd side with MS...

The greatest good has nothing to do with it. To lift a phrase from the 1992 Presidential campaign, "It's the Economy, Stupid." Times are tough for high-tech businesses. With enough of a war chest, Satan himself could get plenty of companies to hop on board his platform.

People feign outrage when an advisory is released without proper vendor contact. I personally consider the assault on the First Amendment that requires individuals and companies to engage in self-censorship (under threat of turbo-legal harassment under the auspices of the DMCA and other abominations) to be a much more grave outrage.

My $0.02 on the matter.
-Jay

Jay D. Dyson -- jdysonat_private
"There's always time for a good cup of coffee"
Si vis pacem, para bellum.
This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 09:06:37 PST