> Microsoft's "disclosure coalition" is nothing more than a
> synthesis of the worst of both worlds, offering us nothing but a
> restricted government in terms of security, and a restricted press in
> terms of vulnerability disclosure.

I offer up Simple Nomad's words: http://www.nmrc.org/InfoAnarchy/sn.txt

> I heartily concur that adherence to the RFPolicy is the ideal
> solution, but it is not simply ideal because of the obviously reasoned
> approach it outlines; rather, RFPolicy is ideal because it is
> *voluntary*.

That is the only flaw I see at all...that the policy is voluntary. Identifying vulnerabilities is a GOOD THING(tm). Doing so responsibly is a BETTER THING(tm).

> I'd noticed that portion was missing as well, though it didn't
> give me cause for concern as it appears this vulnerability had been
> previously and publicly discussed in an open forum. This alone
> necessitates an acceleration of the advisory process.

I have followed the current discussion, but haven't seen where this issue has been discussed previously. Also, previous discussions about the issue weren't addressed or referenced in the advisory.

Also, rather than posting an 'advisory' that seems to have the primary purpose of disparaging Gibson, wouldn't it be simpler to just identify the issue, and then recommend a fix (ie, blocking the pertinent IP range)?

> Simply put, if I ran a server farm that got breached on a large
> scale and the intruder defaced its web sites with the method used in the
> intrusion, then all bets are off with respect to vendor notification.

So notifying the vendor in order to get a needed patch is out the window? Or are you saying that notifying the vendor and then observing a 30-day waiting period for public disclosure is out the window?

I would recommend the following...immediately notify the vendor and request immediate attention (as the issue is currently *in the wild*), and then release the advisory that describes the issue, with a section of the advisory stating that the vendor has been notified.

> The beast is already in the wild. The same holds true if a
> vulnerability is talked over in a public setting.

It has long been known that there are a wide variety of "public settings". Some would consider IRC to be a "public setting", but it is impossible for everyone to monitor all "public settings". The only way for such an argument to hold is if a specific set of "public settings" is identified, and everyone agrees to use only those settings for their discussions. Otherwise, saying that Gibson should have known about it already b/c it was discussed somewhere on the Internet is just so much bs.

> All that said, I believe the immediacy was also warranted, given
> the puffery Gibson solicited during his XP/DDoS media blitz. Nothing is
> more abhorrent than hypocrisy; especially in security circles.

What I find abhorrent is the argument that simply b/c you don't agree with someone, he deserves to be slapped down and discredited at every opportunity. In the larger scheme of things, who really cares? So Gibson made a big stink about XP...so what? What was it that upset everyone? That he has a different opinion with regards to some issue? Or was the problem his choice of colors and fonts on his web page?

> I don't know that it's the advisory author's responsibility to
> give a full narrative of 4W&H of notification. I've found a simple one-
> or two-liner is sufficient (date notified and date of response [if any]).

Sure. I never asked for the full 4W&H. However, that one- or two-liner was nonexistent.

> The greatest good has nothing to do with it. To lift a phrase
> from the 1992 Presidential campaign, "It's the Economy, Stupid." Times
> are tough for high-tech businesses. With enough of a war chest, Satan
> himself could get plenty of companies to hop on board his platform.

Interesting point. Perhaps I should have rephrased that to say "the greater good, as such is identified by each company"...

> People feign outrage when an advisory is released without proper
> vendor contact.

I, for one, do not "feign" anything. Nor am I outraged. I simply find a great number of contradictions between the theory and the practice of full disclosure. The responsible thing to do would be to contact the vendor. RFPolicy even mentions as much. Whether the advisory author chooses to allow an arbitrary period of time to pass in order to allow the vendor to respond is up to him.

This situation could have been handled differently. As it is, Magni's advisory comes off as just another rant against Gibson.

Sure, sure...I know. Port scans are used as the precursors to an attack of some sort. Sure. I spent a great deal of time handling "abuse@" emails for a large ISP, so I know what people think of port scans...or what they consider to be port scans. I also know from being a consultant that a lot of admins leave vulnerable systems on the Internet w/ little to no protection. But in the end, the issue with Gibson's web site is that someone can "anonymously" port scan another site. Be that as it may, they're still going to have to connect directly to the site, or use some other proxying mechanism, in order to exploit anything they find.

> I personally consider the assault on the First Amendment
> that requires individuals and companies to engage in self-censorship
> (under threat of turbo-legal harassment under the auspices of the DMCA and
> other abominations) to be a much more grave outrage.

Can you elaborate on what you consider to be this assault on the First Amendment? Is it the DMCA?
This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 10:41:11 PST