Bugtraq mailing list archives
CERT, CIAC, etc. and unethical practices
From: owner-bugtraq () NETSPACE ORG (Thamer Al-Herbish)
Date: Fri, 20 Dec 1996 15:49:54 -0500
In light of the recent discussion that has taken place in regards to {CERT,CIAC,AUSCERT,HP,SGI,etc} and their lack of ethics when it comes to crediting other people's research, I am happy to announce a LARGE company that just did the exact opposite!

In the past when L0pht has released advisories we suffered the same neglect that SOD, ASR, 8lgm, and individual authors all received by vendors and 'so-called' Response teams. And why not? After all, we are providing the exact same service and do not consider ourselves any better or worse than the next group that espouses bugs in code. Why is it that such organisations feel a need to not mention the people who discover a vulnerability, post such a diluted abstract of the problem as to be of negligible use, and plagiarize information as their own? I don't know.

Just when you thought the world was completely dark and morbid, and that CERT, AUSCERT, FreeBSD, NetBSD, HPUX, SGI, etc. were about to succeed in stealing all of the Christmas joy.... We came across a very large company that did the *right* thing!

Several days ago [12/12/96] Weld Pond of the L0pht released an advisory on problems with sites running Lotus Domino 1.5 (http://www.l0pht.com/advisories.html). Lotus took this in stride and used the information to make some quick changes to improve the security of their product and worked out a plan to incorporate more robust fixes into their future builds. After all, that's what the information is there for: educate the people that _just because someone says 'secure' doesn't mean that it is_; let the vendors fix the problem and regain trust in the hacker community that they aren't selling snake oil.

If you check out Lotus' Domino page (http://domino.lotus.com) you will notice on their front page a reference to our advisory (they even spelled L0pht correctly!) and, upon following the link, find a description and some fixes for it. Kudos to Lotus!

What does this mean to me? This tells me that Lotus is a) quick to fix problems that they are alerted to in a public forum, b) honest in citing references for work that other people have done, and c) confident enough in their product that they don't feel a need to slide every disparaging remark under the carpet and perform spin doctoring. These points in turn would make me feel more comfortable as a user of this product. (Hey other companies, are you getting any of this?!?!?!?!?)

If a company the size of Lotus (hrmmm owned by IBM now right?) can do this I believe smaller groups such as those previously mentioned in this thread should stop hiding behind the 'hackers are all evil' shroud and follow suit! Thanks to Lotus for hopefully blazing a path of responsibility in the realm of crediting the people who provide the valuable service of finding bugs in vendor products.

I don't suppose we can expect to see public apologies to the people that were wronged by the other agencies in the near future. sigh. Perhaps we can hope, in lieu, to see an investigation into unethical business practices.

mudge () l0pht com