Bugtraq mailing list archives

CERT, CIAC, etc. and unethical practices


From: owner-bugtraq () NETSPACE ORG (Thamer Al-Herbish)
Date: Fri, 20 Dec 1996 15:49:54 -0500


In light of the recent discussion that has taken place in regards to
{CERT,CIAC,AUSCERT,HP,SGI,etc} and their lack of ethics when it comes
to crediting other people's research; I am happy to announce a LARGE
company that just did the exact opposite!


In the past when L0pht has released advisories we suffered the same
neglect that SOD, ASR, 8lgm, and individual authors all received by
vendors and 'so-called' Response teams. And why not? After all, we
are providing the exact same service and do not consider ourselves
any better or worse than the next group that espouses bugs in code.


Why is it that such organisations feel a need to not mention
the people who discover a vulnerability, post such a diluted
abstract of the problem as to be of negligible use, and
plagiarize information as their own? I don't know.


Just when you thought the world was completely dark and morbid, and that
CERT, Auscert, FreeBSD, NetBSD, HPUX, SGI, etc. were about to succeed in
stealing all of the Christmas joy....We came across a very large company
that did the *right* thing!


Several days ago [12/12/96] Weld Pond of the L0pht released an advisory
on problems with sites running Lotus Domino 1.5
(http://www.l0pht.com/advisories.html).

Lotus took this in-stride and used the information to make some quick
changes to improve the security of their product and worked out a plan
to incorporate more robust fixes into their future builds. After all,
that's what the information is there for: Educate the people that _just
because someone says 'secure' doesn't mean that it is_; Let the vendors
fix the problem and regain trust in the hacker community that they aren't
selling snake oil.

If you check out Lotus' domino page (http://domino.lotus.com) you will
notice on their front-page a reference to our advisory (they even
spelled L0pht correctly!) and, upon following the link, find a description
and some fixes for it. Kudos to Lotus!

What does this mean to me? This tells me that Lotus is a) quick to
fix problems that they are alerted to in a public forum, b) honest in
citing references for work that other people have done, and c) confident
enough in their product that they don't feel a need to slide every
disparaging remark under the carpet and perform spin doctoring. These
points in turn would make me feel more comfortable as a user of
this product. (Hey other companies, are you getting any of this?!?!?!?!?)

If a company the size of Lotus (hrmmm owned by IBM now right?) can do
this I believe smaller groups such as those previously mentioned in
this thread should stop hiding behind the 'hackers are all evil' shroud
and follow suit!

Thanks to Lotus for hopefully blazing a path of responsibility in the
realm of crediting the people who provide the valuable service of
finding bugs in vendor products.

I don't suppose we can expect to see public apologies to the people that
were wronged by the other agencies in the near future. sigh. Perhaps
we can hope, in lieu, to see an investigation into unethical business
practices.

mudge () l0pht com
