Bugtraq mailing list archives

Re: Bashing response teams


From: ahuger () secnet com (Alfred Huger)
Date: Sun, 22 Dec 1996 21:43:35 -0700


On Sun, 22 Dec 1996, Gene Spafford wrote:

> publish *fixes*.  What gets posted here and elsewhere tend to be
> exploits and the teams aren't going to acknowledge people who post
> exploits!

Why not? Many of us here would like to understand *how* something is broken
as opposed to taking a response team's word for it.

> Furthermore, if a problem is posted which no one else has
> found and there is zero evidence it is being misused yet, you have
> made their lives (and ours) more difficult -- they are hardly going to
> thank you or acknowledge you for that, either.


You're making an awfully big assumption there. What type of proof do you
need? A response team should be exactly that, a response team, a group of
people who respond to pressing problems and notify the public. As it
stands, most of the response teams in operation now do nothing more than
*react* to issues that are already conflagrated. I for one would like to
know I have a problem before Jon Q Cracker lets me know by breaking root
on my box.

As for making their lives more difficult, if they have difficulty with
full disclosure and feel not properly accrediting people is a proper way
of venting their frustrations, I suggest they find a different vocation.
Furthermore I would suggest they get used to it; full disclosure is the
norm now, for better or for worse.

> Think about it -- do you tend to thank the person who helped you
> change your flat tire, or do you thank the people who scattered the
> broken glass in your driveway?

This is a misleading analogy. I would thank the guy for pointing out I had
tires which had a production flaw. People who write proof of concept code
and publish it tend to force a vendor's hand. This IMO is a good thing.
Response teams who cater to a vendor's schedule, by and large, are serving
mainly the interests of the vendor. The vendor would prefer to keep
problems quiet, fix them, and *hope* crackers are not already popping root
all over the net with bug X.

> bet on getting any mention, though, if you only point out a
> vulnerability and/or an exploit.  That's simply the way those teams
> work.

And as I think many of the people here are trying to point out, this is the
wrong way to 'work'.



/*************************************************************************
Alfred Huger                                            Phone: 403.262.9211
Secure Networks Inc.                                    Fax: 403.262.9221
Calgary, AB                                             ahuger () secnet com
Suite 440 703 6th Avenue S.W.
T2P-0T9
"Sit down before facts as a little child, be prepared to give up every
preconceived notion, follow humbly wherever and whatever abysses nature
leads, or you will learn nothing" - Thomas H. Huxley
**************************************************************************/
