Bugtraq mailing list archives
Re: Bashing response teams
From: ahuger () secnet com (Alfred Huger)
Date: Sun, 22 Dec 1996 21:43:35 -0700
On Sun, 22 Dec 1996, Gene Spafford wrote:
> publish *fixes*. What gets posted here and elsewhere tend to be exploits and the teams aren't going to acknowledge people who post exploits!

Why not? Many of us here would like to understand *how* something is broken as opposed to taking a response team's word for it.
> Furthermore, if a problem is posted which no one else has found and there is zero evidence it is being misused yet, you have made their lives (and ours) more difficult -- they are hardly going to thank you or acknowledge you for that, either.

You're making an awfully big assumption there. What type of proof do you need? A response team should be exactly that, a response team, a group of people who respond to pressing problems and notify the public. As it stands, most of the response teams in operation now do nothing more than *react* to issues that are already conflagrated. I for one would like to know I have a problem before Jon Q Cracker lets me know by breaking root on my box. As for making their lives more difficult, if they have difficulty with full disclosure and feel not properly accrediting people is a proper way of venting their frustrations, I suggest they find a different vocation. Furthermore I would suggest they get used to it, full disclosure is the norm now for better or for worse.
> Think about it -- do you tend to thank the person who helped you change your flat tire, or do you thank the people who scattered the broken glass in your driveway?

This is a misleading analogy. I would thank the guy for pointing out I had tires which had a production flaw. People who write proof of concept code and publish it tend to force a vendor's hand. This IMO is a good thing. Response teams who cater to a vendor's schedule, by and large, are serving mainly the interests of the vendor. The vendor would prefer to keep problems quiet, fix them, and *hope* crackers are not already popping root all over the net with bug X.
> bet on getting any mention, though, if you only point out a vulnerability and/or an exploit. That's simply the way those teams work.

And as I think many of the people are trying to point out, this is the wrong way to 'work'.

/*************************************************************************
Alfred Huger                          Phone: 403.262.9211
Secure Networks Inc.                  Fax:   403.262.9221
Calgary, AB                           ahuger () secnet com
Suite 440 703 6th Avenue S.W. T2P-0T9

"Sit down before facts as a little child, be prepared to give up every
preconceived notion, follow humbly wherever and whatever abysses nature
leads, or you will learn nothing" - Thomas H. Huxley
**************************************************************************/