Bugtraq mailing list archives
Re: RSA Aceserver UDP Flood Vulnerability
From: vin () SHORE NET (Vin McLellan)
Date: Wed, 19 Jul 2000 23:53:51 -0400
JJ Gray <nexus () PATROL I-WAY CO UK> wrote:
> The original post I made (I don't expect egotistical kudos or anything but a
> quick "cheers to" would have been nice in the bulletin ;-)) did indeed
> indicate that RSA did not see this as an issue. That was an error on the part
> of some section of the support organisation within RSA, and it should have
> been escalated - seems I inadvertently discovered another problem, though
> procedural in nature - I find it somewhat annoying that a public post was
> required for this potential issue to be investigated. Apart from the obvious
> ethical and professional reasons for contacting the vendor, I wanted to create
> full reproducibility to ensure that it was not a factor of my environment - I
> hate to cry "wolf!". Especially when I was dismissed as a result of this.
>
> <snip>
>
> [...] I do not know for certain as no-one has contacted me for any real
> technical information as regards my (former) test lab, nor am I aware of the
> specs of the RSA test boxes.
With due respect to JJ Gray, his note ignores or overlooks several personal and legal factors which I believe conditioned RSA's response to his initial trouble report -- and made RSA's response to his subsequent publication of his DoS concern on Bugtraq and NTBugtraq far more awkward and reserved than would otherwise have been the case.

I'm not in a position to second-guess anyone, but I was a consultant to RSA as RSA's Advanced Tech Support team attempted to reproduce the problem Mr. Gray described. As I saw it, RSA -- and (from the other side) Mr. Gray's then-employer, an RSA Certified Reseller in the UK -- both responded to this incident quite differently than they would have responded to any similar report from a random engineer at one of the 12,000-plus ACE/SecurID customer sites.

Although Mr. Gray, a recent hire, didn't seem to realize it at the time, RSA distributors and resellers have a complex and multi-level contractual and fiduciary relationship with corporate RSA. RSA Resellers (like the firm Mr. Gray worked for) routinely get access to confidential info on RSA's products, marketing plans, early reports of security issues, implementation problems, etc. Although Mr. Gray didn't seem to realize it at the time, an RSA Reseller or distributor also has several alternate high-priority channels by which a Reseller can contact various levels of RSA's management to voice concerns or highlight real or potential problems in the RSA products it sells and supports.

A company like RSA succeeds or fails largely on the basis of its business partnerships. RSA was doubtless surprised and disturbed to confront a public post from someone who worked for one of its Resellers -- from "within the family," so to speak. Mr. Gray's work-affiliation flipped up all sorts of cautionary flags and restricted direct contact while people tried to sort out what might be at stake.

I was brought in when Mr. Gray posted to Bugtraq and NTBugtraq. Being a mere consultant to RSA (and thus wholly expendable ;-), I jumped in to exchange e-mails (both public and private) with Mr. Gray. I briefed him on the status of the RSA inquiry, and I sought his further assistance in tracing the problem he had reported. He was, as I noted earlier, friendly and helpful.

Mr. Gray's loss of his new job was -- he led me to believe -- the result of some disagreement within his firm's senior management as to whether he, and/or his immediate superior, had acted appropriately, given the firm's own internal procedures and its contractual ties to RSA. I don't pretend to understand what happened within that org, but -- rumors to the contrary -- RSA did not seek Mr. Gray's dismissal. When RSA executives learned of it, after the fact, they were very concerned that it might be counterproductive. (If Gray had not chosen to conduct himself like a professional gent, I think it might have also been a gratuitous media mess.)

I regret that Mr. Gray got sacked. (I could argue from experience that it happens to the best of us ;-). I was pleased to see another prominent UK security firm snap him up. (For whatever it's worth, this greybeard thinks JJ is a conscientious and talented young professional.)

I suspect, however, that even Mr. Gray now recognizes that his public comments about his experiences and this incident have been somewhat oversimplified... just because he so blithely ignores the real and potential ramifications of his vendor/reseller connection. For good or ill, no one else involved was able to ignore them quite so completely.

Suerte,
_Vin

Vin McLellan
The Privacy Guild
Boston, MA, USA
Current thread:
- Re: RSA Aceserver UDP Flood Vulnerability Frank Darden (Jul 14)
- <Possible follow-ups>
- Re: RSA Aceserver UDP Flood Vulnerability JJ Gray (Jul 14)
- Re: RSA Aceserver UDP Flood Vulnerability Vin McLellan (Jul 14)
- Re: RSA Aceserver UDP Flood Vulnerability Vin McLellan (Jul 19)