Bugtraq mailing list archives

Re: RSA Aceserver UDP Flood Vulnerability


From: vin () SHORE NET (Vin McLellan)
Date: Wed, 19 Jul 2000 23:53:51 -0400


         JJ Gray <nexus () PATROL I-WAY CO UK>  wrote:

The original post I made (I don't expect egotistical kudos or anything
but a quick "cheers to" would have been nice in the bulletin ;-)) did
indeed indicate that RSA did not see this as an issue. That was an error
on the part of some section of the support organisation within RSA, and it
should have been escalated - seems I inadvertently discovered another
problem, though procedural in nature

- I find it somewhat annoying that a public post was required for this
potential issue to be investigated. Apart from the obvious ethical and
professional reasons for contacting the vendor, I wanted to create full
reproducibility to ensure that it was not a factor of my environment - I
hate to cry "wolf!". Especially when I was dismissed as a result of this.

<snip>

[...] I do not know for certain as no-one has contacted me  for any real
technical  information as regards my (former) test lab, nor am I aware of
the specs of  the RSA test boxes.

         With due respect to JJ Gray, his note ignores or overlooks several
personal and legal factors which I believe conditioned RSA's response to
his initial trouble report -- and made RSA's response to his subsequent
publication of his DoS concern on Bugtraq and NTBugtraq far more awkward
and reserved than would otherwise have been the case.

         I'm not in a position to second-guess anyone, but  I was a
consultant to RSA as RSA's Advanced Tech Support team attempted to
reproduce the problem Mr. Gray described.  As I saw it, RSA  -- and (from
the other side) Mr. Gray's then-employer, an RSA Certified Reseller in the
UK -- both responded to this incident quite differently than they would
have responded to any similar report from a random engineer at one of the
12,000-plus ACE/SecurID customer sites.

         Although Mr. Gray, a recent hire, didn't seem to realize it at the
time, RSA distributors and resellers have a complex and multi-level
contractual and fiduciary relationship with corporate RSA.  RSA Resellers
(like the firm Mr. Gray worked for) routinely get access to confidential
info on RSA's products, marketing plans, early reports of security issues,
implementation problems, etc.

         Although Mr. Gray didn't seem to realize it at the time, an RSA
Reseller or distributor also has several alternate high-priority channels
by which a Reseller can contact various levels of RSA's management to voice
concerns or highlight real or potential problems in the RSA products it
sells and supports.  A company like RSA succeeds or fails largely on the
basis of its business partnerships.

         RSA was doubtless surprised and disturbed to confront a public
post from someone who worked for one of its Resellers -- from "within the
family," so to speak.  Mr. Gray's work-affiliation flipped up all sorts of
cautionary flags and restricted direct contact while people tried to sort
out what might be at stake.

         I was brought in when Mr. Gray posted to Bugtraq and
NTBugtraq.  Being a mere consultant to RSA (and thus wholly expendable ;-),
I jumped in to exchange e-mails (both public and private) with Mr. Gray. I
briefed him on the status of the RSA inquiry, and I sought his further
assistance in tracing the problem he had reported.  He was, as I noted
earlier, friendly and helpful.

         Mr. Gray's loss of his new job was -- he led me to believe -- the
result of some disagreement within his firm's senior management as to
whether he, and/or his immediate superior, had acted appropriately, given
the firm's own internal procedures and its contractual ties to RSA.

         I don't pretend to understand what happened within that org, but
-- rumors to the contrary -- RSA did not seek Mr. Gray's dismissal.  When
RSA executives learned of it, after the fact, they were very concerned that
it might be counterproductive.  (If Gray had not chosen to conduct himself
like a professional gent, I think it might have also been a gratuitous
media mess.)

         I regret that Mr. Gray got sacked. (I could argue from experience
that it happens to the best of us;-).   I was pleased to see another
prominent UK security firm snap him up. (For whatever it's worth, this
greybeard thinks JJ is a conscientious and talented young professional.)

         I suspect, however, that even Mr. Gray now recognizes that his
public comments about his experiences and this incident have been somewhat
oversimplified... just because he so blithely ignores the real and
potential ramifications of his vendor/reseller connection.  For good or
ill, no one else involved was able to ignore them quite so completely.

         Suerte,
                 _Vin

Vin McLellan
The Privacy Guild
Boston, MA, USA

