Bugtraq mailing list archives

Re: Very probable remote root vulnerability in cfengine


From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Tue, 3 Oct 2000 09:28:36 -0700

At 08:48 AM 10/3/00 AEST, Shaun Clowes wrote:

> The security community is in great danger of being a victim of its own
> sensationalism.
> Reports of problems that don't really confirm an issue are like the story of
> the 'boy who cried wolf'. There may or may not be a wolf, but if enough times
> reports like this are released which turn out not to be exploitable, massive
> amounts of credibility (along with sysadmin sleep) are lost. Eventually it
> leads to advisories being ignored en masse.

This is one very good reason to work with the vendor through the reporting
process. I see too many 'advisories' that are poorly researched, and being
in security operations, I have to spend a lot of time to sort out exactly
what the threat is or isn't. People telling me "suppose this or that is
vulnerable" isn't very helpful, either. I've also been on the other side of
this one and been one of the people producing advisories - I can't think of
a single issue where I had everything right in the first place - there have
usually been at least minor corrections - and a couple where I found out
that I was completely wrong. A cooperative vendor will tell you which bits
you have right and wrong. This allows you to produce higher quality
information. I'm not usually very happy to have to post "whoops - I screwed
up" to 30,000 readers.

Although I can't seem to find a link to it on the SecurityFocus web site,
I know they provide a service that tries to work with vendors. Russ Cooper
also does the same thing for people. If one's objective is to help make our
networks more secure, then high quality information and patch availability
are important.

David LeBlanc
dleblanc () mindspring com
