Bugtraq mailing list archives

Re: Cisco PIX Firewall (smtp content filtering hack)


From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Thu, 21 Sep 2000 10:58:40 -0700

As a Cisco customer, I personally prefer to get notification as soon as
possible.  Cisco has known about this bug, but they haven't notified their
customers.  That is an example of stinky corporate non-ethics at
work.  We should be notified instantly whenever new security
vulnerabilities are discovered.

I certainly understand the individual want for such information:  it affords
the intelligent and competent admin a choice in
interim fixes or temporary policy changes.  However, it makes for poor risk
management at the global level.

The potential for malicious abuse is far greater when exploits that have no
patch are made available to the general public.

Of course, this isn't Cisco's preference, so they choose instead
to leave their customers in the field with equipment that has security
problems which are certain to be discovered by a third party and possibly
exploited.

They are not certain to be discovered - not individually and without
foreknowledge, anyway.  The probability exists, of course, but it is not
likely.  But herein lies the basis of the full disclosure game of chess.
Though there are vendors who will only release vulnerabilities and patches
against holes when they are forced to, there are also responsible and
concerned vendors who work diligently to not only quickly patch such issues,
but to look for interim fixes in the meantime.  Cisco and Microsoft are good
examples of the latter.

When working with such companies, it is always better to go directly to the
vendor and work to provide a solution without going to full disclosure, and
to release the kb with an associated solution.  When ego and
self-publication are obviated, timely and thorough solutions are propagated.
People like Weld Pond and Rain Forest Puppy know this and practice this;
that (in addition to superior intellect) is what makes them, and others like
them, respected in the industry.

You and I (along with thousands of others) now know about this
vulnerability.  We would not have discovered it on our own, but we now know
what it does and how to use it against others if we chose to do so.  Had the
issue been taken directly to Cisco and kept under hat, even if it took
months, then we all would have been far safer.

----------------------------------------------------
Attonbitus Deus
thor () hammerofgod com


----- Original Message -----
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, September 20, 2000 9:46 AM
Subject: Re: Cisco PIX Firewall (smtp content filtering hack)

