Bugtraq mailing list archives
Re: Cisco PIX Firewall (smtp content filtering hack)
From: Signal 11 <signal11 () MEDIAONE NET>
Date: Thu, 21 Sep 2000 12:59:00 -0500
> customers. That is an example of stinky corporate non-ethics at work. We should be notified instantly whenever new security
I really hate to argue /against/ someone slamming a big corporation, but in this case I think I should. This is not an example of non-ethics, nor is it disregard for the customer. It is responsibility, clear and simple.
> vulnerabilities are discovered. We always have one recourse and workaround, which is to decommission our Pix firewalls until things are fixed. Of course, this isn't Cisco's preference, so they choose instead
That isn't an option for some people. Some of us run turn-key solutions and can't simply swap things around. Some of us can only use approved products. Some of us work for stingy IT managers who won't budget something like a product switch. It is arrogant to assume that the way you do things is the same way all people do things. Some of us don't have other options!
> to leave their customers in the field with equipment that has security problems which are certain to be discovered by a third party and possibly exploited. I think this scenario has mostly played out in this case.
You know, considering how many companies would have responded, personally I think Cisco did a good job here - they admitted there was a problem, they are actively working on the solution, and they are suitably humble (on THIS list anyway!) about the matter. Some companies outright publicly deny a vulnerability exists... and then in the back pages some weeks later there'll be a small press release saying the software was updated to "address security concerns".
> I wish vendors would get a clue and realize that their customers need security information RIGHT NOW, not when a fix is available. We must be able to assess our own security situation and take action based on the known risks. If we don't know about the risks, we can't assess them.
People in this industry seem apt to overlook something - basic human nature. I'll give you an example - in the horribly bad movie Armageddon an asteroid was going to slam into Earth, destroying all of civilization. They hatched a plan and saved us all, of course, by using moody music and lots of explosions, but did you notice that in the movie they didn't tell the general public that disaster was very near at hand? People panic when you tell them things like that, and unless you have a solution available when you tell them, most people collapse into a gibbering, unthinking mass. This is the same reason why you probably don't tell your boss about everything you read on BugTraq! Ignorance, they say, is bliss.

Society, corporations, organizations, people, and families all are able to function precisely because they *don't* have all the facts. The security industry is NOT the exception to this rule. Something to think about.

Cheers,

--
Signal 11 -o- BOFH, boredengineers.com
The greatest disloyalty one can offer to great pioneers is to refuse to move an inch from where they stood.