Bugtraq mailing list archives

Re: Cisco PIX Firewall (smtp content filtering hack)


From: Signal 11 <signal11 () MEDIAONE NET>
Date: Thu, 21 Sep 2000 12:59:00 -0500

> customers.  That is an example of stinky corporate non-ethics at
> work.  We should be notified instantly whenever new security

I really hate to argue /against/ someone slamming a big corporation,
but in this case I think I should. This is not an example of
non-ethics, nor is it disregard for the customer. It is responsibility,
clear and simple.

> vulnerabilities are discovered.  We always have one recourse and
> workaround, which is to decommission our Pix firewalls until things are
> fixed.  Of course, this isn't Cisco's preference, so they choose instead

That isn't an option for some people. Some of us run turn-key solutions
and can't simply swap things around. Some of us can only use approved
products. Some of us work for stingy IT managers who won't budget
something like a product switch. It is arrogant to assume that the way
you do things is the same way all people do things. Some of us don't
have other options!

> to leave their customers in the field with equipment that has security
> problems which are certain to be discovered by a third party and possibly
> exploited.  I think this scenario has mostly played out in this case.

You know, considering how many companies would have responded, personally
I think Cisco did a good job here - they admitted there was a problem,
they are actively working on the solution, and they are suitably humble
(on THIS list anyway!) about the matter. Some companies outright
publicly deny a vulnerability exists... and then in the back pages
some weeks later there'll be a small press release saying the
software was updated to "address security concerns".

I wish vendors would get a clue and realize that their customers need
security information RIGHT NOW, not when a fix is available.  We must be
able to assess our own security situation and take action based on the
known risks.  If we don't know about the risks, we can't assess them.

People in this industry seem apt to overlook something - basic human
nature. I'll give you an example - in the horribly bad movie Armageddon
an asteroid was going to slam into Earth, destroying all of civilization.
They hatched a plan and saved us all, of course, by using moody music
and lots of explosions but did you notice that in the movie they didn't
tell the general public that disaster was very near at hand?

People panic when you tell them things like that, and unless you have a
solution available when you tell them, most people collapse into a
gibbering, unthinking mass. This is the same reason why you probably
don't tell your boss about everything you read on BugTraq! Ignorance,
they say, is bliss.

Society, corporations, organizations, people, and families all are
able to function precisely because they *don't* have all the facts.
The security industry is NOT the exception to this rule. Something
to think about.

Cheers,


--
Signal 11 -o- BOFH, boredengineers.com
The greatest disloyalty one can offer to great pioneers is to
refuse to move an inch from where they stood.
