funsec mailing list archives
RE: ISS: Pot, kettle, black, etc..
From: Josh Daymont <jdaymont () secureworks net>
Date: Wed, 5 Oct 2005 14:27:32 -0400
The opinions expressed in this email are my own and do not represent the opinions of my employer, Secureworks.

In this case that gentleman from ISS marketing will surely get his hands slapped for making such a comment. Whether or not it is true doesn't really matter. The only people who really end up being frustrated in this case are the actual researchers themselves. These people pour their heart and soul, and even in some ways their ego, into an effort they believe is increasing the security of the Internet, or at least is in some way supposed to make them "famous," and many vendors are not only slow to respond but actively stonewall or lie. I've been involved in cases where lawsuits were threatened against security companies. I know someone who has been involved in cases where a vendor's CEO started calling up random engineers at a particular security company screaming obscenities and various types of threats. We're talking about the CEO of a publicly traded company here. Never mind the fact that this vendor was sent 10 notices/warnings over 9 months, including (I was told) a written warning sent by registered mail, all of which were ignored up until after the announcement was made. To co-opt a Fresh Prince/DJ Jazzy Jeff song: "sometimes vendors just don't understand."

Most people who've been involved in disclosure issues for more than a couple of years have come to terms with this; I certainly have. I've wondered in the last year or so if vendors would continue to act the way they did if they knew what some of these security companies, large and small, had begun doing with vulnerability information while they were sitting on it. Think there is a little bit of an intersection between vendor X's biggest customers and security company Y's? Think that security company is going to hold out on their biggest customers? If that same security company would give away that info to their biggest customers, think they would decline to sell it for a large lump sum to a vetted organization? If there's extra cash to be made when patches are slow to be developed, think the security companies are going to push the issue with a vendor? Whether the vendors realize it or not, increasingly it's the researchers and companies funding research who are having the last laugh. It'll be interesting to see where things in this area go in the next few years.

Josh

-----Original Message-----
From: Young, Keith [mailto:Keith.Young () montgomerycountymd gov]
Sent: Wednesday, October 05, 2005 1:45 PM
To: funsec () linuxbox org
Subject: RE: [funsec] ISS: Pot, kettle, black, etc..

http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=77789754-705d-4f65-85f3-3e2cd713e938&newsType=Latest%20News

How do ya like them apples? I seem to recall ISS was itself involved in the whole sordid "Ciscogate" imbroglio...

Ah, but ISS Legal will have a different "agenda" than ISS Marketing. And honestly, he is right. Cisco, Oracle, and some small private Internet security firms are the worst in terms of getting fixes published even after vendor confirmation. Approximately 75% of the holes that I reported to these organizations still exist after years of product updates. I can't even imagine the frustration over threats of public disclosure that X-Force, RAZOR, and many of you deal with on a regular basis... The only thing that has kept me from public disclosure is lack of time for research/documentation.

--Keith

Keith Young, Security Official
Department of Technology Services
Montgomery County, Maryland
phone - (240) 777-2955

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- ISS: Pot, kettle, black, etc.. Fergie (Paul Ferguson) (Oct 05)
- <Possible follow-ups>
- RE: ISS: Pot, kettle, black, etc.. Young, Keith (Oct 05)
- RE: ISS: Pot, kettle, black, etc.. Josh Daymont (Oct 05)