Re: UK ISP threatens security researcher

[alex () pilosoft com]

On Fri, 20 Apr 2007, J. Oquendo wrote:

> alex () pilosoft com wrote:
> > I'm not sure if Simon's comment was tongue-in-cheek.
> >
> > I think if you are referring to "public disclosure", yes, I think
> > there's little point of doing this, unless you are seeking attention.
> > Of course, reporting a problem to vendor privately always makes sense.
> >
> > I'm not sure the debate on public disclosure vs private falls under
> > NANOG AUP.
>
> I beg to differ here on a few points...
>
> 1) Reporting to vendors... I don't know how many vendors from Microsoft
> on down I've reported issues to... Sometimes it works sometimes it
> doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge
> and take responsibility for their issues, else have the issues publicly
> disclosed.
This is getting into the discussion on whether public disclosure (and
attendant attention of script kiddies, public embarassment of vendor, and
"glory" to the reporter) is better way to get the bug fixed than working
with your vendor (who, presumably, receives $$$ from you on maintenance
contract or hopes to receive $$$ from you on the upgrade to next version).

> How would you feel if you used a product a company KNOWS lacks
> fundamental security controls and does little to fix it. How would you
> feel if AFTER the fact someone leveraged a method to affect you. How
> would you feel AFTER the fact, finding out they were told and did
> nothing for eons.
Vote with your wallet, use a vendor that is responsive to customer needs.

> I've disclosed a pretty bad denial of service bug. Tested not only by
> me, but by about six other individuals one in one of the world's biggest
> insurance agencies... Confirmed... Another in academia land...
> Confirmed... A professional pentester with a DoD contract...
> Confirmed... Sent it to MS... "Well it doesn't work" said the MS team...
> I didn't even bother disclosing it out after that. Not because it didn't
> work but because the last thing I wanted to see was something akin to
> another Smurf like attack on MS being part of my own shop where I work
> is MS based. I gave up. On occasion I will take a few minutes to find
> something stupid to break because I fiddle with things. Sometimes I
> release things publicly, sometimes I don't depending on what I perceive
> to be a level of severity. If its minor, it gets released and this is
> only because I've gotten tired of dealing with the idiotic policies
> these companies use to shoot themselves in their own foot.
It's your choice, it is not the only way.

<snip>
>  From Cisco, to Microsoft, to open source vendors (Asterisk), whomever,
> most times I will contact the necessary party... They fail to respond,
> it goes public. Same happened way back when with Computrace (LoJack for
> Laptops)... Where I contacted them over and over... They told me "You're
> wrong... After proving my points repeatedly... Finally I ended up
> pulling their card and posting their entire email transcription... I
> still have an NDA they wanted me to sign which is summarized as "We will
> pay you x amount of what you spend if you just... well shut up."
> Right.... I see nothing wrong with responsible public disclosure.
Responsible is the key word. There's been much discussion on the mailing
lists that are *more appropriate* to discuss full-disclosure what
constitutes responsible. Note that those mailing lists are not NANOG,
where this subject is tangential.

-alex