-----Original Message----- From: mathews@uhunix2.hawaii.edu [mailto:mathews@uhunix2.hawaii.edu]On Behalf Of Robert Mathews Sent: Tuesday, February 01, 2005 11:01 AM To: Hannigan, Martin Subject: Re: Vendor Vulnerability Release Problem
On Tue, 1 Feb 2005, Hannigan, Martin wrote:
Date: Tue, 01 Feb 2005 01:17:42 -0500 From: "Hannigan, Martin" <hannigan@verisign.com> To: "'nanog@merit.edu'" <nanog@merit.edu> Subject: Vendor Vulnerability Release Problem
[ .... ]
They did concur that the current system is broken. This is part of the reason I decided to post this: to let everyone know that this is a problem and the vendors agree.
Martin:
Thank you for posting this note, as the subject item is of immense interest to me personally, and to many within US Government. My question, which I will pose to you shortly -- is a broader one; one that goes beyond the world of ISPs and NSPs to the vastness of the IT world. Still, your concerns are very much valid in such an area as well.
Before I go forward, I would like to disclose that I do not attend NANOG meetings regularly.
With regard to your post, Martin, I would like to ask you just how you see it when you say that "they did concur that the current system is broken." Studies done within Government indicate a LARGER problem than 'after-incident action', one which directly points to vendor acknowledgement itself. I am not at liberty to provide further details of the studies, but it suffices to say that vendor behavior is seen as a significant problem. So, what of Vendor Behaviour?
There appeared to be a consensus that the current methodology is broken. The vendors stated this themselves. The two presenters would need to clarify that further. As far as vendor behavior is concerned, I can't comment on that. It was clear, at least to me, that there is no transparent or uniform method of distributing serious vulnerabilities; at least, none that participants of NANOG are aware of. I will concur that the vendors may not currently have a way to proceed with these problems, but I don't know that the operator community, ground zero for these vulnerabilities, hasn't been consulted as a whole. ((archives)).
What I *was* disappointed in was the harsh criticism of DHS. The vendors called DHS and the Pentagon the biggest source of leaks related to 'their' security vulnerabilities. I don't know if that's true, but if they are, I hope they're leaking to the right people.
Since I was not there for the discussion, I could not appropriately relate to the exchange held, but I would just like to understand, if I may, what the perceptions of DHS and the Pentagon, respectively, were among the many gathered.
My interpretation of the event was that the speakers considered DHS and the Pentagon to share some level of responsibility as to why vendors can't detail serious vulnerabilities. The feedback seemed to deride the Pentagon more than DHS. I can't gauge what the participants felt. As a guess, I think it was believable in the way it was presented. The overall impression was that the relevant government agencies are not credible. (I disagree from my own experience).
If you feel that this matter would be of interest to the NANOG community, do feel free to re-post.
Reposted whole.
-M<
Thank you for your time, Martin.
Best, Robert. -------
Robert Mathews, MSc. - Mgmt. (Honors), Ad.PD. - Econ. (Honors)
Chancellor's Professor of Science & Distinguished Senior Scholar on National Security Affairs & U.S. Industrial Preparedness @ University of Hawai'i
Telephone: 315.853.7853 (NY) / 703.655.7124 (VA/WDC)
Telecopier: 808.933.3473 (HI) / 315.859.1998 (NY)
E.mail: mathews@hawaii.edu