alex@pilosoft.com wrote:
I'm not sure if Simon's comment was tongue-in-cheek.
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.
I'm not sure the debate on public disclosure vs private falls under NANOG AUP.
-alex
I beg to differ here on a few points... 1) Reporting to vendors... I don't know how many vendors from Microsoft on down I've reported issues to... Sometimes it works sometimes it doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge and take responsibility for their issues, else have the issues publicly disclosed. How would you feel if you used a product a company KNOWS lacks fundamental security controls and does little to fix it. How would you feel if AFTER the fact someone leveraged a method to affect you. How would you feel AFTER the fact, finding out they were told and did nothing for eons. I've disclosed a pretty bad denial of service bug. Tested not only by me, but by about six other individuals one in one of the world's biggest insurance agencies... Confirmed... Another in academia land... Confirmed... A professional pentester with a DoD contract... Confirmed... Sent it to MS... "Well it doesn't work" said the MS team... I didn't even bother disclosing it out after that. Not because it didn't work but because the last thing I wanted to see was something akin to another Smurf like attack on MS being part of my own shop where I work is MS based. I gave up. On occasion I will take a few minutes to find something stupid to break because I fiddle with things. Sometimes I release things publicly, sometimes I don't depending on what I perceive to be a level of severity. If its minor, it gets released and this is only because I've gotten tired of dealing with the idiotic policies these companies use to shoot themselves in their own foot. On the other hand, if I attempted to contact someone, got the cold shoulder, attempted again, and something was that bad, why should I be chastised after I decided to let others using that product know "Hey if you use that product... It might not be all that safe." I get flack whenever I release something in the wild and those whose messages go to my trash bin, know little about the fact that I'd made attempts to contact the vendor. From Cisco, to Microsoft, to open source vendors (Asterisk), whomever, most times I will contact the necessary party... They fail to respond, it goes public. Same happened way back when with Computrace (LoJack for Laptops)... Where I contacted them over and over... They told me "You're wrong... After proving my points repeatedly... Finally I ended up pulling their card and posting their entire email transcription... I still have an NDA they wanted me to sign which is summarized as "We will pay you x amount of what you spend if you just... well shut up." Right.... I see nothing wrong with responsible public disclosure. -- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 sil . infiltrated @ net http://www.infiltrated.net The happiness of society is the end of government. John Adams