On Fri, 20 Apr 2007, J. Oquendo wrote:
alex@pilosoft.com wrote:
I'm not sure if Simon's comment was tongue-in-cheek.
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.
I'm not sure the debate on public disclosure vs private falls under NANOG AUP.
I beg to differ here on a few points...
1) Reporting to vendors... I don't know how many vendors from Microsoft on down I've reported issues to... Sometimes it works sometimes it doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge and take responsibility for their issues, else have the issues publicly disclosed. This is getting into the discussion on whether public disclosure (and attendant attention of script kiddies, public embarassment of vendor, and "glory" to the reporter) is better way to get the bug fixed than working with your vendor (who, presumably, receives $$$ from you on maintenance contract or hopes to receive $$$ from you on the upgrade to next version).
How would you feel if you used a product a company KNOWS lacks fundamental security controls and does little to fix it. How would you feel if AFTER the fact someone leveraged a method to affect you. How would you feel AFTER the fact, finding out they were told and did nothing for eons. Vote with your wallet, use a vendor that is responsive to customer needs.
I've disclosed a pretty bad denial of service bug. Tested not only by me, but by about six other individuals one in one of the world's biggest insurance agencies... Confirmed... Another in academia land... Confirmed... A professional pentester with a DoD contract... Confirmed... Sent it to MS... "Well it doesn't work" said the MS team... I didn't even bother disclosing it out after that. Not because it didn't work but because the last thing I wanted to see was something akin to another Smurf like attack on MS being part of my own shop where I work is MS based. I gave up. On occasion I will take a few minutes to find something stupid to break because I fiddle with things. Sometimes I release things publicly, sometimes I don't depending on what I perceive to be a level of severity. If its minor, it gets released and this is only because I've gotten tired of dealing with the idiotic policies these companies use to shoot themselves in their own foot. It's your choice, it is not the only way.
From Cisco, to Microsoft, to open source vendors (Asterisk), whomever, most times I will contact the necessary party... They fail to respond, it goes public. Same happened way back when with Computrace (LoJack for Laptops)... Where I contacted them over and over... They told me "You're wrong... After proving my points repeatedly... Finally I ended up pulling their card and posting their entire email transcription... I still have an NDA they wanted me to sign which is summarized as "We will pay you x amount of what you spend if you just... well shut up." Right.... I see nothing wrong with responsible public disclosure. Responsible is the key word. There's been much discussion on the mailing
<snip> lists that are *more appropriate* to discuss full-disclosure what constitutes responsible. Note that those mailing lists are not NANOG, where this subject is tangential. -alex