On Sun, 18 May 2008, Suresh Ramasubramanian wrote:
Let's put it this way.
1. Yes there's nothing to patch, as such
2. It can be prevented by what's widely regarded as BCP on router security, and has been covered at *nog, in cisco training material, etc etc for quite some time now.
I am much less concerned about security conferences discussing this than about the (highly uninformed) publicity that accompanies these conferences.
Yes, this sounds a lot more like the bugtraq v/s full disclosure discussion than I'm comfortable with, but I still think this could have been handled a lot better.
It's easy to blame researchers for doing their studies, but the fact is, if one whitehat researcher has done work on it, it is already exploited in the wild. Gadi.
--srs
On Sun, May 18, 2008 at 7:27 PM, Dragos Ruiu <dr@kyx.net> wrote:
Bullshit. There is nothing to patch. It needs to be presented at conferences, exactly because people will play ostrich and stick their heads in the sand and pretend it can't happen to them, and do nothing about it until someone shows them, "yes it can happen" and here is how.... Which is exactly why we've accepted this talk. We've all known this is a possibility for years, but I haven't seen significant motion forward on this until we announced this talk. So in a fashion, this has already helped make people more realistic about their infrastructure devices. And the discussions, and idea interchange that will happen between the smart folks at the conference will undoubtedly usher forth other related issues and creative solutions. Problems don't get fixed until you talk about them. cheers, --dr
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog