Jon Lasser, 2002-06-26
Internet Security Systems violated community standards and common sense with its surprise Apache bug announcement.
Irresponsible Disclosure
2002-06-26
Anonymous (1 reply)
Irresponsible Disclosure
2002-06-26
joe90@hushmail.com
It seems naive to me for us to assume that ISS posted this patch for any other reason than to promote themselves and gain commercially.
ISS's products are not that great and people, at least over here in the UK, are starting to realise this. Just look at what happened to BlackIce when they took ...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-27
Please please please get a new UNIX writer! (7 replies)
Mr. Lasser, you've drawn your last straw. In your past article I found it amusing how your tunnel-vision has blinded the obvious, but now I know you're just a plain dolt. Fair?! Life is not fair, and neither is security. If life were fair you'd be out of a job, along with the rest of SecFoc be...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-27
Anonymous
Hmm... Jon's article actually seems to follow the general consensus of the Open Source Community. I haven't heard many (if any) praise ISS on their actions. And on top of that they are the "Big Company" that you speak of. Sure they included a patch, but by many accounts (including Apache's) it di...
[ more ] [ reply ]
Re: Replace him! he disagrees with me and I know it all!
2002-06-27
epizz@ba.net (1 reply)
Isn't the arrogance amazing?!
IMHO it's pretty irresponsible to basically invite every teenage hacker to invade half the sites on the net.
But, hey! It's a free country, so I guess people can be as irresponsible as they want to be, as long as they can live with themselves.
...
[ more ] [ reply ]
Re: Replace him! he disagrees with me and I know it all!
2002-06-28
Anonymous
Funny how the same people who are whining about ISS are the same folks who would release an MS issue in a heartbeat without any notification.
And as Elias stated: "those who say that full disclosure is like yelling FIRE in a crowded theatre fail to realize one thing - the theatre IS on fire."
...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-27
Anonymous
It appears as though you have a decent case of tunnel vision... a type of malady that seems to infect quite a few people in the computer security field.
ISS simply supplying a patch (a patch, BTW, that does not adequately address the bug reported) in no way exonerates them from any faux pas d...
[ more ] [ reply ]
Anon poster is an "Irresponsible Disclosure"
2002-06-27
Anonymous
This Anonymous writer is completely off base, and it is he who should in fact head to the re-employment line and out of IT with his mentality. If the promise of e-commerce is ever to be realized, then standardized reporting is a must.
If one vendor plays cut throat when they all live in the same...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-29
Tired of loud mouth open source freaks (1 reply)
I think he hit the nail on the head!!! Every sysadmin around knows that every product is basically insecure if configured incorrectly, and is used at our own risk. That doesn't excuse behavior of releasing the bug 8 hours after informing the apache team. How possible is it that a large amount of ...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-29
Anonymous
I feel that the last comment was written by someone who does not grasp the spirit of the article. In talking about speaking to the "group" of Apache, there was no implied big business endorsement. The Apache developers were the ones who should have been contacted, and the patch that ISS provided d...
[ more ] [ reply ]
Damned if you do, damned if you don't
2002-06-27
TL (1 reply)
Looking at people's attitudes, I don't think these kinds of companies can get it right. Either they're accused of releasing vulnerability information too early and screwing the vendor (FVO "vendor" != Microsoft), or they're accused of shady deals to keep security information hidden from the end-u...
[ more ] [ reply ]
Damned if you do (irresponsibly), damned if you don't (ever)
2002-06-28
Tor Slettnes
I disagree - companies _can_ get this right. That's what Jon Lasser is talking about - guidelines for responsible release of vulnerability information.
If a vulnerability is found for the first time by a "white hat", the responsible thing for her (or him) to do is to inform the vendor of the sof...
[ more ] [ reply ]
The shoe is on the other foot
2002-06-27
Anonymous (10 replies)
People have been doing this to Microsoft for years. It is humorous to see how the Open Source community responds when the shoe is on the other foot. Now all we need is for someone to write an Apache worm that uses this chunking vulnerability to cascade across Apache servers worldwide. That would ...
[ more ] [ reply ]
The shoe is on the other foot..but just barely.
2002-06-27
K.M. Ellis
Hardly. I challenge you to find a recent instance of this. Most everyone in the serious security community has, over the past two years or so, come to a consensus similar to the one Mr. Lasser elucidates: when you find a big bug, be careful and courteous. Even when dealing with Microsoft, who i...
[ more ] [ reply ]
The shoe is on the other foot
2002-06-27
Brian
I believe the reason this has been happening to Microsoft for years is simply because of the sheer number of vulnerabilities found by various individuals. Many of the people discovering vulnerabilities in Microsoft's products do not necessarily subscribe to the Responsible Disclosure rules; or at l...
[ more ] [ reply ]
The shoe is on the other foot
2002-06-28
Anonymous
That's a pathetic excuse and not even very accurate to boot. Microsoft is generally notified of issues, especially when it comes from a publicly traded (or even private) research/security firm. Microsoft has in the past been very lazy about creating patches, thus the move by some to go ahead a...
[ more ] [ reply ]
The shoe is on the other foot
2002-06-29
pseudoAnonymous
One vulnerability in 4.5 years compared to God knows how many in IIS, and all the Microsofties come out of the woodwork. If ISS had handled this incident the way they'd handle any Microsoft one, there wouldn't have been any problem. Instead, the dolts write a patch that doesn't work for many/most pe...
[ more ] [ reply ]
...but where should the foot be put?
2002-07-02
Andy Wood
...even with the largest % of web servers being Apache, how many systems will be affected by this mythological worm? Not many, I bet (PS, do you have the skill to write one?? DO IT OR SHUT UP!). See, the problem with Nimda and others is the worthless admins that let systems go unpatched ev...
[ more ] [ reply ]
Penalties
2002-06-27
Anonymous
ISS should face criminal charges for what they have done. They have given everyone the ability to compromise many servers. This could have been prevented if they were to follow the correct procedure. I think it is in the minds of most of the open source community that Chris Rouland and Mark Dowd fac...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-28
System Engineer in UK
As a security person I find the attitude shown by the article a little strange.
Surely it is better to advise people of the potential for a system compromise than to keep it quiet and tell them a month down the line, only for them to find that they have been hacked?
As to some of the commen...
[ more ] [ reply ]
Irresponsible Disclosure
2002-06-28
Anonymous
I think people were quick to jump on the bandwagon pointing fingers at ISS. Yes, they did release this advisory a little irresponsibly, but what if they kept this bug for themselves? Other researchers found the same bug, but we all (Apache users) could have been left vulnerable to this bug and all i...
[ more ] [ reply ]
Irresponsible Disclosure -- CYA
2002-06-28
Anonymous
Of course it is irresponsible for ISS to post this patch, especially due to the dearth of good system administrators who might be able to find a way to take a look at the patch attached to the advisory, adapt it, and then possibly use that adaptation to 'survive' until Apache was able to fix this problem...
[ more ] [ reply ]
Hehehe! Apache is the next victim
2002-06-29
ICMP_Z@yahoo.com (1 reply)
I am very happy that a new (and big) vulnerability was found in Apache when people think only Microsoft products are vulnerable to worms.
Yes! It is time for other vendors to pay attention to security when the usage of their products increases and becomes common.
I am sure that a few weeks later you will see worms for ...
[ more ] [ reply ]
Hehehe! Apache is the next victim
2002-07-01
Anonymous
Hmmm... yeah... when I look at Apache's track record of critical/severe security problems happening every 4.5 YEARS or so... and compare it with the Micro$oft IIS record of MONTHLY (and often times WEEKLY) vulnerabilities being announced... I just don't understand why there are so many pe...
[ more ] [ reply ]
what i think about ms...
2002-07-03
Lysergsäurediethylamid
I think Microsoft is currently and in the coming future busy with programming Microsoft Office games (like Flipper XP in Word and Excel Star Flight Commander XP)...
Where should they find the time and will to solve all their security problems if there are so many problems with overviewing t...
[ more ] [ reply ]