Post to Bugtraq -- Go to Jail
Mark Rasch, 2002-08-05

HP's ill-advised DMCA threat actually had a few legal teeth. Will federal prosecutors soon start chomping at bug finders?

Post to Bugtraq -- Go to Jail 2002-08-05
ktwo (1 reply)
Post to Bugtraq -- Go to Jail 2002-08-07
Anonymous
Post to Bugtraq -- Go to Jail 2002-08-06
Anonymous (1 reply)
Post to Bugtraq -- Go to Jail 2002-08-07
Psuedo-Anonymous Coward (1 reply)
Post to Bugtraq -- Go to Jail 2002-08-13
Mark D. Rasch
Post to Bugtraq -- Go to Jail 2002-08-08
Anonymous
Post to Bugtraq -- Go to Jail 2002-08-10
blacklight
Post to Bugtraq -- Go to Jail -- Redux 2002-08-12
Annoyed at this whole mess
This little 'threat' or FUD is just the latest parting shot by vendors who don't want to have to take the time to write their code securely. This is further complicated by the rash of 'security professionals' who have recently added themselves to this field of endeavor after the lure of money in the last two years.

The 'security professionals' didn't work their way into this field but were promoted or read a book and are now professionals. Of course this type of person would support the vendors in a whole market sticking its head in the sand.

I do remember 5-6 years ago when posting vulnerabilities to Microsoft about Windows NT 3.1, 3.5, and 3.51, as well as WFW 3.1, 3.11, and 95, got you the ever-present response that it was "just a theoretical bug." After that response Microsoft would just ignore the issue. Then someone started posting exploits and Microsoft took notice, actually started fixing the issues and being a responsible corporate citizen (OK, they are trying, not fully succeeding, but I'll give them credit), and started working with the community to fix the issues with their software.

Did Snosoft, or this guy, do something wrong? Well, they gave the vendor time to respond, and per Snosoft's official statement (on their website, I think it was) too many people knew about this long-standing issue and one leaked it, or something to that effect. I don't know enough, or remember enough of what I did read, to make a really informed decision. If they followed the guidelines of waiting a month or two for the vendor to give some sort of response and then released to protect the community, then I personally don't have an issue with them. There is probably a whole lot more to this story that has been, or has yet to be, told.

Whitehat/blackhat/brownhat/greenhat, whatever you want to call it, it is all our responsibility as computer security professionals to interpret the data that comes out and to protect the companies as well as possible. Removing 90% of my arsenal for accomplishing that mission, by removing the knowledge necessary to protect the company I work for, is what is truly criminal. To that end I personally think there should be a criminal and possibly libel suit against companies like HP that stifle this information (if that is where they were actually heading with this attempt) from getting where it needs to go, should that vulnerability result in losses to the companies I work for/protect.

If the security professionals are not able to interpret this data to protect the companies that they work for, maybe it is time to step aside and let someone who can get in there. I'm sorry if that is a little raw, but a lot of my associates in this field feel essentially the same way about the lack of talent that we regularly see available now. Security is not just a lucrative field; it is also one where there is more work to keep track of everything the operating systems and networking professionals do and read, and add to that corporate rules and policies for security, and that is only if you haven't added the physical side of security as well as continuity planning to your daily activities.

Link to this comment: http://www.securityfocus.com/comments/columns/100/16125#16125
Post to Bugtraq -- Go to Jail 2002-08-14
A disgrunted American
Post to Bugtraq -- Go to Jail 2002-08-16
Coldman
Copyright 2009, SecurityFocus