[Dshield] The Holy Grail

byte_jump bytejump at gmail.com
Mon Aug 1 20:09:01 GMT 2005


On 8/1/05, Chris Brenton <cbrenton at chrisbrenton.org> wrote:
> On Mon, 2005-08-01 at 15:01, Scott Melnick wrote:
> 
> > "Suing researchers is not going to make you secure. Alienating
> > the security community is not going to encourage people to come to you
> > and report problems and work with you."
> 
> To me, this hits a point that is even worse than remotely executing code
> on Cisco routers. In recent history we've had companies like Sybase,
> Sygate and Oracle file legal paperwork to put a gag order on security
> researchers. Now Cisco has joined in as well. This is *clearly* sending
> a message that if you intend to release the info to the public you
> should not approach the vendor first because you may get gagged. Better
> to just post it on the net, let the vendor find out along with everyone
> else and let them deal with the fall out.


I posted this to Full-Disclosure, but thought it would be relevant to
this discussion as well. It is, in my opinion, being overlooked by a
lot of folks.

In my opinion, probably the grossest error made by Cisco in all of
this was silently patching their IOS back in April. Anyone who's ever
used Cisco's software knows that you can never run the latest release,
unless you want things to break, and break badly. As a result, how
many organizations were at the latest, patched IOS release as of
BlackHat? Not many, I'd wager. If, however, Cisco had come clean and
told everyone that there was a serious problem in their IOS and that
exploitation was being actively researched by Chinese hacker groups,
you'd have seen a lot more uptake of that April IOS release. Instead,
Cisco hangs their customers out to dry.

Shameful, just shameful.
