OSEC

From: hellNbak (hellnbakNMRC.ORG)
Date: Tue Jun 26 2001 - 00:44:37 CDT

    By now most of you have seen this:

    http://www.msnbc.com/news/592066.asp?0dm=C1BQT

    I have a few comments on this, hopefully they will make it to the lists,
    but I doubt Mr. Cooper will approve this post on his.

    First, I speak for myself, not my employer, and especially not NMRC -
    Simple Nomad is the only person authorized to speak for NMRC - I am simply
    a member of this fine group.

    Now for a simple but true statement - keeping vulnerability information to
    yourself does not improve on security. Until vendors become more
    responsive to reported issues RESPONSIBLE full disclosure is the only way.

    Note the use of the term RESPONSIBLE - this is not what guys like Georgi
    Guninski do - RESPONSIBLE is working with the vendor to get the issue
    fixed. I am not going to rant on this - go read RFPpolicy at
    www.wiretrip.net for guidance if you so desire.

    What I really want to rant about is this little group that Mr. Cooper
    wants to start up. We already know that groups like this will not improve
    anything and we already know that Russ Cooper is not the person to be
    handling this type of information. How do we know this?

    Let us look at how Russ handled the MSADC/RDS issue a few years ago. Russ
    took this information that one of his sheep err I mean faithful posters
    gave him and kept it to himself for a day or so. Then, Mr. Cooper decided
    that he needed some media attention so he called his buddy at MSNBC then
    posted to his own list a high level vague rant about some new vuln he
    knows about. Lucky for us, someone else came along and discovered the
    issue and quickly posted it for all. Do we really want to hand Russ all
    of our 0-days and trust that he will do the right thing? I certainly do
    not.

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    "I don't intend to offend - I offend with my intent"

    hellNbaknmrc.org

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-