Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life
From: Rustin Ross (rustin@ROSSMACH.COM)
Date: Tue Apr 25 2000 - 14:04:12 CDT
- Next message: Federico G. Schwindt: "Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- Previous message: Russ: "Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- In reply to: Russ: "Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- Reply: Rustin Ross: "Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Look at RFP's contributions in total over the past year and a half. Cut the
guy some slack.
-----Original Message-----
From: Russ [mailto:Russ.Cooper@RC.ON.CA]
Sent: Monday, April 24, 2000 8:16 PM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life
RFP's **ORIGINAL** advisory, the one that was seen initially by Attrition,
Microsoft, and WSJ was **SUBSTANTIALLY** different than the one he sent to
Bugtraq and other lists. In the interest of fairness and honesty, Attrition
might publish that **original** advisory?
e.g. In RFP's **original** advisory, there was no mention that the scope of
the vulnerability was limited to users with Web Author permissions. His
**original** advisory claimed that you only needed to know the "backdoor
password" and how to obfuscate it (hence all the work on a script to do
that)...and *anyone* could access all of the .asp files on any FP site.
Minor nit? Anyone versus Web Authors? I think it was the *substance* of the
WSJ story, if not the advisory itself.
The entire 2nd paragraph of his **REVISED** advisory was contrived after the
WSJ story was locked, probably after discussions with me (when I told him
much of what was in that 2nd paragraph) or discussions with MS.
After receiving analysis of his advisory (from myself and others), RFP
**REVISED** it to present to the general public.
The revisions clearly attempt to mitigate the scope of the vulnerability
from what RFP originally said it was, to what he had now learned it was.
This was clearly a case of cover-my-ass by RFP, knowing he had misinformed
WSJ (and others) the night before.
In his inimitable fashion, his recent revisionist treatise is akin to
Montgomery's memory of WWII.
I published what I knew, retractions, and corrections by others. My actions
have been aired for all to see. Unfortunately RFP has chosen to forget many
things, and attempt to present you his after-thoughts, revised, and
incomplete.
Were it not for some very irresponsible statements by the moderator of a
Windows 2000 Magazine mailing list, I probably would not have bothered with
this clarification. Being labeled "irresponsible and stupid", however,
cannot be taken lightly.
Had it not been for the incorrect (at least) assertions that RFP made in his
**ORIGINAL AND UNPUBLISHED** advisory, WSJ would not likely have written a
story at all, and I certainly wouldn't have contributed to a story with such
limited scope.
Read the original quote from Steve Lipner in the WSJ, you can see how the
media writes their stories;
"The manager of Microsoft's security-response center, Steve Lipner,
acknowledged the online-security risk in an interview Thursday"
Sure, IMO Steve probably did acknowledge that there was an "online-security
risk" based on RFP's claims. Did he "confirm" it? Nope! Did he say
"Everything RFP has claimed is true!" Nope! Yet others re-wrote that section
of Ted's story to say that MS had "confirmed it."
"and described such a backdoor password as "absolutely against our policy"
and a firing offense for the as yet unidentified employees."
Well, obviously...duh. Of course such a backdoor would be described as
"absolutely against our policy." That's the only quote from Lipner;
everything else is Ted's words paraphrasing or explaining what he heard
Steve say as it pertained to RFP's **original** advisory.
Bottom line is that RFP **hyped** this story by giving it to the press/had
it given to them/knew it was going to the press. He then, after receiving
analysis from myself and/or MS that showed the vulnerability did not have
the scope he claimed, re-wrote his advisory to include that information and
make it appear that he wasn't hyping the issue. Could be that he also
informed WSJ about the revisions; if so, it was too late...they had already
gone to press with what they had. I know I couldn't contact Bridis from
Thursday evening through to Friday morning to revise my comments.
It should be a clear lesson to anyone who thinks they've discovered a
vulnerability, before you go to the press be sure you have all of the
analysis necessary to vet your own claims. IMNSHO, this can be done best
with sufficient time and the Vendor, for others it may be best to do it on a
mailing list. It's rarely best to go to the press first, as they usually
cannot make the same revisions you can in a given amount of time (and time
is an unknown quantity with the press).
From my perspective no more needs to be said about this issue...other than
an observation about the glaring lack of media coverage of a *real secret
backdoor* in Red Hat Linux?? Go figure, guess it's not important.
Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net