Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: Matthew Pemble (mpembleISINTEGRATION.CO.UK)
Date: Thu Apr 27 2000 - 09:01:10 CDT


I think we have a number of "full disclosure" issues here, and I think this
particular vulnerability justifies full disclosure.

Security risks can fall into (incomplete, but I am supposed to be working)
the following areas:

1. Mistakes in design or coding which the vendor is happy to fix.
2. Mistakes in design or coding which the vendor can't / doesn't want to fix.
3. Deliberately introduced vulnerabilities, such as backdoors.

Obviously, to differentiate between the first two cases, you need to contact
the vendor. If they brush you off or deny all existence of the
vulnerability, go ahead and publish. If they are fixing it, they should
publish (and hopefully credit you.) Note, in the latter case, that a
vendor's own mailing lists are likely to reach more of their clients than
any security list.

However, in the third case, the vendor has deliberately broken the security
of their application. Don't we deserve to know that they have been so
massively dishonest - it could be them breaking into our systems, not the
script kiddies or crackers? In that instance, why not publish immediately?
Hopefully then, enough of their clients will complain that they are forced
to fix it.

Mind you, exactly how much information you should publish is another matter
...

Matthew Pemble

* Making mistakes for myself, not for my employer *

-----Original Messages snipped for bandwidth control -----
