[102418] in North American Network Operators' Group


Re: IBM report reviews Internet crime

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Feb 12 17:10:53 2008

Cc: <michael.dillon@bt.com>, <nanog@nanog.org>
From: Owen DeLong <owen@delong.com>
To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: <87tzke2c1b.fsf@mid.deneb.enyo.de>
Date: Tue, 12 Feb 2008 14:05:36 -0800
Errors-To: owner-nanog@merit.edu



On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:

> * Owen DeLong:
>
>> If the vulnerability cannot be corrected through a vendor patch, then,
>> one has to wonder what, exactly, the vulnerability is.
>
> You assume that a vendor patches a vulnerability once they learn about
> it.  In my experience, this is not true.  Sometimes it's easy to explain
> (product or vendor ceased to exist), sometimes it's not (some cross-site
> scripting issues I'm trying to straighten out; minor bugs to you
> perhaps, but huge media exposure because of their visibility and
> reproducibility--think FDIV bug).

No, I presume that a vulnerability identified as "cannot be resolved
through vendor patch" means a vulnerability for which, even if a vendor
patch were available, it would not resolve the vulnerability.  A
vulnerability for which a patch is not yet available, but which could be
resolved if the vendor released a patch, is a vulnerability which "CAN be
resolved through vendor patch when one becomes available."

It is unclear from the text provided which of our conflicting definitions
for the term applies in IBM's text.

Owen
