[67226] in North American Network Operators' Group
Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Thu Feb 5 15:13:33 2004
Reply-To: "Rubens Kuhl Jr." <rubens@email.com>
From: "Rubens Kuhl Jr." <rubens@email.com>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: <nanog@merit.edu>
Date: Thu, 5 Feb 2004 18:07:20 -0200
Errors-To: owner-nanog-outgoing@merit.edu

My point is that it is very unlikely that both bugs had been discovered by ISS
within the same time frame. Two days is also little time to develop and
test, which raises the suspicion on this issue.

I'm not against notification before disclosure, but it seems that the dates
on this announcement might have been changed in order to make the solution
appear to be developed in very little time. ("See ma, I'm damn fast")

Rubens

> Why is that bad? I have no objection to giving vendors a reasonable
> amount of time to fix problems before announcing the whole. Or is your
> point that two days hardly seems like enough time to develop -- and
> *test* -- a fix?
>
> --Steve Bellovin, http://www.research.att.com/~smb