[25909] in bugtraq
Re: ISS Apache Advisory Response
daemon@ATHENA.MIT.EDU (Kee Hinckley)
Fri Jun 21 18:30:23 2002
Mime-Version: 1.0
Message-Id: <p05111a03b9392a7c8d50@[192.168.1.104]>
In-Reply-To: <F3E7C024F0FD4E44BC78DB62CEBC16135682@atlmaiexcp02.iss.local>
Date: Fri, 21 Jun 2002 15:25:29 -0400
To: "Klaus, Chris (ISSAtlanta)" <CKlaus@iss.net>
From: Kee Hinckley <nazgul@somewhere.com>
Cc: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
At 6:06 PM -0400 6/20/02, Klaus, Chris (ISSAtlanta) wrote:
>In the case of this advisory, ISS X-Force provided an Apache patch and did
>not see a need for a long quiet period.

I do not believe that there are any circumstances in which a
non-vendor provided patch can be considered equivalent to a quiet
period. The belief that you can just issue a patch and consider the
problem solved shows a complete lack of understanding for the
software development process. Review, testing, and QA are all part
of that process--a third party patch is no substitute for those. And
no security researcher can claim to have a better understanding of
the ramifications of a problem than the vendor. This behavior also
completely ignores the fact that even for Open Source software there
is an issue of binary-only distributors who need to be given a
heads-up.

>Due to the general nature of open-source and its openness, the virtual
>organizations behind the projects do not have an ability to enforce strict
>confidentiality. By notifying the open source project, its nature is that
>the information is quickly spread in the wild disregarding any type of quiet
>period. ISS X-Force minimizes the quiet period and delay of protecting
>customers by providing a security patch.

You're kidding, right? "We had to make it public because we didn't
trust the vendor to keep it secret"? I expected an apology from
you--not an attempt to justify your behavior. Some people just
don't know how to say, "Oops, I was wrong."

I see absolutely no reason that notification of open-source projects
should follow rules any different than those for closed-source
projects. The only time you should issue a patch without prior
notification is if there is no known maintainer for the software--and
even then it would be wise to run the patch by other people who use
the software first. ISS's behavior here has been completely
irresponsible, and has potential to seriously damage the reputation
of the Apache software. And as one of the thousands of system
administrators currently scrambling to update multiple servers on
multiple platforms scattered on hosting providers around the world, I
sincerely hope that ISS will retract this new definition of "quiet
period" that they have invented.

--
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.