[25919] in bugtraq
Re: ISS Apache Advisory Response
daemon@ATHENA.MIT.EDU (dminor@houston.rr.com)
Sat Jun 22 12:51:08 2002
Date: 22 Jun 2002 06:56:36 -0000
Message-ID: <20020622065636.26933.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <dminor@houston.rr.com>
To: bugtraq@securityfocus.com
I've read through just about every single post regarding ISS and the Apache
bug, their advisory release, their defense, and the response of others throughout
the community regarding this issue.
I am not embarassed to say that I do not agree with ISS's defense. From an
ethical standpoint, I would interpret their handling of the release to be wrong
and a direct contradiction to some of the basic principles and standards under
which IT professionals conduct themselves. This incident had a negative impact
on many people (including the Apache develpment team) along with those of us
who are responsible for Apache systems. In the five years, I've been working
with Linux, I don't recall another incident being handled so poorly.
There are a lot of talented people working with open-source including the
end-users who use these products and I find it rather "dark" to single them
out by saying, "virtual organizations [??] do not have an ability to enforce
strict confidentiality." There is little to be gained by such a statement.
-- Patrick
"Opinions expressed are only mine."
