[funsec] ISS: Pot, kettle, black, etc..

Josh Daymont jdaymont at secureworks.net
Wed Oct 5 13:27:32 CDT 2005

The opinions expressed in this email are my own and do not represent the
opinions of my employer, Secureworks.

In this case that gentleman from ISS marketing will surely get his hands
slapped for making such a comment.  Whether or not it is true doesn't really
matter.  The only people who really end up being frustrated in this case are
the actual researchers themselves.  These people pour their heart and soul,
and even in some ways their ego into an effort they believe is increasing
the security of the Internet, or at least is in some way supposed to make
them "famous," and many vendors are not only slow to respond but actively
stonewall or lie.  I've been involved in cases where lawsuits were threatened
against security companies.  I know someone who has been involved in cases
where a vendor's CEO started calling up random engineers at a particular
security company screaming obscenities and various types of threats.  We're
talking about the CEO of a publicly traded company here.  Never mind the fact
that this vendor was sent 10 notices/warnings over 9 months, including (I
was told) a written warning sent in registered mail, all of which were
ignored up until after the announcement was made.

To co-opt a Fresh Prince/DJ Jazzy Jeff song: "sometimes vendors just don't
understand."  Most people who've been involved in disclosure issues for more
than a couple of years have come to terms with this; I certainly have.  I've
wondered in the last year or so if vendors would continue to act the way they
did if they knew what some of these security companies large and small had
begun doing with vulnerability information while they were sitting on it.
Think there is a little bit of an intersection between vendor X's biggest
customers and security company Y's?  Think that security company is going to
hold out on their biggest customers?  If that same security company would
give away that info to their biggest customers, think they would decline to
sell it for a large lump sum to a vetted organization?  If there's extra
cash to be made when patches are slow to be developed think the security
companies are going to push the issue with a vendor?  Whether the vendors
realize it or not, increasingly it's the researchers and companies funding
research who are having the last laugh.  It'll be interesting to see where
things in this area go in the next few years.


-----Original Message-----
From: Young, Keith [mailto:Keith.Young at montgomerycountymd.gov]
Sent: Wednesday, October 05, 2005 1:45 PM
To: funsec at linuxbox.org
Subject: RE: [funsec] ISS: Pot, kettle, black, etc..


> How do ya like them apples? I seem to recall ISS was 
> itself involved in the whole sordid "Ciscogate" imbroglio...

Ah, but ISS Legal will have a different "agenda" than ISS Marketing. 

And honestly, he is right. Cisco, Oracle, and some small private
Internet security firms are the worst in terms of getting fixes
published even after vendor confirmation. Approximately 75% of the holes
that I reported to these organizations still exist after years of
product updates. I can't even imagine the frustration over threats of
public disclosure that X-Force, RAZOR, and many of you deal with on a
regular basis...

The only thing that has kept me from public disclosure is lack of time
for research/documentation.


Keith Young, Security Official
Department of Technology Services
Montgomery County, Maryland
phone - (240) 777-2955
