PGP 8.0 released today
Michael H. Warfield
Fri Dec 13 19:23:02 2002
My ears were burning. :-)
On Wed, Dec 04, 2002 at 07:24:48PM +0100, Olaf Gellert wrote:
> > And when you find a bug you have to report it to them only, and are only
> > allowed to publish it openly 30 days after you report it to them. So since
> > you are officially (unofficially you change it yourself of course when you
> > know how, AND when they release the complete source) not allowed to
> > distribute any changed versions they want 30 days security by obscurity.
> Well, this seems to become the industry standard as microsoft
> suggested. Even ISS seems to stick to the 30 days, as presented
> in their new policy for publishing information about security
> holes. I think, 30 days is quite a long time, but there HAS
> to be some time for the developers to fix the bug before
> anyone tries to develop exploits. Just think of the last
> security hole in Apache, when ISS published their report
> just after the Apache developers were informed (so they
> had 2 hours to fix the hole). This is bad style... And
> not only a PGP issue.
1) The Apache hole was already known in the underground.
2) An exploit was known to exist (read the Gobbles confession to
bugtraq) and confirmed by subsequent postings to bugtraq.
3) Systems had already been broken into and exploited (read the
Gobbles confession to bugtraq). FWIW, we knew systems had been broken
into but we didn't know what OS. Turns out, we had that point wrong.
We thought they were breaking into Windows systems with Apache. Turns
out to have been *BSD systems. Sigh... You can only work with the
intelligence you are given.
4) A fix for the known problem was provided. Yes, it didn't fix
all the problems the Apache crew were working on. It did (and even the
Apache group later had to admit this) fix the problems WE were aware of.
They corrected their statements and we updated our advisory to recommend
their patch. End of story.
ISS has 30 days as a GUIDELINE and is basically what we have
always had. A guideline is a rule of thumb, NOT a rule of law. I've
given vendors months to fix their stuff and some have needed it legitimately
and some have used it irresponsibly to shuck us off. There was some
discussion about the entire ISS security disclosure guidelines including
warnings that way TOO many people would read the word "guidelines"
without having a clue as to the meaning of the word and think that this
was cast in cement. In the same paragraph was the remark "unless other
arrangements have been made". Of course, we didn't mention that
other arrangements are almost always made. The only time "other arrangements"
have not been made is when a vendor (rarely) refuses to acknowledge
any contact or communications at all. Then the 30 days holds and the
clock is ticking...
Under our published guidelines, even the Apache release was
covered under the acceleration clauses.
> Cheers, Olaf
> Olaf Gellert _ - __o
> firstname.lastname@example.org _- _`\<,_
> http://www.arasca.de/olaf/ - (_)/ (_)
> Most people would sooner die than think; in fact, they do so.
> -- Bertrand Russell
Michael H. Warfield, | Main: (404)236-2600 Direct: (404)236-2807
Senior Researcher - X-Force | Cell: (678)463-0932
Internet Security Systems, Inc. | E-Mail: email@example.com firstname.lastname@example.org
6303 Barfield Road | http://www.iss.net/
Atlanta, Georgia 30328 | http://www.wittsend.com/mhw/
| PGP Key: 0xDF1DD471
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----