Press Release Response

Post by Jon Holstro » Tue, 14 Aug 2001 15:05:41

Quote:> A Call for Responsible Disclosure Guidelines for the Information Security
> Industry

> Updated: Mon, Aug 13 8:33 AM EDT

> HERNDON, Va. (BUSINESS WIRE) - By the time Code Red launched on July 13, a
> plethora of information was available on the worm, including the type of
> system it could infect, how quickly the worm would propagate and even the
> way in which it exploited systems. The public was extremely well informed
> and could find any detail it wanted to know about what could have possibly
> become the Internet's most devastating malicious code threat to date. But
> was this a good thing?

I say yes. More machines are now patched. People are more aware of the
importance of patching their systems quickly than ever before.

Quote:> Russ Cooper, surgeon general of TruSecure Corp. (www.trusecure.com),
> contends that full disclosure can actually help malicious code propagate
> and evolve into new strains. By making vulnerability and exploit
> information public before a software vendor can issue a patch and help
> customers secure their systems, organizations that practice full
> disclosure give hackers all the ammunition they need to launch a worm or
> virus.

The first paragraph mentioning Code Red, along with the second paragraph,
implies that eEye did *not* disclose to the vendor Microsoft before
releasing technical details, which is false. It does not mention that the
worm was an older worm with a more advanced buffer overflow technique than
what eEye came up with, and that this new buffer overflow was simply
grafted into an older worm. Instead by using carefully chosen words and
sentences, with a mix of facts and omissions, you have demonized eEye. Was
that intentional or coincidental?

Quote:> Mr. Cooper believes that the industry must develop responsible disclosure
> guidelines, established with an independent governing body that could
> develop and enforce such policies. The Responsible Disclosure Forum would
> advise vendors on the seriousness of threats to their software before
> making the information public. This would allow vendors and customers
> ample time to patch the vulnerability and minimize the effectiveness of
> any exploits launched. The Forum could also serve as an information
> resource to the media, ensuring an objective opinion on the seriousness of
> a threat, helping to guarantee responsible and useful reporting.

eEye *did* act responsibly. They worked with Microsoft and in a
coordinated effort, released their information at the same time. The
idea of a Responsible Disclosure Forum does not address that hackers could
(and do) disassemble all of the components of patches to determine what
was fixed, especially if it was a security patch. It does not address that
Microsoft has repeatedly added new features that are on by default without
telling anyone, which is evident when half of the workarounds for IIS
problems involve turning off a default setting that less than 1% of their
user base might ever use, let alone have even heard of.

Let us not forget the entire RDS episode, when you were using this "inside
information" to get clients, only to have a clever hacker develop an
exploit based upon the limited technical knowledge you divulged publicly.

In all seriousness, do you *really* believe what you are saying when it
comes to full disclosure, or is this a ploy to get press? From where I
stand, you and the rest of the security industry (including myself)
benefit from this either way. Considering that most of the security
community seems to respect and appreciate the full disclosure movement,
can't you just accept that the genie has been let out of the bottle? We
should simply move on to more pressing issues, such as vendors taking
responsibility for writing decent code in the first place, and mechanisms
to automate and simplify patch management. But you will never ever get rid
of full disclosure at this point. Period.

BTW, do you know who has your complete and full support? People who break
into computer systems and who hate the script kiddies that abuse their
privately-held exploits. They have an argument that full disclosure hurts
the underground community. Check out http://anti.security.is/ for an idea
of what I am talking about. My guess is they love you.

-         Simple Nomad          -     "No rest for the Wicca'd"     -


_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
