Open Source and information security mailing list archives
Message-ID: <Pine.SGI.4.44.0208251854580.137440-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Re: HP Full Disclosure Story

On Sun, 25 Aug 2002, Jonathan Rickman wrote:

> I think it is also very important to keep all parts of the conversation
> intact. There is a significant portion of this particular conversation
> that was not included, which I suspect, sent the conversation on the
> downward spiral.

It'd be interesting. However, I think it really comes down to two things. Initially Tamer was fair with HP, and pretty much throughout, HP acted with a typical corporate snootiness. It occurs to me that you are somewhat of an apologist for the HP attitude.

> No offense to Tamer, but this strikes me as a case of a researcher who
> insisted on setting HP's rules for them "on the fly" as it were.

They'd better get used to it. Researchers, hackers, blackhats and script kiddies simply don't give a damn about some "rules" or corporate policies inside of some megacorp. This is something that suits can't seem to get into their heads. You find a vulnerability, then you set the rules on how it gets released. Period. This is why things like the "responsible disclosure" RFC are practically worthless in this regard. That is, of course, unless the megacorp in question thinks it's better to have every kidiot on the block know about their vulnerabilities before they do (which happens quite a bit). IMHO, they are damn lucky that I don't have any of their hardware or software around here, because if I find vulnerabilities they'll be the dead last people to know about it.

> HP has a policy in place. Flawed or not, they have to work within the
> confines of that policy.

I'm sure all script kids ask themselves "Am I going to violate this company's policy by owning them?" Seriously, do you think hackers give a proverbial flying fuck about policies?

HP's "policies" have already created a lot of animosity toward them, and put them at a disadvantage when compared to another company that is more friendly to vulnerability disclosure. They are so stupid, they can't even see the value of the free work being done for them by folks like Tamer. Stupid people often get what's coming to them. I'd suspect that HP has pretty well pissed off the small whitehat researcher community, and now that leaves the field a bit more open to those who can use the opportunity to break them off some in a more proper fashion. Personally, the only criticism of Tamer I can make is that he wasn't cautious enough. HP could have responded by suing him, or if he's in some 3rd world country perhaps bribe the local authorities to act on their "complaint".

> "Let me be very candid here, you are not the first to assume
> that a $50 billion corporation will drop all the other security
> issues we are working on in order to work on yours because
> you threaten to publish. It has never changed the course of
> our work internally; we will continue to work on the issue
> until it is tested and finished."
>
> Honestly, that sounds pretty reasonable to me,

It sounds like typical corporate bureaucratic nonsense to me. Again, you sound like a corporate apologist (albeit a weak one). First off, let's take the $50 billion part and rewind back to the point when they developed their crappy networking gear in the first place. Perhaps if they spent more of that money on research, engineering, and quality assurance, then they wouldn't be dealing with such situations at all. Instead I see an awful lot of advertising, and you can bet that HP is no different than any other megacorp where the scientists and engineers make peanuts compared to the executives, and in many cases even their first-line managers. Another thing is that this HP cocksmoker has a very bad attitude.

Things might have been different if he said "Thanks for the info Tamer, we are slammed right now but I know we can get this fixed in 30 days." What's he do instead? He acts like a haughty prick, and then when Tamer goes public they scramble to release their own "advisory" ASAP. Sounds like he dictated the rules after all.

> considering that we do not have the privilege of reading the
> communication from you. For all we know, your email to them, consisted
> of "ph33r m3 HP, eye will dr0p dis 0day b0mb on yo @z in 10 minutes if
> joo do not r3zpect my skillz!!!"

Well, if you are some vice president of security or whatever BS title you want to pick from this guy's sig, then you should be able to maintain your cool when you see that the person you are dealing with has a legitimate vulnerability and they've _at least_ given you the opportunity to address it before they do drop it on the public. Like I said, it's more than I'd have done for them. It reminds me of "... because he's holding a thermal detonator!"

> Once again, Tamer, no offense intended, but that part of the
> conversation does seem to be critical, since that's where things turned
> south.

Nope, I disagree. It's not critical. We've seen the critical elements that relate to our ongoing discussion of vulnerability disclosure. Again, even if Tamer antagonized the guy, he should still keep a level enough head to do his job properly (which is to protect HP's security interests, which he is clearly not doing by antagonizing Tamer).

> As for their September 11th remarks, I consider that pretty tasteless
> and cliche,

... and pretty homogeneous with the rest of his attitude and remarks.

> and I seriously doubt that that is the "Company Line", but rather the
> work of one individual who has not learned to toe that "Company Line"
> quite right.

We are discussing a company that has been known to get lawyers involved when exploits are published. Don't be so sure that jerks like this guy aren't rampant in the "industry" end of security, and especially HP. They've given plenty of evidence to make it seem like, as a company, they are hostile to even "legitimate" vulnerability researchers.

> Another possibility is that the folks at HP were slow to pick up on the
> fact that English is obviously not your first language, and ask for
> further clarification. Sometimes that is a source of confusion, even
> when dealing with someone who writes fairly well, such as yourself.

So what? That gives them the right to be rude as hell and try to jerk someone around?

> I think Dan at HP summed the whole thing up best when he said, "We did
> reply, and you are making the assumption that your issue is the only one
> we have to work on, and that it is the most important." I suspect that
> he hit the proverbial nail right on the head with that one.

Well, first off, as I read it Tamer made no such assumption. His only flawed assumption was that they'd cooperate and act like professionals if he disclosed this vulnerability to them. If they were truly too busy to work on his issue, they could have just been honest about that fact in a more polite manner and it'd have been more professional. Furthermore, if they don't have enough resources to fix vulnerabilities in a timely fashion and hire professional folks, then they should _get those resources_, instead of some trite, inflammatory whining which insinuates that they can't be bothered with yet another vulnerability which someone researched for them for _free_.

aliver