mailing list archives
Re: Cisco PIX Firewall (smtp content filtering hack)
From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Thu, 21 Sep 2000 10:58:40 -0700
As a Cisco customer, I personally prefer to get notification as soon as
possible. Cisco has known about this bug, but they haven't notified their
customers. That is an example of stinky corporate non-ethics at
work. We should be notified instantly whenever new security
vulnerabilities are discovered.
I certainly understand the individual want for such information: it affords
the intelligent and competent admin a choice in
interim fixes or temporary policy changes. However, it makes for poor risk
management at the global level.
The potential for malicious abuse is far greater when exploits that have no
patch are made available to the general public.
Of course, this isn't Cisco's preference, so they choose instead
to leave their customers in the field with equipment that has security
problems which are certain to be discovered by a third party and possibly
They are not certain to be discovered- not individually and without
foreknowledge, anyway. The probability exists, of course, but it is not
likely. But here in lies the basis of the full disclosure game of chess.
Though there are vendors who will only release vulnerabilities and patches
against holes when they are forced to, there are also responsible and
concerned vendors who work diligently to not only quickly patch such issues,
but to look for interim fixes in the meantime. Cisco and Microsoft are good
examples of the latter.
When working with such companies, it is always better to go directly to the
vendor and work to provide a solution without going to full disclosure, and
to release the kb with an associated solution. When ego and self
publication are obviated, timely and thorough solutions are propagated.
People like Weld Pond and Rain Forest Puppy know this and practice this;
that (in addition to superior intellect) is what makes them, and others like
them, respected in the industry.
You and I (along with thousands of others) now know about this
vulnerability. We would not have discovered it on our own, but we now know
what it does and how to use it against others if we chose to do so. Had the
issued been taken directly to Cisco and kept under hat, even if it took
months, then we all would have been far safer.
thor () hammerofgod com
----- Original Message -----
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, September 20, 2000 9:46 AM
Subject: Re: Cisco PIX Firewall (smtp content filtering hack)