Information Security News
mailing list archives
RE: Full Disclosure: How Much Security Info Is Too Much?
From: InfoSec News <isn () c4i org>
Date: Fri, 5 Oct 2001 02:51:46 -0500 (CDT)
Forwarded from: Marc Maiffret <marc () eeye com>
Ya, Lyman is a good guy, just screwed the facts a bit. I've been meaning to
email him to let him know that...
I still hate the canned phrase "came under fire" since we never really
did come under fire for anything. Unless coming under fire means two
ignorant people rambled their mouths about a topic they had no
understanding of. :-]
Chief Hacking Officer
eEye Digital Security
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: owner-isn () attrition org [mailto:owner-isn () attrition org]On Behalf
| Of InfoSec News
| Sent: Thursday, October 04, 2001 1:05 AM
| To: isn () attrition org
| Subject: Re: [ISN] Full Disclosure: How Much Security Info Is Too Much?
| Forwarded from: Kim Zetter/PCWORLD <kzetter () pcworld com>
| Per Jay Lyman's story about full disclosure at NewsFactor Network
| (http://www.newsfactor.com/perl/story/13871.html), he wrote:
| > Experts agree that advisories, by their very nature, may be a heads-up
| > to hackers. eEye Security came under fire for disclosing the Code Red
| > vulnerability in June before Microsoft had released a patch for the
| > hole, and again for releasing detailed information after Code Red was
| > controlled, which some blamed for the success of the Code Red II virus.
| I'm not sure where Lyman got his info but, according to eEye (and per
| the story I wrote about it at
| http://www.pcworld.com/news/article/0,aid,60744,00.asp )
| the company notified Microsoft of the vulnerability in May and waited
| a month for the patch to be produced before making their announcement
| simultaneously with Microsoft's posting of the patch in June.
| In fact, Marc Maiffret of eEye says that they were scheduled to post
| the announcement a week earlier, but Microsoft contacted him to ask
| for more time, saying there was a problem with the patch and they
| needed another week to fix it.
| eEye complied. Jay Dyson correctly noted that Microsoft publicly
| thanked the company for waiting until they had prepared the patch.
ISN is currently hosted by Attrition.org