North American Network Operators Group


RE: Vendor Vulnerability Release Problem

  • From: Hannigan, Martin
  • Date: Tue Feb 01 13:27:20 2005

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]On
> Behalf Of Robert Mathews
> Sent: Tuesday, February 01, 2005 11:01 AM
> To: Hannigan, Martin
> Subject: Re: Vendor Vulnerability Release Problem
> 
> On Tue, 1 Feb 2005, Hannigan, Martin wrote:
> 
> > Date: Tue, 01 Feb 2005 01:17:42 -0500
> > From: "Hannigan, Martin" <[email protected]>
> > To: "'[email protected]'" <[email protected]>
> > Subject: Vendor Vulnerability Release Problem
> >
> >
> >		[ .... ]
> >
> > They did concur that the current system is broken. This is part of the
> > reason I decided to post this. To let everyone know that this is a
> > problem and the vendors agree.
> 
> 
> Martin:
> 
> Thank you for posting this note, as the subject item is of immense
> interest to me personally, and to many within US Government. My question,
> which I will pose to you shortly, is a broader one; one that goes beyond
> the world of ISPs and NSPs to the vastness of the IT world. Still, your
> concerns are very much valid in such an area as well.
> 
> Before I go forward, I would like to disclose that I do not attend NANOG
> meetings regularly.
> 
> With regard to your post, Martin, I would like to ask you just how you
> see it when you say that "they did concur that the current system is
> broken." Studies done within Government indicate a LARGER problem than
> 'after-incident action', which directly points to vendor acknowledgement
> itself. I am not at liberty to provide further details on the studies,
> but it suffices to say that vendor behavior is seen as a significant
> problem. So, what of Vendor Behaviour?

There appeared to be a consensus that the current methodology
is broken. The vendors stated this themselves. The two presenters
would need to clarify that further.

As far as vendor behavior is concerned, I can't comment on that.

It was clear, at least to me, that there is no transparent or uniform
method of distributing serious vulnerabilities, at least none that
participants of NANOG are aware of.

I will concur that the vendors may not currently have a way to proceed
with these problems, but I don't know that the operator community,
ground zero for these vulnerabilities, hasn't been consulted as a
whole. ((archives)).

> > I *was* disappointed in was the harsh criticism of DHS. The vendors called
> > DHS and the Pentagon the biggest source of leaks related to 'their' security
> > vulnerabilities. I don't know if that's true, but if they are, I hope
> > they're leaking to the right people.
> 
> 
> Since I was not there for the discussion, I could not appropriately relate
> to the exchange held, but I would just like to understand, if I may, what
> the perception by the many gathered of DHS and the Pentagon was,
> respectively.

My interpretation of the event was that the speakers considered
DHS and the Pentagon to share some level of responsibility as to
why vendors can't detail serious vulnerabilities. The feedback
seemed to deride the Pentagon more than DHS. I can't gauge what
the participants felt. As a guess, I think it was believable in 
the way it was presented.

The overall impression was that the relevant government 
agencies are not credible. (I disagree from my own experience).


> If you feel that this matter would be of interest to the NANOG community,
> do feel free to re-post.

Reposted whole.

> 
> > -M<
> 
> Thank you for your time, Martin.
> 
> Best,
> Robert.
> -------
> Robert Mathews, MSc. - Mgmt. (Honors), Ad.PD. - Econ. (Honors)
> Chancellor's Professor of Science &
> Distinguished Senior Scholar on
> National Security Affairs & U.S Industrial Preparedness
> @ University of Hawai'i
> Telephone:  315.853.7853 (NY) / 703.655.7124 (VA/WDC)
> Telecopier: 808.933.3473 (HI) / 315.859.1998 (NY)
> E.mail: [email protected]