In regard to the negative reactions, one of the researchers I spoke with had the following comment:

"These are people who want to look smart. Whether they find something, or they can describe something a smart person found, they look smart. But if they can't describe the vulnerability -- because the details are not out -- the only way they can look smart is to disparage it. To admit it's good but to not know why is visibly weak."

Gordon "Fyodor" Lyon has made quite a detailed website dedicated to discussing Jack Louis's findings. I have previously made comments about his thoughts, but now respond in more detail.
Introduction
At the end of August 2008 we contacted CERT-FI about the DoS issues, who then began to contact vendors. In September we gave a talk at the Sec-T conference describing background information and demonstrating the issues. We continued to follow up with CERT-FI for feedback from the vendors. Not much progress was made in this time. At the end of September I met Brenno De Winter after giving a Security Metrics talk in Amsterdam.
After returning from Amsterdam, we agreed to a phone call with Brenno. This phone call was turned into a podcast and an initial story which was then syndicated via IDG's news network. Rsnake then blogged about it, which got onto Slashdot. Once on Slashdot, many other news networks started to pick up the story. I received many calls and emails for comment. I gave interviews in the hopes that they would have the most accurate and complete information available while writing their stories.
After these mainstream news outlets posted their stories, the vendor community took much more interest in the findings. We are now working closely with them to ensure they have a chance to fully understand the extent of the findings and prepare suitable solutions.
While it was our intention to release more details at the T2 security conference, we opted to continue to work closely with, and give more time to, the vendor and standards communities. We are not putting them under undue pressure to rush out poorly implemented fixes.
"While I know and respect these researchers, I've had enough of the recent spate of people announcing (supposedly) massive security vulnerabilities, then refusing to back up their claims with details until a talk weeks or months away."
We have backed up our claims for the critical vendors we believe to be affected. Furthermore, as demonstrated by our not releasing details at T2, this was not a ploy to hype up a talk. The issues we're describing are real and do affect the systems we have made claims about.
October 17 - Cisco says "the TCP vulnerabilities that Outpost24 announced are an extension of well-known weaknesses in the TCP protocol" (emphasis mine) and "Cisco PSIRT is aware of the vulnerabilities and is actively investigating what impact these vulnerabilities may have on Cisco products".
They go on to say that they are actively working with us and CERT-FI. They also state that the best current mitigation is to whitelist which IP addresses are allowed to connect to your critical TCP services.
On this other Cisco alert page, the issues are listed as confirmed.
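As an added example of that mitigation (not code from Outpost24, Cisco or CERT-FI), the following POSIX shell function builds an nftables ruleset that lets only allowlisted source addresses reach a set of critical TCP ports and drops every other connection attempt to those ports; the CIDRs and ports are constructed sample values, and nftables is assumed as the host firewall.

```shell
#!/bin/sh
# Added example: generate an nftables allowlist for critical TCP services.
# Assumptions: nftables on the host; CIDRs and ports below are constructed.
set -eu

# Emit an nftables ruleset to stdout.
# $1 = space-separated source CIDRs, $2 = space-separated TCP ports.
build_allowlist_ruleset() {
    cidrs=$1
    ports=$2
    # Reject malformed CIDRs so a typo does not silently open or close a port.
    for c in $cidrs; do
        case "$c" in
            *.*.*.*/*) ;;
            *) echo "bad CIDR: $c" >&2; return 1 ;;
        esac
    done
    set_elems=$(printf '%s, ' $cidrs); set_elems=${set_elems%, }
    port_elems=$(printf '%s, ' $ports); port_elems=${port_elems%, }
    cat <<EOF
table inet tcp_allowlist {
    set trusted_sources {
        type ipv4_addr
        flags interval
        elements = { $set_elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ip saddr @trusted_sources tcp dport { $port_elems } accept
        tcp dport { $port_elems } drop
    }
}
EOF
}

# Constructed sample: a management subnet plus one monitoring host,
# protecting SSH (22) and BGP (179). Load with: nft -f <(this script)
build_allowlist_ruleset "10.0.0.0/24 192.0.2.10/32" "22 179"
```

Other traffic to the host is left to the existing policy; only the listed ports are restricted to the set.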
October 17 - CERT-FI updated their statement to include the following:
"We are researching and handling the issue with several vendors from all potentially affected branches of network equipment and software. Once we are fully aware of what types of network equipments and services are most possibly affected, we will make more vendor contacts. [...] we estimate that the full publication of the details of the issue may take until next year. CERT-FI will publish more information on the developments of the issue coordination as the coordination progresses."
FAQ
Q: Where are the details for the findings?
A: The details are with the parties that can effect change. All vendors are encouraged to contact CERT-FI. We expect to go public with the details in 2009.
Researchers are of course free to speculate all they like. However, they should indicate that what they discover are their own findings, not Jack's.
Q: Where can I learn more about this situation?
A: This blog, CERT-FI, and the various vendor and standards bodies as more information is disclosed. Those who are not privy to the full and complete details may not be accurate sources of information on Jack's findings.
Q: What if I have more questions for you?
A: I can be reached at robert@outpost24.com

1 comment:
Thanks for keeping track of this issue Robert. I will link to this blog from NWW.com