Thanks for the research, Jim. The debate rages on about full disclosure of vulnerabilities and whether the discoverer should/should not notify the development team first and then make/not make a public announcement, letting the world know that they found it first due to their superior mental powers or strong market position or both. It is also an interesting point about publishing for blatant recognition, especially when it is unwarranted. I suppose our market culture pushes some to publish trivial information to better market their organization, but if money was not behind it, I think pride would be.

Personally, I am in favor of polite full disclosure, where a self-realized white or gray hat does not need to prove something to the world, but realizes they have found something that could harm a lot of end users and takes the steps needed to help those people who are *using* the tool. To me this would mean letting the developers know first and then telling the user community immediately afterwards, as you never really know if you are the only one who knows about a new vulnerability at a given point in time, and some developers simply will not fix software unless poop is publicly smeared on them. Perhaps this way everyone is treated equally (more or less).

The main takeaways for me on this issue were the speed at which the Apache development team (like many open source projects) made a working patch available; was that one day? I do not think the proprietary folks can ever match this. A second issue is how great technology still does not guarantee accuracy (or relevancy sometimes) in the information it rapidly disseminates; it's still a bunch of guys - they just move faster.
---------------
Chuck Young
Security Consulting
Genuity E-Services
--------------------

-----Original Message-----
From: discuss-admin at blu.org [mailto:discuss-admin at blu.org] On Behalf Of Jim Long
Sent: Saturday, June 22, 2002 11:59 PM
To: discuss at blu.org
Subject: Rumors of MS involvement in Apache advisory

Regarding rumors of Microsoft involvement in ISS announcement of Apache flaw:

Robert La Ferla said:
> Apache (and the big bad monopoly tactic)
> ...However, ISS, a Microsoft partner, did not tell the Apache
> developers first so no patch was available yet everyone running
> it was vulnerable. The article implied that Redmond is taking a
> new tactic on badmouthing open source software.

You did not say where the article was. I wanted to see how this rumor was started, so I did some searching for the article. Since I went to the trouble of finding out, I will share what I found with the discuss list:

First, the original advisory by ISS was complimentary toward Apache:

"The Apache Project is an open-source and volunteer collaboration aimed to create and maintain a free, feature-rich, powerful, and secure Web server implementation. Apache is well regarded as the best, freely available Web server."
http://online.securityfocus.com/archive/1/277249/2002-06-15/2002-06-21/0

The advisory also included this info about Internet Security Systems (ISS):

"Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East."

A poster on Slashdot said:

"I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases."
http://apache.slashdot.org/apache/02/06/17/1948249.shtml?tid=172

Note: in the above, "company" was a link to McAfee Anti-Virus, and "useless bug reports" was a link to commentary on "New Virus Infects Picture Files."

The Register noted the above posting and made it sound more sinister:

"There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say."
http://theregister.co.uk/content/4/25766.html

Robert mentioned that ISS is a Microsoft partner. This does not necessarily mean that MS has any role in ISS's announcement about Apache. ISS is a security solution company. My own feeling is they wanted to be the heroes who announced the problem and provided the solution. Actually providing a poor solution was not to their, or Microsoft's, benefit.

ISS partner information: ISS makes the RealSecure® intrusion protection solution, which works on top of, or in conjunction with, other security products by ISS partners including Check Point VPN/Firewall, Netegrity SiteMinder, Top Layer Attack Mitigator, Invoc Alarmpoint, Nokia devices, and Microsoft ISA Server (Internet Security and Acceleration Server 2000).

All in all, I think ISS wanted the publicity, but they goofed. In my humble opinion, rumors of Microsoft's involvement (in this particular instance) are unfounded.

Jim Long