<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx</link><description>I sent an email tonight...one that won't do any good other than to make me feel better...... Mr. Aitel is Dave Aitel from ImmunitySec whose firm has already released a proof of concept for yesterday's security bulletin MS 05-017 [message queuing] and</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#49987</link><pubDate>Tue, 31 May 2005 19:24:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:49987</guid><dc:creator>bradley</dc:creator><description>So, what you are saying is this.  If the Security vendor does not release a POC, then the exploit cannot be exploited?  I guess you assume that no one outside of a &amp;quot;Security&amp;quot; company can write an exploit?  Assuming you are secure while sticking your head in the sand will never work.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=49987" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#48600</link><pubDate>Mon, 23 May 2005 17:36:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:48600</guid><dc:creator>bradley</dc:creator><description>The point that needs to be made is that no security company should reveal in code exploits.  This defeats the purpose of security.  
If the company produces exploit code that can be used to attack a public entity be it home or business users then that company should be held liable.  The exploit is only used by those who are criminals and cause damage with their use.  You can liken it to building a tunnel and then publishing an article that states that if you place explosives at this location the tunnel will collapse.  The tunnel is sound as long as the information is not published and that the criminal does not have the information.  How many businesses actually have the expertise to test the fixes?  I would state that the vast majority does not have that ability, so who exactly are these public code samples being made available for?  Other security firms?  No because they are competitors, software vendor?  No because if this is a legitimate firm they would have already provided the code to software vendor for a fix.  So then who are we making the code available for.  The only answer is to the hacking community so that this firm can say look we informed the software vendor of this issue.  The issue blew up because the software vendor failed to act upon it in our (the security firm’s) time frame so we released it and look what happened.  &lt;br&gt;&lt;br&gt;Basically if a security company makes the code available then they should be liable for ALL damages.  If they think that the fix does not work then they can test it after the software vendor releases the patch if it still fails then they can work with the company.  If they choose not to work with a company then I see no reason that they should not be pursued for damages due to the release of the exploit to the hacking community.&lt;br&gt;&lt;br&gt;The reasoning is that if the code fix by the software company does not work…. What does the security firm accomplish by its release other than exposing the customers?
&lt;br&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=48600" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#47754</link><pubDate>Wed, 18 May 2005 17:15:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:47754</guid><dc:creator>bradley</dc:creator><description>No, the Linux community tells the small biz owner that they can 'roll their own patches'.&lt;br&gt;&lt;br&gt;Yeah...right....&lt;br&gt;&lt;br&gt;Apples and Oranges.&lt;br&gt;&lt;br&gt;The point is he did not have to be so arrogant to egg on the disclosure of a serious issue.  That's irresponsibility.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=47754" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#47752</link><pubDate>Wed, 18 May 2005 17:11:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:47752</guid><dc:creator>bradley</dc:creator><description>I think it's sad to say that you feel the need to send a letter like this to Dave Aitel, or ISS or anyone else for that matter.   As a security professional this type of code is almost usually already out in the hands of the individuals who are writing up the &amp;quot;worm&amp;quot; code.  POC especially in the case of what I do helps me verify my work.   Such an instance would be to verify that the patch installed properly.   Now I also understand that as a small biz user you might not have the time resources etc... to patch right away.   But as this argument always goes, WHEN is the right time to release?  Next week, Next month, Next year?  
&lt;br&gt;&lt;br&gt;My advice to you would be instead of sending e-mails like this to companies that have talented people who can find bugs and then submit them to MS for free so they can fix a broken product that they have made billions on send one to MS and maybe advise them that it would be nice not to have such broken software.   Or better yet, write your government for some legislation that would put vendors liable for corporate loss due to someone exploiting vulnerability in the crappy product that they released.  Come on if you bought a car that have as many problems as MS Software and you took a large loss because of an accident don’t you think you’d sue the Car company / tire manufacture what ever? &lt;br&gt; Putting pressure on the messenger will not fix anything.   Putting pressure on the vendor for more secure, more reliable software in the way of not upgrading or switching to a different product would probably help make a difference.   &lt;br&gt;&lt;br&gt;And BTW DUDE I’m not a large Linux / UNIX zealot that thinks things are that much sunnier on the other side of the street, everything has it’s “root compromise” issues.   But you also don’t see all the Linux users out there saying DON’T RELEASE THE POC code cause I haven’t patched yet.  &lt;br&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=47752" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#46674</link><pubDate>Thu, 12 May 2005 00:28:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:46674</guid><dc:creator>bradley</dc:creator><description>Hey...I'm from California...and he is a dude for egging on a POC like that.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=46674" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. 
Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#46673</link><pubDate>Thu, 12 May 2005 00:27:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:46673</guid><dc:creator>bradley</dc:creator><description>Dude?&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=46673" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#46245</link><pubDate>Mon, 09 May 2005 18:03:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:46245</guid><dc:creator>bradley</dc:creator><description>Could you use the word dude some more please... that would definitely help make your point.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=46245" width="1" height="1"&gt;</description></item><item><title>re: Dear Mr. Aitel</title><link>http://msmvps.com/blogs/bradley/archive/2005/04/13/42009.aspx#43640</link><pubDate>Wed, 20 Apr 2005 00:03:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:43640</guid><dc:creator>bradley</dc:creator><description>For what it is worth, your efforts are appreciated.  Even if it doesn't do any good, you have made me feel better too.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=43640" width="1" height="1"&gt;</description></item></channel></rss>