Perhaps you slightly misunderstood my "attitude" and are jumping to 
conclusions so that you can put a convenient label on me.

I am not saying that Cisco should keep security problems a secret, rather 
that dissemination of information about sensitive issues posing a security 
threat to many should be carefully considered and coordinated.

If you have access to the applicable bug reports, you will see that it was 
exactly the PSIRT team who carefully edited/removed all enclosures to make 
sure that the information necessary to reproduce the attack is not easily 
extracted. All the protocol names were replaced by XXX, for example. 
Personally, I was impressed by the thorough job they did. The only hints I 
could find were the code diffs.

Now, does this mean that Cisco wants to hide the problems? Not at all. As 
you say, Cisco has always been good at publishing security flaws. The 
Security Advisory in question is still being updated, too. So I think Cisco 
has deserved some patience and the right to decide when to publish what 
information.

Having said that, I am not writing to this mailing list as a representative 
of Cisco. What I say is my personal opinion (and believe it or not, it is 
not influenced by the fact that I work for Cisco -- only what I do *not* 
say is influenced by that fact). I am using my Cisco email because it is 
convenient. I have hoped that people on this list are mature enough to 
realize this, but perhaps I was wrong. I will switch to Yahoo now.

>   Perhaps we should send your response to this to John
>Chambers and see what he will say.

Will you also tell your daddy/bigger brother about me? :)

Thanks,

Zsombor

At 11:43 AM 7/18/2003 +0000, Peter Benac wrote:
>I am glad you are not representative of the current Cisco Culture.
>
>Your attitude in this matter really is not acceptable and I would hope that
>Cisco's attitude would be better.
>
>Any exploit, hypothetical or not, quickly spreads across the internet faster
>than Bill Gates can find another security flaw in Windows.
>
>My Solaris Servers that face the internet are under constant bombardment
>from would-be Windows script kiddies. It doesn't matter to them whether I
>have a Solaris System or a Windows System. They want to be real hackers and
>will try anything that is posted.  This applies to other systems as well.
>Cisco has the major market share and therefore is the primary target.
>
>Cisco is not Microsoft, and never has been. They have always put their flaws
>right in people's faces. The infamous SNMP bug was published and fixed long
>before CERT published it. Cisco has a PSIRT team whose sole function in life
>is security risk assessment.
>
>I have never known Cisco to call a potential Security threat
>"Entertainment".  Perhaps we should send your response to this to John
>Chambers and see what he will say.
>
>I still remember his e-mail address since I too am an ex-Cisco employee.
>
>Regards,
>Pete
>----
>Peter P. Benac, CCNA
>Emacolet Networking Services, Inc
>Providing Systems and Network Consulting, Training, Web Hosting Services
>Phone: 919-847-1740 or 866-701-2345
>Web: http://www.emacolet.com
>Need quick reliable Systems or Network Management advice visit
>http://www.nmsusers.org
>
>To have principles...
>              First have courage.. With principles comes integrity!!!
>
>
>
>I sincerely hope that Cisco is not becoming Microsoft.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72570&t=72463
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
