malammik
Posted: Wed Apr 27, 2005 4:01 am Post subject: Ethics guidelines for vulnerability disclosure
Partisan, Joined: 27 Jan 2005, Posts: 397, Location: Philadelphia, PA

RogerLacroix
Posted: Wed Apr 27, 2005 10:36 am Post subject:
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada

Hi Mikhail,

I am guessing that this posting is in reference to my posting earlier today about a new MQ security hole?
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782

Since a Java app can do the same thing, I didn't think it was high on IBM's list of things to worry about (as you are well aware, being a Java developer).

Speaking of responsibility, when is Netflexity going to become a sponsor at www.mqseries.net? Or you don't walk the talk!

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!

malammik
Posted: Wed Apr 27, 2005 11:15 am Post subject:
Partisan, Joined: 27 Jan 2005, Posts: 397, Location: Philadelphia, PA

Roger, you are right, your posting prompted me to post the guidelines for ethical vulnerability disclosure; however, I think it should benefit many of us. I make no distinction between tangible and intangible assets when it comes to security. If we notice that our neighbor never locks his car at night, we don't run around the block and tell everyone that he or she does not lock that car. I thought it would be a good reminder to all of us. Also, as a certified member of www.isc2.org, I have to oblige to the following code of ethics.
http://www.netflexity.com/InformationSecurity5.shtml

In regards to walking the talk, I think Qflex Express is free and in my opinion is a sufficient contribution to the community on its own.
_________________
Mikhail Malamud
http://www.netflexity.com
http://groups.google.com/group/qflex

PeterPotkay
Posted: Wed Apr 27, 2005 12:15 pm Post subject:
Poobah, Joined: 15 May 2001, Posts: 7722

> malammik wrote:
> If we notice that our neighbor never locks his car at night, we dont run around the block and tell everyone that he or she does not lock that car.

I think Roger's post was more along the lines of:

Everyone already knows that dumba** doesn't lock his car doors. Roger just pointed out that with his new car (v6.0), he leaves the windows rolled down too!
_________________
Peter Potkay
Keep Calm and MQ On

jefflowrey
Posted: Wed Apr 27, 2005 12:44 pm Post subject:
Grand Poobah, Joined: 16 Oct 2002, Posts: 19981

Also, I think Roger's motivation was more along the lines of "Hey. I know y'all are all a bunch of parking lot attendants. It'll make your lives easier if you remember to check and see if the doors are locked when you park cars - because the drivers always forget!".
_________________
I am *not* the model of the modern major general.

malammik
Posted: Wed Apr 27, 2005 4:01 pm Post subject:
Partisan, Joined: 27 Jan 2005, Posts: 397, Location: Philadelphia, PA

I agree with all of you. But we all need to be careful not to put each other in danger next time a serious vulnerability is discovered. Here is what I mean, by example.

If you are a company operating in California (this is the only state where this is required, so far I hope) and you discover that the data containing sensitive information about your customers, clients, etc. had been compromised, you must notify affected parties about the compromise. It's a great thing and I am all for it. It also costs companies millions of dollars in lost revenues and embarrassment, etc. Here is the most important point. What do we consider a compromise? Or what do we consider a sufficient reason to believe that the data is breached? It will vary from company to company, but I will tell you that there are many organizations out there that will consider data to be compromised if it was running on an unpatched server with a severe vulnerability exposed for x amount of hours, even if they do not have direct evidence to prove that the intrusion indeed took place. Conclusion? We all need to be very careful and work with the vendor upon discovery of the vulnerability.

In this case I agree with you guys and Roger that this is not a true vulnerability but rather another exploit in a known weakness of the product. It's like saying SMTP can be intercepted and read by an outsider. Well, duh? SMTP does not encrypt data, therefore it's a known weakness.

But what about next time, when it is something a lot more serious?

Am I paranoid? I don't think so.
_________________
Mikhail Malamud
http://www.netflexity.com
http://groups.google.com/group/qflex

Michael Dag
Posted: Wed Apr 27, 2005 11:44 pm Post subject:
Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam)

> malammik wrote:
> In regards to walking the talk, I think Qflex Express is free and in my opinion is a sufficient contribution to the community on its own.

What do you mean by this in relation to security?
_________________
Michael
MQSystems Facebook page

malammik
Posted: Thu Apr 28, 2005 6:07 am Post subject:
Partisan, Joined: 27 Jan 2005, Posts: 397, Location: Philadelphia, PA

Michael Dag
Posted: Thu Apr 28, 2005 6:24 am Post subject:
Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam)

> malammik wrote:
> > RogerLacroix wrote:
> > Speaking of responsibility, when is Netflexity going to become a sponsor at www.mqseries.net ? Or you don't walk the talk!
> > Regards,
> > Roger Lacroix

Ah ... missed that.
_________________
Michael
MQSystems Facebook page