Comments to previous article
I usually don't publish comments in the main section of my blog. You can click through to them either at the end of the article or from the right side column. However, in the interest of being fair and giving Ross Brown of eEye equal opportunity to respond to my article, I am going to paste his comment(s) to my blog in their entirety here in the main section. I will also put my responses to his comments. I am doing my best to make this an equal forum, and please appreciate that this is a disagreement of philosophy; I do not mean to impugn or attack anyone personally here.



Alan,
Just addressing your four points of inconsistencies above:
1. See http://tinyurl.com/lvqv6 for 118 articles in the press recently where we specifically advised that Microsoft was doing good things and that the more dangerous targets were non-Microsoft applications from vendors with a much more lax response to security issues. That's 118 articles to one t-shirt at an event that is known for its humorous t-shirts.
Alan's Response 1. You may be saying this to the press as the CEO, but your employees, and indirectly then your company, are not totally conveying this message for sure, and I have seen this first hand.
2. I know you aren't technical, being on the strategy side, but the terminology is what is catching you up here. It's non-malicious in the sense that it doesn't allow remote shell code to run, but can be used for denial of service attacks. Non-malicious does not equal harmless, it just means it isn't going to allow a hacker to steal information or gain access, but they can knock it over.
Alan's Response 2. On the non-malicious nature of the flaw, I defer to your technical folks definition.
3. This gets to the nature of authority and disclosure, which is the real issue in this whole debacle. Microsoft is a clear authority on their products; independent researchers make claims all the time on SANS that aren't seen as valid until reproduced by others. Microsoft telling people specifics about where the flaw lies and how to trigger it is much more dangerous than a SANS mail list posting, as many, many more people get Microsoft advisories than are SANS subscribers. Microsoft, with all their authority, leaked information on how the flaw can be exploited in their own advisory, days in advance of the eEye advisory. The news story in this whole thing is that Microsoft themselves disclosed to the public the nature of the flaw in their advisory, then spun up the press machine to blame eEye for irresponsible disclosure. Kindly point me to where in our alert advisory we disclosed information that would allow a hacker to exploit the flaw in the patch; until then, focus on the real source of the disclosure - Microsoft themselves.
Alan's Response 3. I understand your point on the advisory versus the exact "location" of the vulnerability. My point was not that, though; it was that you already said that the exploit community knew about this. If they did, are you saying they didn't figure out where it was? I doubt it; unfortunately there are some pretty smart folks there. This goes to the heart of responsible disclosure: if the bad guys already know about these flaws (as they often do), where was the additional harm here? I think the issue is a red herring you threw out to cast more blame on MS in this matter.
4. Alan, this one crosses a line. We might disagree on responsible disclosure, we might have a differing opinion, but I certainly didn't expect to be called a liar by you. We did communicate this information directly with our customers through our alert email process, an email list with over 300,000 subscribers. Of course there is a marketing aspect to this for us, just as there is when you guys issue a nonsense press release confirming you stop an exploit in your Strataguard appliance - it would be news if you didn't, but that doesn't stop you from using an event to drive customer awareness. You must see, however, that an action can have multiple motives - it is entirely possible to provide information to customers on how they can mitigate the vulnerability and gain a marketing benefit from the exposure. Calling someone a liar is a serious ethical charge and not something that should be done casually and, frankly, I may have been off in expecting more from a C-level executive in your position.
Alan's Response 4. OK, I apologize here publicly. Saying you lied was a poor choice of words on my part. I think a better way of describing this would be obscuring your real motives, which are purely self-motivated, by wrapping them in the flag of good deeds. You know as well as I that you can contact your customers without going to the press. You go to the press for marketing and self-promotional purposes. Hey, Ross, there is nothing wrong with that, but say that. Don't say this was to protect your customers. This is fundamentally where I have a problem with it. You and your company have chosen to build your business by finding and announcing vulnerabilities in other products. You may do so in a mostly responsible manner, but just as you say don't trust a vendor who puts marketing above security, I say don't trust a security vendor who puts marketing above security either! (emphasis added by Alan)
The thing that you seem to be missing in this entire thread and the XSS thread is that the term "responsible disclosure" depends as much on the word disclosure - the release of technical details that could put customers or vendors in a position of exposure - as it does on responsible. We didn't disclose any technical details; talking about the existence of a flaw isn't disclosure in the context of Full Disclosure or Responsible Disclosure. When you continued promoting information on the XSS attack against eEye.com, you were participating in disclosure (promoting the technical details to a broader audience) without following any of the existing practices of being responsible about it.
Hopefully we can move beyond this to a more professional and courteous level of discourse; posting quotes from private emails (especially ones with a notation of confidentiality at the bottom) and calling competitors liars isn't exactly the kind of dialog I think we should be engaging in, do you?
Thanks
RB
Additionally, Ross posted a correction to his point #2:
A correction to #2. My research guys (Steve and Barnaby) are telling me that it is malicious, in that it can be remotely exploited. Not that we are going to disclose how, of course, but to be accurate: we initially were only able to DoS it (the crashing part), but actually the flaw is remotely exploitable.
Thanks,
RB
Alan's Response - I do hope we can move above this. I am a person who can argue the facts of a situation and doesn't take it personally. I don't have anything against you personally on this either. I just think you are trying to do your job in putting your company in the best possible light, and I don't think you gave the whole picture here.
Ross - Be upfront and honest about your motives and realize that by taking the positions you do, you are setting eEye up as a target. When something like this does happen, realize it goes with the territory you have chosen and don't try to spin out of it. I would not fault you in the least then!