Ascend Archive

(ASCEND) Bottom line on Ascend Security debacle
Speaking for the entire user community as a whole, Ascend needs to do
the following (before a shareholder lawsuit starts brewing):

o appoint or hire a 'security contact' for the company to handle any
issue related to security of their products
o advertise the email address and the phone number of this contact
o establish well known channels to this contact (CERT listing, Bugtraq
database listing, hell... monitor alt.2600 while you're at it)

o provide patch for port 9 exploit within the week
o provide patch/upgrade of software that disables SNMP write access by
default (I believe this is the case already in v6, but not in v5)
o provide patch/upgrade of software that encrypts passwords in TFTP
configs or eliminates them altogether (I personally like being able to
have the passwords there, but at least encrypt them).

The issue of whether SNI handled the situation wrong or not is moot. The
point is WHAT IS ASCEND GOING TO DO ABOUT IT?!

At any given moment, you can bet that there are at least a dozen
crackers trying everything to circumvent any piece of hardware/software
out there. The fact that rootshell got this info first makes no
difference. It is a clearinghouse for this kind of info, and usually is
the FIRST place to publicly exchange this info. I'm glad to have it
around. It's saved my butt a million times and taught me a lot about
networking in the process.

But again, time and resources spent 'deflecting' or doing spin control
are wasted. FIX THE BUG. When you've fixed the bug and implemented the
pieces listed above, then go on CNN and News.com and tell the world how
great you responded to the security problem, how you've stepped up your
support for security issues, and every one of your users loves you.

Cheers,
Scott Kozicki
BlueStar Communications
-- 
"If you don't get this message, please let me know
   and I will send you another one."
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>