Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ASCEND) Bottom line on Ascend Security debacle
Ditto:
And well said.
Sonny Abalos
Calaveras Internet
At Thu, 19 Mar 1998 08:27:11 -0600
skozicki@bluestar.net wrote:
>Speaking for the entire user community as a whole, Ascend needs to do
>the following (before a shareholder lawsuit starts brewing):
>
>o appoint or hire a 'security contact' for the company to handle any
>issue related to security of their products
>o advertise the email address and the phone number of this contact
>o establish well known channels to this contact (CERT listing, buqtraq
>database listing, hell... monitor alt.2600 while you're at it)
>
>o provide patch for port 9 exploit within the week
>o provide patch/upgrade of software that disables SNMP write access by
>default (I believe this is the case already in v6, but not in v5)
>o provide patch/upgrade of software that encrypts passwords in TFTP
>configs or eliminates them altogether (I personally like being able to
>have the passwords there, but at least encrypt them).
>
>The issue of whether SNI handled the situation wrong or not is moot. The
>point is WHAT IS ASCEND GOING TO DO ABOUT IT?!
>
>At any given moment, you can bet that there are at least a dozen
>crackers trying everything to circumvent any piece of hardware/software
>out there. The fact that rootshell got this info first makes no
>difference. It is a clearinghouse for this kind of info, and usually is
>the FIRST place to publically exchange this info. I'm glad to have it
>around. It's saved my butt a million times and taught me a lot about
>networking in the process.
>
>But again, wasting time and resources 'deflecting' or doing spin control
>is wasted. FIX THE BUG. When you've fixed the bug and implemented the
>pieces listed above, then go on CNN and News.com and tell the world how
>great you responded to the security problem, how you've stepped up your
>support for security issues, and every one of your users loves you.
>
>Cheers,
>Scott Kozicki
>BlueStar Communications
>--
>"If you don't get this message, please let me know
> and I will send you another one."
>++ Ascend Users Mailing List ++
>To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
>To get FAQ'd: <http://www.nealis.net/ascend/faq>
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
References: