Ascend Archive

Re: (ASCEND) Bottom line on Ascend Security debacle



Ditto:  
And well said.

Sonny Abalos
  Calaveras Internet
  

At Thu, 19 Mar 1998 08:27:11 -0600
skozicki@bluestar.net wrote:

>Speaking for the entire user community as a whole, Ascend needs to do
>the following (before a shareholder lawsuit starts brewing):
>
>o appoint or hire a 'security contact' for the company to handle any
>issue related to security of their products
>o advertise the email address and the phone number of this contact
>o establish well known channels to this contact (CERT listing, bugtraq
>database listing, hell... monitor alt.2600 while you're at it)
>
>o provide patch for port 9 exploit within the week
>o provide patch/upgrade of software that disables SNMP write access by
>default (I believe this is the case already in v6, but not in v5)
>o provide patch/upgrade of software that encrypts passwords in TFTP
>configs or eliminates them altogether (I personally like being able to
>have the passwords there, but at least encrypt them).
>
>The issue of whether SNI handled the situation wrong or not is moot. The
>point is WHAT IS ASCEND GOING TO DO ABOUT IT?! 
>
>At any given moment, you can bet that there are at least a dozen
>crackers trying everything to circumvent any piece of hardware/software
>out there. The fact that rootshell got this info first makes no
>difference. It is a clearinghouse for this kind of info, and usually is
>the FIRST place to publicly exchange this info. I'm glad to have it
>around. It's saved my butt a million times and taught me a lot about
>networking in the process.
>
>But again, wasting time and resources 'deflecting' or doing spin control
>is wasted. FIX THE BUG. When you've fixed the bug and implemented the
>pieces listed above, then go on CNN and News.com and tell the world how
>great you responded to the security problem, how you've stepped up your
>support for security issues, and every one of your users loves you.
>
>Cheers,
>Scott Kozicki
>BlueStar Communications
>-- 
>"If you don't get this message, please let me know
>   and I will send you another one."
>++ Ascend Users Mailing List ++
>To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
>To get FAQ'd:	<http://www.nealis.net/ascend/faq>
