Slashdot Mirror


Secret Repairs Preceded TCP Flaw Release

efranco cuts and pastes: "Only the math had changed. But the emergence of a workable exploit for an old TCP security hole prompted a secret initiative to fix the Internet, giving network operators a week to secure vulnerable routers. The clandestine repair effort livened an already intense period for security pros already juggling a bevy of Windows security patches." We ran a story on this a few days ago.

3 of 204 comments

  1. Re:Looks like this is the way it's gonna be... by burtman007 · Score: 4, Interesting

    This poses an interesting dilemma then: Is it better to release information on a discovered vulnerability if you know about it, or should you not release it and hope you can patch it before anyone else discovers it?

  2. Re:Cisco Fix by robslimo · Score: 5, Interesting

    When the previous /. story was posted about the TCP flaw, I checked out the NANOG mailing list.

    There was plenty of discussion about it, including various vendor issues (Cisco and Juniper) & fixes, as well as some ISPs dragging their feet on implementing MD5 over peer links. I could tell from some of the things mentioned there that they (the network ops) had advance knowledge of the vulnerability.

    Most interesting was this about looking glasses being too free with info that would allow a TCP reset in one try.

  3. Re:Looks like this is the way it's gonna be... by Slime-dogg · Score: 4, Interesting

    I am for that. If the information is not released after a reasonable amount of time, the company may never take responsibility for it being there. We've witnessed this several times from a certain big company. Also, the moment that the vulnerability goes public, there should be a side note that says "The company was repeatedly informed of this vulnerability over a span of X months, but chose not to improve the quality of their product."

    If massive numbers of users are infected by a virus created as a result of this announcement, then the company should be held completely responsible. They would have had months to address the issue, but chose not to.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.