
RizWords – Daily Politics and Tech – EP53

RizWords – Daily Politics and Tech
Episode 53 – download link coming soon: check the feed for details: subscribe now

  • A member of the TechPodcast Network @ techpodcast.com. If it’s Tech, it’s here.
  • Remember, if you’re listening on the podcast recording, you can call into the show live if you tune in through TalkShoe.com at 2:30 PM EST every weekday.
  • If you like the podcast (and you haven’t already given us a rating), head over and do so, and don’t forget to sign up for the discussion list.
  • Other Podcast Plugs:
    • TalkGirls comes on Tuesday nights. Check out the TalkGirls Podcast … it’s good times!
    • Cotolo Chronicles: Frank is a good friend of the show, and an associate of the late great Wolfman Jack. Check out his podcast.
    • NewsReal: Good friend to Art and me – has one of the best hours of news podcast each week.
    • You Are the Guest: Bill Grady turns the microphone on the internet’s most interesting people.
  • Sponsors:


A bunch of new startup acquisition news. We talk a bit about the acquisitions specifically, and then a bit in general about the prevalence in the news lately of all the startups getting bought:

Look For Confirmation of eBay/StumbleUpon Today
I’m hearing that the eBay/StumbleUpon acquisition will be officially announced sometime today. Keep an eye out for the press release. We originally broke this rumor in April when a term sheet was reportedly signed. The Wall Street Journal picked up the story earlier this month.

I don’t know if the price will be disclosed, or if the rumors of $75 million are roughly correct.

An Old Media company actually gets it right with a new media acquisition:

CBS Acquires Europe’s Last.fm for $280 million
The quickly growing music social network Last.fm has been acquired by CBS for $280 million in an all-cash deal.

UK based Last.fm launched five years ago and has become a social networking favorite with 15 million active users. It has become a massive repository for music information (artist and song wikis, listening data from users, etc.). In the U.S., companies like Pandora, MOG and iLike all compete with some of Last.fm’s features, although none of those startups has built the basic social network/community of last.fm.

The deal sees Last.fm’s management team staying in place and the site maintaining a separate identity.

Last.fm has been an attractive takeover target for some time. CBS as a buyer though is surprising and is a sure sign that the media giant is getting serious about Web 2.0. CBS acquired video blog WallStrip for $5 million earlier this month, and has been on a bit of a buying spree lately after filling out the management team on the interactive side of the business last year.

Previous TechCrunch coverage here.

This certainly explains why Last.fm was a little slow to jump on the Facebook Applications bandwagon last week – they were understandably distracted.

An interesting perspective on the same story:

Don’t Look Now, But Old Media May Be Figuring This New Media Thing Out
It’s not much, but there are a few signs that some “old media” companies are starting to figure out what makes new media tick. This morning’s announcement that CBS is buying last.fm for $280 million isn’t all that interesting on its own — but it’s one of a pattern of recent deals by so-called “old media” companies that have them looking to build or buy into communities, rather than just content. The mistake that many media companies have made over the last few years is the belief that the content was king — and as long as they had the content, the community would form naturally. What people are noticing is that the community is important and it’s hard work to build one. Of course, recognizing that is only the first step. The real question is what these companies will do to cultivate these communities. In most cases (MySpace being the one exception so far), these types of purchases tend to wither and die once they become part of a larger company (and the entrepreneurial souls of the community move on).

And other startup news:

Google buys anti-malware browser virtualization startup (Ryan Naraine/Zero Day)
Google has quietly made its first anti-malware acquisition, snapping up GreenBorder Technologies, a venture-backed company that sells browser virtualization security software.

And in political news, both Art and I are surprised we didn’t hear about this earlier:

Cyber-Spies Tracking Terror on Web
Dana Rosenblatt writes on CNN.com:

There is an unconventional war being waged on the Internet. The battles here know no boundaries; and are fought from homes and offices from small Midwestern towns to Europe and the Middle East.

For the fighters in these battles, weapons usually consist of no more than collected intelligence and computer programming skills.

It’s no secret anymore that active terrorist cells are currently operating freely and openly on the Internet, using propaganda tactics to elicit prospective recruits.

The emergence of these terrorist groups has spawned their nemesis: groups of researchers, hackers, and maverick computer geeks who cyber-stalk terrorist networks online and take them down.

More here.

Resembling a modern-day Clark Kent, Weisburd is a boyish 40-something former computer programmer who decided to use his background and skills to track terrorists following the terrorist attacks of 9/11.

He’s proved himself a force to be reckoned with, fighting — and winning — a war waged against the “dark side” of the Internet.

Weisburd’s reputation has earned him the nickname “the vigilante” in cyber space, a legacy he’s eager to shrug off.

“If I was a vigilante running a Web site, I would hurt you,” says Weisburd.

“If I find that you’re running a Web site for al Qaeda, I’m not going to hurt you. I’ll report you to people that will ask you to come quietly, and if you don’t go quietly, they may hurt you,” he says.

Art jumps for joy:

Fred Thompson to Form Presidential Committee

“Law and Order” star Fred Thompson will make his flirtation with a White House bid official this week, forming a presidential committee and launching a fundraising effort.

His advisers say they do not expect to match the amount of money the others are raising, but profess to be unconcerned.

“He doesn’t need as much money as the others have raised,” said one supporter, noting that his Hollywood fame has already given him a boost in the polls. “He hasn’t raised nor has he spent a single dime so far. People should not expect that he will outraise anyone.”

We find a Democrat we like:

Lieberman in Iraq sees “progress”
What a coincidence. Two years after Cheney said the insurgency was in its last throes, Joe Lieberman made essentially the same prediction.

CNN reports that Lieberman is on an unannounced “surprise” visit to Baghdad. Paula Hancocks followed Lieberman around. She talked to Lieberman and reported, “He said he was happy with the progress. He was devastated by the fact that May was turning into the deadliest month since November 2004. But he said he did believe that this surge eventually would pay off and it would start to break the insurgency.”

And in people turning on the Democrats news:

Cindy Sheehan Quits as ‘Face’ of Anti-War Movement
Cindy Sheehan, the “peace mom” who made headlines in 2005 by staging a marathon protest outside President Bush’s Crawford, Texas, ranch, said Monday that she no longer wants to be seen as a leader of the anti-war movement.

Want to be part of the Rizzn-ite army? Indoctrination instructions here.



Hackers Declaring Cyberwar on Facebook and Myspace

I’ve been seeing this headline pop up all over the place the last few days: Hackers Declaring War On MySpace, Facebook? My question is: who are these hackers? Is there a central organisation of hackers that have decided to declare this war? Should Facebook and MySpace fight back? The best defense, after all, is a good offense.

(SC Magazine) “If the hackers know you have a particular interest, this can be used to target you in a phishing attack. They know what you’re into and can exploit this to obtain more information from you such as credit card details,” he said. “People are putting far too much information online and into the hands of identity thieves. Young people in particular, need to be very careful as it may come back to haunt them.”

Those of us with an above average IQ know the vulnerability MySpace, Facebook, and other social networking sites present to our identity. Still, all this hubbub begs the question: where are these hackers?

Furthermore, should I join up? I’ve been a hacker for years, and there’s apparently some money in harvesting this information. Do these hackers have an HR department I can apply to?

It’s simply ridiculous to use terms like CyberWar and hackers when it comes to stories like this, but still the media persists.

/rizzn



CyberWar Update: The Next Generation

Why is it that everyone who is an ‘expert’ on China thinks they have some mystical abilities on the computer? There was an interview with an author on the blog Human Events Online that caught my attention this morning. I’ve seen this type of author before, and I’m rapidly becoming familiar with the type: they are convinced that there’s an upcoming war with China, and that they have all these awesome abilities to take us out and we’re not gonna see it coming.

Read the excerpt:


In Showdown, you raise the possibility of the Chinese waging cyberwar against the U.S. and Japan. What exactly would that mean?

China—as we illustrate in the last fictional scenario in Showdown—is rapidly building the most advanced offensive computer war capability in the world. If they decided to use it, they could—unless we counter it with our own massive buildup of defensive and offensive cyberwar capability—conquer America without firing a shot. They could do everything from disabling satellite networks to taking down the stock market and banking networks. America could be reduced to a 1940s existence in a matter of minutes. I don’t believe they have the ability to do this yet, but they will very soon.

[via Human Events Online]

See, I used to sort of be in the camp that thought that China might be a threat. The problem is that every time I read something said by these authors, they always talk about “CyberWar” like it’s something that could actually happen. CyberWar is a somewhat tricky and deceptive term for online warfare. One imagines a keyboard of big red buttons that you can push to take out servers and transfer rich people’s money into other bank accounts. That simply is not the case, although it makes for rich, imaginative storylines that I’m sure everyone in Hollywood loves (ahem… Swordfish).

Smite buttons aside, CyberWar is a nuanced and very situational thing. Take for instance the real cyberwar taking place right now between spammers and anti-spammers. This week, the warm conflict between the two groups escalated to what could actually be called a war. It’s been an ebb and flow back and forth between the seedy underbelly of the net, where the spammers develop new techniques to defeat filtering, and the anti-spammers, who develop better filtering techniques in response.

Last week, as many of you probably read, anti-spam company Blue Security shut its doors in response to escalated targeted attacks by spammers at the company.

If you happened to have been away from the internet for the first week of May, you missed the story about how a spammer figured out Blue Security’s “opt-out” list by seeing who it cleared out of his own list, and then proceeded to bombard them with even more spam. Immediately after this, a fairly massive denial of service attack was directed at Blue Security’s servers, which ended up taking out many other sites, including major blog provider Six Apart (which hosted a Blue Security blog). The decision to shut the company down appears to have been based on threats that another such attack was pending — and Blue Security’s belief that it wasn’t fair to take out other sites again. As skeptical as we were over Blue Security’s original model, and the risks it entailed, this still seems like bad news. It certainly will embolden spam attackers to hit hard at anyone who takes them on. In the end, perhaps that was the worst legacy of Blue Security’s system: it simply escalated the war with spammers to new, unfortunate, levels.

[via TechDirt]

The fact is that the internet is driven by commerce. We old early adopters may not always like that, but it’s a fact of life. CyberWars like this tend to be driven by monetary interests. China has no vested economic interest in taking down our information infrastructure. Not only would it seriously inhibit their economic interaction with the United States, it’s also likely to be just as damaging to the rest of the world, as most of the world either does a large amount of business with us, or relies on American technology to survive. I’m a simple blogger in the boonies of East Texas and I see that; I can’t imagine that there are cyber-Hawks in the Chinese military who don’t.

/rizzn



I’m working on several original news stories that I will be posting here soon. I look forward to comments, questions, criticism and other assundrous comments from the peanut galleries on them.

If you do a search on the web for Factbook or Cyberwar (and perhaps couple it with rizzn in the keywords), you will come up with links all over the place to a series of articles I did in 2001 strongly tied with the Terrorism Factbook I compiled and the interview series I did for John Batchelor and Paul Alexander on WABC. To save you the time searching them, they are all archived here.

I intend to do an update three years later on these programs and how they are affected by the new Patriot Acts (one and the proposed second one). This means I’ll probably have to print out all one gazillion pages of the Patriot Act and actually read it top to bottom.

Furthermore, there’s a war a brewin’!

I pretty much alluded to this sort of thing happening in many of my OSINT posts not long ago. I also posted something here similarly on topic. Basically, the motivation to write this article is to toot my own prognosticating horn and to bank on it and make some more predictions in this arena. Stay tooned.

/rizzn



CyberWar Update #5

The latest Cyberwar Update

./mark.hopkins.aka.rizzn//

Rizzn’s Wartime Factbook: http://factbook.diaryland.com/

The Best UAV: http://www.unmannedaircraft.com

Rizzn’s Musical Stylings: http://rizzn.trance.nu

——————–

CyberWar Update #5

Update as of February 21, 2002

Report Assembled by Mark Hopkins

<markhopkins@mindless.com>

of Parallad Studios OSIS Project

Hello, my readers.  The focus of this mailer revolves around two news stories that have come out recently, but are reasons, as the first headline says, to “hug a hacker, before [he/she] goes underground.”

Most software hackers are quite familiar with the RFPolicy, written by Rain Forest Puppy.  The first article is a commentary on how the industry is moving away from the usage of this policy, and how this is a Bad Thing for the industry.

Especially in this day and age of quite a bit more malicious strains of hackers showing up as wards of different branches of the al-Qa’ida network, it is in society as a whole’s best interest to do as much as possible to embrace and encourage ethical hackers.

The second article is something of a far more sinister nature; it is the announcement by the US Government that cyberterrorists can now be bombed by the DOD.  Given the broad nature of the government’s definition of a cyberterrorist, compounded with the government’s newfound liberty in the ability to search, seize, and rifle through the belongings of ‘cyberterrorists’ without either the hacker’s or a judge’s permission, the government now announces, without a vote by the people, that it intends to physically harm hackers with military force.  I find this especially despicable and cringe for our collective future.

Can it be as bad as all that?  Read the article.  The statement was *intended* to sound sinister in nature, and it well achieves that purpose.

Also included in this issue is a complete text of the RFPolicy version 2 for your greater understanding.

If you have any questions, comments, article submissions, or criticisms, please send them to markhopkins@mindless.com.

Thanx to: l33td0g of hackinthebox.org, rain forest puppy of wiretap.net, Patrick Gray and Adam Pointon of IT.mycareer.com.au, and Nick Farrell of vnunet.com.

:::Hug a hacker, before they go underground:::

Wed, Feb 20 @ 09:12 AM :

http://www.it.mycareer.com.au/opinion/platform/2002/02/19/FFXZG1F5TXC.html

In June 2000 a hacker named RFP (Rain Forest Puppy) wrote the RFPolicy for vulnerability disclosure, which sought to create a set of rules by which individual hackers and researchers deal with security vulnerabilities. For the most part this has been the de facto policy that hackers have adhered to and vendors have accepted. It created a framework that allowed a working relationship to form between hackers, security professionals and vendors.

Quoting from RFP: RFPolicy is an initiative to help establish concrete guidelines for disclosure of security problems. This was prompted due to many recent responses from vendors such as “we were never given a chance” or “there is an ‘unwritten’ standard of notifying the vendor X days ahead of time”. RFPolicy works like this: A hacker or “researcher” finds a vulnerability in software made by a vendor. The hacker contacts the vendor and alerts them to the vulnerability. The company then has time to investigate the problem. A patch can then be written and an “advisory” can be released. The advisory usually gives full credit to the hacker for finding the vulnerability. The hacker is free to disclose to the hacking community the exploit code for the vulnerability exactly one week after notifying the vendor.

Unfortunately, several large software vendors have chosen to move away from this model. Now when a hacker finds a hole in a software product, vendors demand that they be alerted to the problem immediately and that the hacker not discuss the details of the vulnerability publicly. The vulnerability details are never released and vendors threaten to sue anyone who dares to publish the exploit.

As a result, most vulnerability research and exploit codes have gone underground and vendors are often not notified of security holes in their software.

An exploit is coded and passed on to the underground hacking and cracking community only. This means that many computers are being hacked through undisclosed security holes.  Because the vulnerability is undisclosed, there is no patch or defence of any kind available, so the fight is lost before it begins.

But this is not where the problems associated with non-disclosure models end.

Full disclosure ensures that any patch released by a vendor has to work properly. When an exploit code is made public, the vendor comes under the scrutiny of the entire security community.

However, because teams of litigators under instruction from proprietary vendors are monitoring public security forums, many are now too scared to publicly post vulnerability information. Many are too eager to forget that the average hacker is no more than a software boffin with an enthusiasm for picking apart code. They strive to improve security on the Internet and scrutinise poor software engineering.

Perhaps large organisations believe their security images will benefit if talk of vulnerabilities in their products is pushed underground. Perhaps they are merely frustrated at being humiliated as security hole after security hole is found and made public.

Many argue that by keeping security issues transparent, vendors can benefit from the vast computing expertise of the new-millennium hacker.

:::Hackers face US bombing:::

[18-02-2002] : http://www.vnunet.com/News/1129301

The US government has warned that it could take military action against any terrorists who launch attacks through the internet. In a move that could send cruise missiles heading toward hackers’ houses, a White House technology adviser says the US “reserves the right to respond in any way appropriate” to tackle the growing number of internet warriors.

Advisor Richard Clarke says Iran, Iraq, North Korea, China, Russia and other countries are already having people trained in internet warfare.

Speaking at a Senate Judiciary subcommittee hearing on cyber-terrorism, Clarke said the US could use covert action but military action was one of the tools available to the president.

Mr Clarke refused to say what level of cyber-attack might lead to a military strike. “That’s the kind of ambiguity that we like to keep intentionally to create some deterrence,” he said.

This is despite the fact that the US has not found a foreign government or terrorist group using internet warfare.

Clarke added: “It does not mean that it has not happened or will not happen. If I was a betting man, I’d bet that many of our key infrastructure systems already have been penetrated.”

“There are lots of cases where there has been unauthorised intrusions but we have never been able to prove to our particular satisfaction that a particular government did it,” Mr Clarke said.

:::Full Text of the RFPolicy:::

////// Full Disclosure Policy (RFPolicy) v2.0 //////

This policy is available at http://www.wiretrip.net/rfp/policy.html

\ Executive overview for vendors and software maintainers

This policy states the ‘guidelines’ that an individual intends to follow. You basically have 5 days (read below for the definitions and semantics of what is considered a ‘day’) to return contact to the individual, and must keep in contact with them *at least* every 5 days. Failure to do so will discourage them from working with you and encourage them to publicly disclose the security problem.

This policy is not set in stone–in fact, it is encouraged that all parties regularly communicate with each other during the process, adjusting as situations arise.

\ Table of contents

Purpose of this policy

Policy definitions

Policy

Detailed/commented explanation of policy

Difference between version 1 and version 2 of RFPolicy

RFPolicy FAQ

Using this policy

Credits

\ Purpose of this policy

This policy exists to establish a guideline for interaction between a researcher and software maintainer. It serves to quash assumptions and clearly define intentions, so that both parties may immediately and effectively gauge the problem, produce a solution, and disclose the vulnerability.

First and foremost, a wake-up call to the software maintainer: the researcher has chosen to NOT immediately disclose the problem, but rather make an effort to work with you. This is a choice they did not have to make, and a choice that hopefully you will respect and accept accordingly.

The goal of following this policy, above all else, is education:

Education of the vendor to the problem (ISSUE, as defined below).

Education of the researcher on how the vendor intends to fix the problem, and what caveats might cause a solution to be delayed.

Education of the community of the problem, and hopefully a resolution. With education, through continued communication between the researcher and software maintainer, it allows both parties to see where the other one is coming from. Coupled with compensation*, the experience is then beneficial to the researcher, vendor, and community. Win/win/win for everybody. :)

(*Compensation is meant to include credit for discovery of the ISSUE, and perhaps in some cases, encouragement from the vendor to continue research, which might include product updates, premier technical subscriptions, etc. Monetary compensation, or any situation that could be misconstrued as extortion, is highly discouraged.)

\ Policy definitions

The ISSUE is the vulnerability, problem, or otherwise reason for contact and communication.

The ORIGINATOR is the individual or group submitting the ISSUE.

The MAINTAINER is the individual, group, or vendor that maintains the software, hardware, or resources that are related to the ISSUE.

The DATE OF CONTACT is the point in time when the ORIGINATOR contacts the MAINTAINER.

All dates, times, and time zones are relative to the ORIGINATOR.

A work day is generally defined in respect to the ORIGINATOR.

\ Policy

A. The ORIGINATOR will send email regarding the ISSUE to the MAINTAINER; the point in time when email is sent from the ORIGINATOR is considered the DATE OF CONTACT.

It is important that the ORIGINATOR review any documentation included with the object of the ISSUE for indication of a proper method of contact. That failing, the ORIGINATOR should check the web site of the MAINTAINER for methods of contact. Should the ORIGINATOR not be able to locate a suitable email address for the MAINTAINER, the ORIGINATOR should address the ISSUE to:

security-alert@[MAINTAINER]

secure@[MAINTAINER]

security@[MAINTAINER]

support@[MAINTAINER]

info@[MAINTAINER]

regardless of their existence. Anyone who could be deemed as a ‘MAINTAINER’ is encouraged to populate at least some of the above email addresses. Email auto-responses should not be considered as a message from the MAINTAINER.

Note: addressing the ISSUE to InterNIC handles may cause the email to be misdirected (for example, to a virtual hosting company who happens to host the MAINTAINER’s web site). Addressing the ISSUE to the above listed email addresses may cause the email to be received by non-authoritative persons (for example, to an online service provider who happens to have an user named ‘security-alert’).

B. The MAINTAINER is to be given 5 working days (in respects to the ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the end of 5 working days, the ORIGINATOR should disclose the ISSUE. Should the MAINTAINER contact the ORIGINATOR within the 5 working days, it is at the discretion of the ORIGINATOR to delay disclosure past 5 working days. The decision to delay should be passed upon active communication between the ORIGINATOR and MAINTAINER.

C. Requests from the MAINTAINER for help in reproducing problems or for additional information should be honored by the ORIGINATOR. The ORIGINATOR is encouraged to delay disclosure of the ISSUE if the MAINTAINER provides feasible reasons for requiring so.

D. If the MAINTAINER goes beyond 5 working days without any communication to the ORIGINATOR, the ORIGINATOR may choose to disclose the ISSUE. The MAINTAINER is responsible for providing regular status updates (regarding the resolution of the ISSUE) at least once every 5 working days.

E. In respect for the ORIGINATOR following this policy, the MAINTAINER is encouraged to provide proper credit to the ORIGINATOR for doing so. Failure to document credit to the ORIGINATOR may leave the ORIGINATOR unwilling to follow this policy with the same MAINTAINER on future issues, at the ORIGINATOR’s discretion. Suggested (minimal) credit would be:

“Credit to [ORIGINATOR] for disclosing the problem to [MAINTAINER].”

F. The MAINTAINER is encouraged to coordinate a joint public release/disclosure with the ORIGINATOR, so that advisories of problem and resolution can be made available together.

G. If the ISSUE is publicly disclosed, by a third-party, the ORIGINATOR is encouraged to discuss the current status of the ISSUE with the MAINTAINER; based on that discussion, the ORIGINATOR may choose to disclose the ISSUE. The MAINTAINER is encouraged to credit the ORIGINATOR for discovering the ISSUE. Should the MAINTAINER disclose the ISSUE, or items supporting/relating to the ISSUE (patches, fixes, etc), the ORIGINATOR may choose to disclose the ISSUE.

\ Detailed/commented explanation of policy

This section serves to elaborate on the items in the policy, for better understanding.

A. Pretty self explanatory–the ORIGINATOR is to email the MAINTAINER about the problem. The ORIGINATOR should do their homework and try to find the correct address to email (by checking the MAINTAINER’s web site, by looking in documentation distributed with the software/product, etc). Emailing InterNIC handles or addresses such as ‘postmaster’ or ‘webmaster’ is not good, since they are most likely IT support staff and not the proper representatives to handle such a situation.

B. The MAINTAINER has 5 work days to respond. Note that all times of work days are relative to the ORIGINATOR, not the MAINTAINER. Suggestion to the MAINTAINER: sooner is better than later–just because you have 5 days does not mean you need to take them all. The ORIGINATOR is technically free to do whatever they want to do after 5 work days–however, they should be fair and wait if the MAINTAINER shows adequate initiative to fix the ISSUE.

C. Just as the MAINTAINER shouldn’t ignore the ORIGINATOR, neither should the ORIGINATOR ignore the MAINTAINER. The ORIGINATOR should help the MAINTAINER recreate the problem, if necessary. It’s probably in the best interest of the ORIGINATOR to help the MAINTAINER confirm the problem–otherwise, the ORIGINATOR stands to disclose a potentially false ISSUE.

D. The MAINTAINER has to actively give status reports. Note that it’s the MAINTAINER’s responsibility to do so, and not the ORIGINATOR’s responsibility to request them.

E. If the ORIGINATOR does indeed take the time to follow this policy, they should be acknowledged not only for doing so, but in general, acknowledged for finding the problem. There are proper ways to cite references, credit sources, and otherwise respect the origination of information–I suggest vendors do the same. If you can not respect the ORIGINATOR enough for taking the time to notify you of the ISSUE, the ORIGINATOR (and possibly others) may feel reluctant to follow this policy with the same MAINTAINER in the future.

F. Making the problem and solution advisories available together allows the community to have immediate access to both the problem description and the appropriate fix.

G. If the MAINTAINER feels it’s appropriate to alert the public of the issue, then there’s no reason why the ORIGINATOR should not. Traditionally, alerting the community of a problem (but not providing full exploit details) has proven to be futile; other researchers are then just as likely to discover the problem as well–and they may not abide by the guidelines set by this policy. Therefore, if the issue is to be disclosed, all aspects of it should be disclosed. If a third-party discovers and publishes the vulnerability, the MAINTAINER and ORIGINATOR should evaluate the status of a fix, and act accordingly. No matter what, the MAINTAINER should always credit the ORIGINATOR.
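An added example, not part of RFPolicy or of this mailer: a small Python helper that applies sections A, B and D of the policy above (the fallback mailboxes, the 5-working-day window for first contact, and the 5-working-day status interval) to a concrete disclosure timeline. It assumes a working day is Monday to Friday in the ORIGINATOR's calendar minus a caller-supplied holiday set, and that counting starts the day after the DATE OF CONTACT; the policy leaves both of those unspecified.

```python
# Added example (not RFPolicy's own text or code): apply the RFPolicy v2.0
# deadlines from sections A, B and D to a disclosure timeline.
# Assumptions not stated in the policy: a working day is Monday-Friday in the
# ORIGINATOR's calendar minus an explicit holiday set, and the day count
# starts on the day after the DATE OF CONTACT.
from datetime import date, timedelta

CONTACT_WINDOW = 5    # section B: working days for the MAINTAINER's first reply
STATUS_INTERVAL = 5   # section D: a status update is due at least this often

# Section A: fallback mailboxes, in the order the policy lists them
FALLBACK_MAILBOXES = ("security-alert", "secure", "security", "support", "info")


def fallback_addresses(maintainer_domain):
    """Section A: addresses to try when no documented security contact exists."""
    return [f"{box}@{maintainer_domain}" for box in FALLBACK_MAILBOXES]


def add_working_days(start, n, holidays=frozenset()):
    """Date that is n working days after start (weekends and holidays skipped)."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            counted += 1
    return current


def evaluate(date_of_contact, maintainer_replies, today, holidays=frozenset()):
    """Apply sections B and D on a given day.

    maintainer_replies: dates of genuine MAINTAINER messages (auto-responses
    do not count, per section A). Returns (state, deadline), where deadline is
    the last working day on which the MAINTAINER's next message is due and
    state is one of:
      'waiting'       no reply yet and the initial window is still open (B)
      'in_contact'    MAINTAINER replied and the latest update is not overdue (D)
      'may_disclose'  no reply inside the window (B) or status updates lapsed (D);
                      disclosure remains at the ORIGINATOR's discretion
    """
    if not maintainer_replies:
        deadline = add_working_days(date_of_contact, CONTACT_WINDOW, holidays)
        return ("waiting" if today <= deadline else "may_disclose"), deadline
    # Section D: the clock restarts from the MAINTAINER's most recent message.
    last_reply = max(maintainer_replies)
    deadline = add_working_days(last_reply, STATUS_INTERVAL, holidays)
    return ("in_contact" if today <= deadline else "may_disclose"), deadline


if __name__ == "__main__":
    # Constructed scenario: contact sent on Monday 2002-02-18, the week of this mailer.
    contact = date(2002, 2, 18)
    print(fallback_addresses("example.com"))
    print(evaluate(contact, [], date(2002, 2, 22)))                   # ('waiting', 2002-02-25)
    print(evaluate(contact, [], date(2002, 2, 26)))                   # ('may_disclose', 2002-02-25)
    print(evaluate(contact, [date(2002, 2, 20)], date(2002, 2, 26)))  # ('in_contact', 2002-02-27)
```

A holiday in the ORIGINATOR's calendar pushes every deadline out by one working day, which matches the FAQ's reasoning for choosing a 5-day window rather than 2.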

\ Difference between version 1 and version 2 of RFPolicy

Version 1 required a 2 day initial contact period, and then a 5 day wait before disclosure. Due to all the possible ways ’2 days’ could be mishandled, it was removed in favor of a solid 5 day period.

The email section in version 2 was reworked to discourage emails to InterNIC handles, and encourage trying to locate the correct email address (RTFM :)

Version 2 better defines what should happen at the end of the initial 5 day waiting period.

Version 2 adds the provision for sustained contact from the MAINTAINER.

Version 2 defines possible actions should the ISSUE become public before disclosure by the originator.

“This is not a legal contract” mumbo-jumbo removed from version 2.

\ RFPolicy FAQ

Q. This policy uses dates and times for gauging responses. How do time zones/holidays/weekends/cultural differences factor in?

A. First off, as noted above, all dates and times are relative to the ORIGINATOR. Now, it is quite possible that a difference in date/time perspective occurs, due to: the ORIGINATOR being on a different continent than the MAINTAINER, the MAINTAINER having a different work week than the ORIGINATOR, the MAINTAINER being sick, the MAINTAINER taking an extended weekend, the MAINTAINER having a holiday, etc. Therefore the initial contact period was extended to 5 days–we feel that 5 days should be adequate to surmount any date/time differences.

Q. I’m a software maintainer, and I can’t possibly fix the problem in 5 days….

A. You don’t have to. If you (re)read the above, you have 5 days to establish communication. Provided you cooperate with the researcher and keep them ‘in the loop’, they should provide you with whatever time necessary to resolve the ISSUE (within fair reason).

Q. I’m a software maintainer, and I want more than 5 days!

A. Well, considering that, in general, you don’t have *anything* technically, this document hopes to provide you with at least 5. Be on your best behavior, cooperate with the ORIGINATOR, and you should get more. :)

Q. You mention compensation–do ORIGINATORs expect to be paid?

A. NO! (Well, they shouldn’t…I can’t definitely predict the expectations of people) Compensation, as mentioned in this policy, is meant first-and-foremost to be PROPER CREDIT. Academia has historically and religiously provided credit when referencing all types of works and research; the ISSUE provided by the ORIGINATOR should also be thought of as research, and the ORIGINATOR should be credited accordingly. Now, beyond that, it may be in the vendor’s best interest to promote good relations with the researcher, and one suggested way is to provide updates and product licenses. A lot of research is done on evaluation and trial versions of software–providing a single, full license/copy should produce little impact on the vendor, but greatly help the researcher. Another suggestion is to allow access to support sites/technical content, such as TechNet (if you happen to be Microsoft :)

Using this policy

This policy is free for anyone to modify, republish, sell, or otherwise use. The goal is to establish communication and interaction amongst the security community (users, researchers, and vendors)–not hamper it with copyrights and trademarks.

People are encouraged to use this policy or derivatives. You can make use of this policy by supplying the URL (found at the top of this document) in the initial vendor contact email, and giving indication that you intend to follow the guidelines stated.

If you intend to be an ORIGINATOR, we suggest you prefix your advisory sent to the MAINTAINER with something similar to:

“This advisory is being provided to you under the policy documented at http://www.wiretrip.net/rfp/policy.html. You are encouraged to read this policy; however, in the interim, you have approximately 5 days to respond to this initial email. This policy encourages open communication, and I look forward to working with you on resolving the problem detailed below.”

In addition, should the ORIGINATOR and MAINTAINER arrive at a unified resolution and disclosure, it may be of interest to contact the CVE officials (http://cve.mitre.org) to assign a CVE identifier to the vulnerability. Doing so allows the vulnerability to be referenced and cataloged, facilitating its acceptance and use in the community.

Credits

Since this is an important part of what this policy attempts to achieve, I should follow the same advice. :)

Version 2 was drafted after extensive input of the community (some 400+ individual suggestions were received). Apologies for not listing all 400+.

Thanks to the following people for initial concepts and input (version 1):

Aleph1 [aleph1-at-securityfocus.com]

Steve Manzuik [steve-at-securesolutions.org]

Weld Pond [weld-at-atstake.com]

Russ Cooper [russ.cooper-at-rc.on.ca]

Special thanks to Russ Cooper for the large amounts of feedback that helped shape version 1 of this policy.

- rain forest puppy [rfp-at-wiretrip.net]

Information wants to be free! Get your friends to subscribe to the Rizzn’s Wartime Factbook update. An awareness in intelligence will result in our collective greater safety. Send them to http://factbook.notifylist.com

To view the facts surrounding the civilised world’s war versus terrorism, go to http://factbook.diaryland.com. Updated daily!

Information in this briefing is completely accurate to the knowledge of the O.S.I.S. as of: 12:42 PM 2/21/2002. Stay tuned for updates.

This briefing is a service of Rizzn Do’Urden, Rizzn’s Wartime Factbook, and Parallad Studio’s Open Source Intelligence Service.


