Hello From A Security Researcher

[cybergibbons]

Thanks for the detailed reply Matt. I understand your position as an installer.

If some bloke on the interweb tried to reverse engineer software we had spend hundreds of thousands to develop then I'd be upset. You maybe trying to reverse engineer it from a interest point of view, but equally you might want to reverse engineer it to use non Texecom kit on their panels which would upset them and rightly so.

If I had developed a protocol used for security purposes, and someone was evaluating the security for free, I would love to hear from them.

Reverse engineering for the purposes of interoperability is protected in UK and EU law specifically.

[matthew.brough]

Thanks for the detailed reply Matt. I understand your position as an installer.

If I had developed a protocol used for security purposes, and someone was evaluating the security for free, I would love to hear from them.

Reverse engineering for the purposes of interoperability is protected in UK and EU law specifically.

You would, my experience of manufactures is they do not.

 

I think there is the concern if they talk about their issues, and it gets discussed commercially it could be suicide for them so its often easier to ignore the problem than face it. I have faced this with Honeywell in particular. I have some very high end Cisco firewalls on my network and I chose Cisco because (rightly or wrongly) their kit is perceived as top of the range and I just hope if there are any issues with it, as it's a security issue that Cisco will fix it. Do they in the real world address problems, I have no idea.

 

Don't get me wrong, as an installer who never usually gets involved with hardware but has an understanding of what happens under the hood I have a personal interest in the work you are exploring. Not sure as an industry the hunger is there to be honest.

[norman]

You seem a little angry that certain manufactures in the security industry make rubbish products, as if you have been effected by this personally?

Not just me then...

[cybergibbons]

You would, my experience of manufactures is they do not.

 

I think there is the concern if they talk about their issues, and it gets discussed commercially it could be suicide for them so its often easier to ignore the problem than face it. I have faced this with Honeywell in particular. I have some very high end Cisco firewalls on my network and I chose Cisco because (rightly or wrongly) their kit is perceived as top of the range and I just hope if there are any issues with it, as it's a security issue that Cisco will fix it. Do they in the real world address problems, I have no idea.

 

Don't get me wrong, as an installer who never usually gets involved with hardware but has an understanding of what happens under the hood I have a personal interest in the work you are exploring. Not sure as an industry the hunger is there to be honest.

You have a very similar experience to me then. I expect IT security equipment to remain secure, I expect issues to be disclosed, and I expect the vendors to be responsive.

I'm not angry, just genuinely interested in why disclosure seems to be frowned upon. It's like IT security 20 years ago.

[matthew.brough]

Not just me then...

I didn't mention Mosaic

[MrHappy]

I have some very high end Cisco firewalls on my network and I chose Cisco because (rightly or wrongly) their kit is perceived as top of the range and I just hope if there are any issues with it, as it's a security issue that Cisco will fix it. Do they in the real world address problems, I have no idea.

Will you get anything form Cisco w/o a maintenance agreement ?

[norman]

Are security issues disclosed by IT manufacturers?

 

Cannot see any benefit/likelyhood of security manufacturers having a page on their www site with back doors and flaws, can you?

 

You have a very similar experience to me then. I expect IT security equipment to remain secure, I expect issues to be disclosed, and I expect the vendors to be responsive.

[matthew.brough]

Will you get anything form Cisco w/o a maintenance agreement ?

Nope. It's actually BT that maintain it. I'm sure they are trying their best to save me from internet hackers.

Are security issues disclosed by IT manufacturers?

 

Cannot see any benefit/likelyhood of security manufacturers having a page on their www site with back doors and flaws, can you?

Only if they had a desire to go bust!

[cybergibbons]

Are security issues disclosed by IT manufacturers?

Yes, I cannot think of one IT security equipment vendor that doesn't have a vulnerability reporting method, and that doesn't at least have a disclosure policy. Cisco, for example, will fix issues, make the fix available, and then disclose the issue. There are numerous mailing lists and sites dedicated to this kind of reporting. Vendors who don't listen are named and shamed.

Cannot see any benefit/likelyhood of security manufacturers having a page on their www site with back doors and flaws, can you?

Can you see the advantage of Cisco doing it?

[norman]

Reporting after the fix yes, never going to happen prior though.