j0rDy wrote: ok, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even?
I think everyone's patience with ISI is still a bit thin after the relatively recent Corelan debacle.
SephStorm wrote: we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day", which is misleading and could lead people to believe the bug was actually in Backtrack.
That still seems obviously intentional. You don't accidentally make the same mistake on Twitter, Full Disclosure, here, the Backtrack Forums, etc.
It seems like ISI has a disconnect between the business side and the technical experts. I've worked at organizations like that before, and it's extremely frustrating. I imagine the news of someone discovering a vulnerability while working with Backtrack making it to someone in marketing or upper management, and once that happens, it's out of control and becomes an internet-wide embarrassment. I think it's important to distinguish the business itself from the individual professionals that work there and not disparage them personally. This situation was likely out of their hands (and most probably didn't find out about it until it was tweeted, etc.).
At the same time, a good instructor or (hopefully original) courseware doesn't excuse these types of mistakes. This whole situation was handled horribly. "Backtrack" attention-grabbing aside, they tweeted that they emailed muts a week before they released the news. First, you only give vendors a week to address vulnerabilities? Second, since they apparently knew this was nothing specific to Backtrack, why are they emailing muts at all? Did they ever provide any notification to the wicd developers?
I think the worst part of all this is that the student elected to remain anonymous because they rushed this story to the figurative newsstand. That guy or gal got completely screwed. Who wouldn't want a feather in their cap for finding an exploit and writing a POC, even if it is rather trivial? Why not work with the developer, wait for an official patch to be released, and then post the write-up? It's even more ridiculous because the wicd guys could crank this patch out quickly; it's not like they'd be looking at an 18-month ETA from Oracle. Was this really such earth-shattering news that it couldn't wait a couple weeks?
Also, while this particular vulnerability was a non-issue, is this the type of disclosure we can expect from ISI? What if it was actually something serious? It seems a bit ironic to showcase this on their Ethical Hacking Training page.
The day you stop learning is the day you start becoming obsolete.