Irresponsible Blogging

Over at the SANS Internet Storm Center Diary, today’s handler is taking swipes at David Litchfield (calling him mean, spiteful, and rude, as well as a grinch). You see, Oracle patched some vulnerabilities that David found back in August. Nice guy that he is, he did not publicly announce the vulnerabilities until December 23rd, 4 months after patches were available.
Stuff like this is fine in a blog. Opinion is great. But when the name SANS is on the blog, you’re lending the SANS name to your personal opinion. It doesn’t matter if you have a disclaimer. It just seems like, more and more, the SANS ISC Diary is used as a bully pulpit (or, in this case, just for blowing off steam). The ISC Diary should stick to aggregating reports about what is going on out on the Internet.
I did a quick Google search to see if what the SANS handler said was true, or if Litchfield had posted a response yet. I didn’t find any current response, but I did find a ZDNet interview with Litchfield. He appears to be very mindful of not releasing vulnerability info prior to patches being available. For that he deserves a pat on the back, not the lump of coal that SANS is presenting.
It’s kind of funny that, after giving Litchfield the pitchfork, they just kind of mention in passing that a Chinese group has released exploit code for unpatched Windows vulnerabilities. Perhaps those are the guys that deserve the heat.