undefined | Better HN

0 pointstptacek2y ago0 comments

MegaZone as in Usenet MegaZone?

0 comments

8 comments · 1 top-level

MZMegaZone2y ago· 7 in thread

No, a MegaZone. Haven't you heard, we come in six packs now. ;-)

Yeah, very, very likely one and the same. Since 1989.

tptacekOP2y ago

Wow, that's a throwback. I was an ISP person back in the Portmaster era. You're at F5 now, I guess!

Can you say more about the CVE thing? That seems like the opposite of what Maxim Dounin was saying.

MZMegaZone2y ago

Yeah, I've been with F5 since 2010 - gotta love those old PortMasters though, Livingston was good times, until Lucent took over. I was there 95-98.

I don't know what else there is to say really. The QUIC/HTTP/3 vuln was found in NGINX OSS, which is also the basis for the commercial NGINX+ product. We looked at the issue and decided that, by our disclosure policies, we needed to assign a CVE and make a disclosure. And I was firmly in that camp - my personal motto is "Our customers cannot make informed decisions about their networks if we do not inform them." I fight for the users.

Anyway, Maxim did not seem to agree with that position. There wasn't much debate about it - the policy was pretty clear and we said we're issuing a CVE. And this is the result as near I can tell.

Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works.

kelnos2y ago

Oof. Presumably Dounin had other gripes about the company that had been building up? This seems like a pretty weird catalyst for a fork. Feels more like this was the last straw among many.

I get that CVEs have been politicized and weaponized by a bunch of people, but it seems weird to object that strenuously to something like this.

dgacmu2y ago

Oh my god, the Internet is such a small place. Good to hear you're doing well - we interacted a bit when I was running an ISP in the 90s as well. (Dave Andersen, then at ArosNet -- we ran a lot of PM2.5e and then PM3s).

And appreciate the clarification about the CVE disagreement.

1 more reply

rlaager2y ago

I don't know much about this situation, but from what I've read, you were clearly in the right. It doesn't matter if the feature is in optional/experimental code. If it's there and has a vulnerability, give it a CVE. The customers/users can choose how much they care about it from there.

> Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works.

I recently did exactly that when a vendor refused to obtain a CVE themselves. In my case, I was doing it as part of an effort to educate the vendor on how CVEs worked.

conartist62y ago

You bring up NGINX+, a commercial product with a CVE reporting policy, but just from reading the docs on it it doesn't support QUIC or HTTP/3. So I guess I can see why the maintainer would be mad about a commercial policy applying to noncommercial work in the absence of any real threat.

1 more reply

mholt2y ago

> Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works.

Even if third parties can file CVEs, do you think it hits different when the parent organization decides to do so against the developer's wishes? Why do he and F5 view the bugs differently? It sounds like the fork decision was motivated less by the actual CVEs and more about how the decision was negotiated (or not at all).

(PS. Thanks for participating in the discussion.)

1 more reply

j / k navigate · click thread line to collapse

0 comments

8 comments · 1 top-level

MZMegaZone2y ago· 7 in thread

No, a MegaZone. Haven't you heard, we come in six packs now. ;-)

Yeah, very, very likely one and the same. Since 1989.

tptacekOP2y ago

Wow, that's a throwback. I was an ISP person back in the Portmaster era. You're at F5 now, I guess!

Can you say more about the CVE thing? That seems like the opposite of what Maxim Dounin was saying.

MZMegaZone2y ago

Yeah, I've been with F5 since 2010 - gotta love those old PortMasters though, Livingston was good times, until Lucent took over. I was there 95-98.

Anyway, Maxim did not seem to agree with that position. There wasn't much debate about it - the policy was pretty clear and we said we're issuing a CVE. And this is the result as near I can tell.

Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works.

kelnos2y ago

Oof. Presumably Dounin had other gripes about the company that had been building up? This seems like a pretty weird catalyst for a fork. Feels more like this was the last straw among many.

I get that CVEs have been politicized and weaponized by a bunch of people, but it seems weird to object that strenuously to something like this.

dgacmu2y ago

And appreciate the clarification about the CVE disagreement.

1 more reply

rlaager2y ago

> Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works.

I recently did exactly that when a vendor refused to obtain a CVE themselves. In my case, I was doing it as part of an effort to educate the vendor on how CVEs worked.

conartist62y ago

1 more reply

mholt2y ago

> Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works.

(PS. Thanks for participating in the discussion.)

1 more reply

j / k navigate · click thread line to collapse