Slashdot Mirror

← Back to Stories (view on slashdot.org)

Netscape Nondisclosing Mozilla Security Bugs?

Posted by timothy on from the how-best-to-best-the-kiddies dept.

AP writes: "Mozilla developers are contemplating disclosing Mozilla security bugs only to a limited group of people, unavailable to the public until a fix is found, as indicated in this news post and the discussion thread. Are Mozilla developers missing the point of open source (implying open security bugs) or are they under pressure from Netscape? Tell Mozilla developers what you think." Please read this post from MozillaZine, in which it is explained that there is mere open /discussion/ about security and disclosure in the mozilla security newsgroup. Thanks to Hard_Code for the hook-up.

5 of 123 comments (clear)

  1. BETTER than open source! by Anonymous Coward · · Score: 5

    Look, the point of open source software is that it is analagous to the scientific concept of "peer review". You'll notice that there is no scientific concept of "review by every lugnut who knows ftp". That's because scientists aren't prey to these libertarian/egalitarian visions in which "everyone can contribute". The fact is that the marginal contribution beyond the first hundred or so developers is pretty negligible.

    You have to think in terms of marginal benefit versus marginal cost. The Mozilla developers may not be super l33to sk33to, but they're at least competent to work on Mozilla. The various long-haired lugnuts, slashbots and script kiddies who will be filling up this thread with karma-whoring sermons on "give us the source!" are massively unlikely to add anything to the exercise but noise.

    This is the way forward. Open source, but peer review only during development. With a defined way to get into the "peer group". Thus shutting out the whiners and lamers, and not letting the whole product be compromised by someone's exploitation of a bug that they had no business seeing.

  2. Re:Limited disclosure is totally appropriate by arcade · · Score: 5

    What if someone found a hole in Apache? Should they post it far and wide, or should they quitely pass it along to the main developers so that the hole can be closed before half the world's websites are replaced by "ThiZ Site HAXed by KeWl d00d"?

    It should be openly published. Nobody can know for sure that they are the first to discover the bug. It could've been circulating in hidden circles for years - without anybody knowing.

    It is blatantly disrespectful to the customers not to open the bugs to the community. Only that way they may secure themselves.

    --
    Rune Kristian Viken
    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
  3. Security disclosure by Minupla · · Score: 5

    *sighs* OK, here we go again.

    1) Not disclosing a security hole does NOT make it go away.
    2) Software developers don't always know all the security holes being actively exploited. It is entirely possible that the hole we're being 'protected' from is in fact being exploited in the wild, and the only thing that's accomplished is we're not being careful in our use of the product until it can be patched.
    3) Non-disclosure tends to slow the repair of security holes in any environment, never mind open source, where your very strength is in your userbase.

    I personally would be in favor of draconian disclosure. When a security bug is discovered, pop up a dialog box, forcing me to read about the advisory and 'continue at own risk' until a fix can be developed and a notice of said fix distributed using the same draconian alert box.

    That way everyone who uses the product (rather then just those of us who read full disclosure lists like Bugtraq) knows what exactly is going on and can change their habits accordingly. Additionally you'll have every open source programmer on the planet competing to squash the bug.

    Seems like a no brainer to me people.

    ---
    Remove the rocks from my head to send email.
    ----
    Remove the rocks from my head to send email

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  4. Limited disclosure is totally appropriate by kevin805 · · Score: 5

    Everyone is whining about "security through obscurity". Well, sorry, the other forms of security are already gone -- that's what it means that there's a security bug. Security through obscurity is better than nothing.

    Unlike closed source projects, even a general description of the problem might be enough to find the exact bug, and to develop an exploit for an open source project. This means that it's even more critical that the nature of the bug isn't leaked until a solution or work-around is known.

    What if someone found a hole in Apache? Should they post it far and wide, or should they quitely pass it along to the main developers so that the hole can be closed before half the world's websites are replaced by "ThiZ Site HAXed by KeWl d00d"?

    Bruce Schneier addressed this in a recent cryptogram. See: http://www.counterpane.com/crypto- gram-0001.html

    Of course, there is the possibility of Netscape taking the microsoft approach -- just ignore it until actual damage is caused -- but I think this is unlikely. They are already agreeing that the bugs need to have a distribution other than netscape only. I think it's pretty unlikely they would let security bugs be swept under the rug.

    --Kevin

  5. Mozilla is still under development by zesnark · · Score: 5

    Mozilla is still under development and should not be treated as a release product. Security bugs should be published openly to ensure the fastest and most robust fix possible. There is no sense in concealing information about a product still under development. z