Slashdot Mirror


Hackers Disagree On How, When To Disclose Bugs

darkreadingman writes to mention a post to the Dark Reading site on the debate over bug disclosure. The Month of Apple Bugs (and recent similar efforts) is drawing a lot of frustration from security researchers. Though the idea is to get these issues out into the open, commentators seem to feel that in the long run these projects are doing more bad than good. From the article: "'I've never found it to be a good thing to release bugs or exploits without giving a vendor a chance to patch it and do the right thing,' says Marc Maiffret, CTO of eEye Security Research, a former script kiddie who co-founded the security firm. 'There are rare exceptions where if a vendor is completely lacking any care for doing the right thing that you might need to release a bug without a patch -- to make the vendor pay attention and do something.'"

5 of 158 comments

  1. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  2. Re:Opinion Swing? by Loconut1389 · · Score: 2, Interesting

    MS should have a program whereby if you tell them first and let them patch it, they'll give some program or hardware (Zune?) to the first reporter of the bug, but if the exploit is released (by anyone) to the wild before the patch, then the offer is null and void. Assuming MS would play fair (and not have an insider leak the bug 2 hours before the patch), it seems fair and easy good business for MS. Surely the cost of a Zune or a laptop would be less than the bad press costs.

  3. Re:2 months by Cylix · · Score: 4, Interesting

    The problem with setting any reasonably lengthy period of time is that it results in that much more infection and use. Basically, this grants any purchaser of a 0 day exploit roughly a 2 month window of opportunity to use their new found investment.

    While there may not be a patch to solve the problem, perhaps there is a significant workaround that could avoid some trouble.

    This is exactly why it is difficult to assign a window of disclosure to such issues. Not too terribly long ago, some of the larger firms managed to get together and settle on a 30 day notice.

    Also, you might remember that a little company called Cisco was sitting on a vulnerability for quite a while until someone went psychotic over the deal.

    In the grand scheme of things it comes down to protecting your image. It almost seems like the policy on vehicle recalls. Unless X number of issues arise... just don't deal with it. However, if it becomes substantially used or finds the public eye... it suddenly becomes a much larger problem.

    Honestly, an arbitrary date is rather inflexible, and a system that takes into account the impact of the bug needs to be used. Pump out tons of crap software? That isn't exactly the problem of the common man, but rather the problem of the organization's software development model.

    Organizations and individual people lose time and money to support these industry bug shields. Again, a case by case determination depending upon the level of potential harm.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  4. All's fair... by mandelbr0t · · Score: 4, Interesting

    Hackers are not under any obligation to disclose anything. I'm not aware of any law that either forces them to disclose a vulnerability that they have discovered, or any due process that must be followed to do so. I'm also not aware that writing or distributing proof-of-concept code is illegal. Judging by the number of large software vendors either in court (IBM, SCO) or deliberately misinterpreting existing legal documentation (Microsoft and Novell attack the GPL), the law is clearly the only deciding factor in how business will be done in the IT industry.

    Therefore, throw your morals and principles out the window. This is laissez-faire economics at its best. Mud-slinging, sabotage, legal wrangling, death threats and more await as we determine just who has the best software. If these vendors are truly interested in some good-faith reporting from the people who are discovering the vulnerabilities, maybe a show of good faith on their part might be nice. There's absolutely no incentive to do anything in a reasonable or "nice" way, when dragging a hated vendor's name through the mud is both legal and cool.

    There's a few things I can think of that would improve matters and reach a common ground where truly malicious software is written only by a few bad apples:

    • Laws governing EULAs would reduce the weasel words that we click through blindly as we install software. Many EULAs that I've read actually have a clause that's different for the country of Ireland, as their so-called "lemon law" also applies to software. The EULA as it is written for the United States waives too many consumer rights to be valid in Ireland. Having clear guidelines for what rights you can waive by agreeing to a software EULA is vital.
    • Vendor incentives for disclosing information in accordance with their company policy. When RSA was released to the 'net community at large, there was a sizable reward for proving the ability to crack it. If vendors offered some kind of financial incentive to disclose bugs through their normal process, many people would opt for the immediate cash rather than going for the jugular.
    • Establish criminal and civil liability for writing bad software. Everything goes to a civil court these days, so it's often a battle of who has the better lawyer (mostly because there's no good laws governing EULAs...). What is the software provider's responsibility? Establish industry guidelines for QA testing for off-the-shelf software. Throw some people in jail for writing malicious software. Any company that misrepresents its software for the purpose of taking control of someone's machine should be subject to criminal liability. I don't want to hire a lawyer and roll the dice on a lawsuit. I want the police to press charges and the DA to prosecute, all without my involvement (unless I get to testify).

    Just to be perfectly clear: I am condoning the MOAB and any other MOxB. I've used too much bad software and seen too many vendors be held utterly unaccountable for their pre-meditated actions against the consumer. Lobby groups funded by these large vendors continue to erode consumer rights. If this is not how business is to be done, perhaps the industry leaders should set a better example.

    mandelbr0t
    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  5. Re:Opinion Swing? by linuxmop · · Score: 4, Interesting

    You are operating under false assumptions.

    There exists a community of underground hackers (crackers?) who search for exploits. They find them, trade them, sell them, and use them to steal data and resources. Gone are the days where script kiddies just hack for fun; there is a serious black market involved, since resource and identity theft can be very lucrative.

    When an exploit is discovered by a researcher, it is likely that the black hats have already discovered it. The software's users are already being harmed, although they may not realize it: smart hackers are good at covering their tracks.

    In this scenario, "responsible disclosure" is anything but responsible. By waiting until the vendor has patched the software, users are being harmed. On the other hand, immediate full disclosure has three important effects:

    One, it eliminates the black market for the exploit. If everyone knows about it, nobody will pay for it. This reduces the overall market for exploits and, compounded over many exploits, will drive hackers out of the market. If it is not profitable to find exploits, fewer people will do it.

    Two, it gives the users an opportunity to take action. If, through full disclosure, I find out that Internet Explorer has a serious security risk, I can switch to Firefox. If my Cisco router has a problem, I may be able to work around it with an alternate configuration. On the other hand, if a researcher reports the exploits to Microsoft and Cisco directly, black hats are free to exploit my computer and my router until patches are released (if they ever are).

    Three, it provides an incentive for vendors to write better software. If every software bug meant a black eye and angry users, you can be sure that there would be better software. On the other hand, the occasional well-timed patch looks like software "maintenance", a concept that shouldn't exist but sounds reasonable to the layman (after all, he has to have his car tuned up every so often, so why not his software?) The result of full disclosure, on the other hand, is more akin to an emergency recall; the producer has clearly made a mistake.

    The concern, of course, is that the black hats don't already have the exploit, and that full disclosure gives it to them. Yes, this is the risk of full disclosure. However, given that black hats have an economic incentive to find exploits, while researchers rarely do, we can expect the probability of this to be low. And even if they don't have the exploit, releasing it still shrinks the exploit market (why pay for exploit B when you can get exploit A for free), it still notifies users of a potential problem, and it still incents vendors to write better software.

    Full disclosure is responsible disclosure.