Slashdot Mirror

← Back to Stories (view on slashdot.org)

Full-Disclosure Wins Again

Posted by CmdrTaco on from the mommy-where-do-patches-come-from dept.

twistedmoney99 writes "The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch — and InformIT just proved it again. In March, Seth Fogie found numerous bugs in EZPhotoSales and reported it to the vendor, but nothing was done. In August the problem was posted to Bugtraq, which pointed to a descriptive article outlining numerous bugs in the software — and guess what happens? Several days later a patch appears. Coincidence? Probably not considering the vendor stated "..I'm not sure we could fix it all anyway without a rewrite." Looks like they could fix it, but just needed a little full-disclosure motivation."

25 of 122 comments (clear)

  1. A bug only exists... by InvisblePinkUnicorn · · Score: 4, Insightful

    A bug only exists if the public knows about it.

    1. Re:A bug only exists... by Billosaur · · Score: 2, Insightful

      Incorrect. A bug exists if a bug exists. A bug only gets fixed if the public knows about it, specifically the computer savvy segment of the population, since the average user can't tell a bug from a feature.

      --
      GetOuttaMySpace - The Anti-Social Network
    2. Re:A bug only exists... by xappax · · Score: 4, Insightful

      It's unfortunately not that hard to imagine that your sarcastic remark was serious - we constantly hear the same sentiment echoed very seriously in relation to computer security, electronic voting machines, even terrorism and criticism of the Iraq War.

      Sadly, we live in a world where most people in power actually believe that anyone who points out problems is just as bad as someone who causes and exploits problems.

    3. Re:A bug only exists... by TubeSteak · · Score: 2, Insightful

      Sadly, we live in a world where most people in power actually believe that anyone who points out problems is just as bad as someone who causes and exploits problems. Look at it from their point of view:
      Anyone who points out problems, is creating a problem.

      A lot of times, if you don't officially know about it, you don't have to officially do anything about it.
      --
      [Fuck Beta]
      o0t!
    4. Re:A bug only exists... by dmpyron · · Score: 2, Insightful

      Except that they officially knew about the problem. Assuming he had taken the time to sign his email. When they said they did know if they could fix it without a major rewrite, that was a tacit admission that they had known about it.

      At least he went to the company first and sat on it for a while. Lots of people publish first, then notify the maker. That definitely makes him a white hat in my book.

  2. does it have to be turned into law? by toQDuj · · Score: 4, Insightful

    I believe there is a system that forces a company into action if it delivers faulty products.

    Why then, should software be any different? Do we have to force companies to take action once a bug is submitted to them?

    B.

    --
    Every experiment which ends in a big bang is a good experiment.
    1. Re:does it have to be turned into law? by hateful+monkey · · Score: 4, Insightful

      The biggest reason this wouldn't work well right now is because there are so many pieces of software that are written by small companies that couldn't afford a massive change in liability laws. This would turn software into a business that needs an enormous amount of money to enter the market, which would essentially destroy small startups and leave the business to large well-funded corporations. Open source software would never be usable outside of a very narrow range of applications that present little to no legal liability unless a large company were willing to absorb their liability costs (insurance, etc.). As it stands even Microsoft states in its EULA that it does not warrant Windows or Office to be good for any purpose. If every student or business person could sue Microsoft for losing their important document minutes before their presentations, even Microsoft, with their billions in the bank, would not be able to stay in business long. In addition, the reason companies fix publicly disclosed bugs is not because of liability, it is because a known bug makes them look bad to prospective customers. If they had to worry about the sort of liability you are talking about they would be hesitant to fix any bug that didn't open them to a lawsuit, just in case the FIX created an issue they could be sued for.

  3. Adopt the cryptographer threat model by Ckwop · · Score: 5, Insightful

    In the threat-models used by cryptographers, the attacker is assumed to know everything except cryptographic keys and other pre-defined secrets. These secrets are small in number and small in size. Their size and their limited distribution means we can trust protocols based on these secrets.

    Software that is used by millions of people is the very antonym of a secret. Compiled source is routinely reverse engineered by black hats. Web-sites are routinely attached using vectors such as SQL injection. In short, you can't assume that any of the source code is secret. Taken to its logical conclusion, you must therefore assume the worst; that the black-hats know of far more bugs than you do. In fact, strictly speaking you assume they know every bug that exists in your software.

    In light of adopting such a severe threat-model, the argument over full disclosure is a non-debate. Black-hats with sufficient resources probably already know of the bug. The only people aided by disclosing it wide and publically are the people who run the software who can take evasive action. In contrast, you only told black-hats what they already know.

    Simon

    1. Re:Adopt the cryptographer threat model by Otter · · Score: 4, Insightful
      Taken to its logical conclusion, you must therefore assume the worst; that the black-hats know of far more bugs than you do. In fact, strictly speaking you assume they know every bug that exists in your software.

      But that's a ridiculous assumption! It makes sense in the context of cryptography research, but you're turning it into a assertion that publicizing software vulnerabilities doesn't have any negative consequences, which is absurd. There *are* two genuine conflicting sides here and you can't just wave one of them away.

      --
      What I'm listening to now on Pandora...
    2. Re:Adopt the cryptographer threat model by Ckwop · · Score: 4, Insightful

      But that's a ridiculous assumption! It makes sense in the context of cryptography research, but you're turning it into a assertion that publicizing software vulnerabilities doesn't have any negative consequences, which is absurd. There *are* two genuine conflicting sides here and you can't just wave one of them away.

      It's a ridiculous assumption until you try to work out how you can usefully weaken the assumption! Ask yourself this, how do you know how good the attacker is? They're not going to share their successes with you, in fact, they will probably never make contact with you.

      You are only as strong as your weakest link but with the vast distribution that's possible this days you have to expect to be up against the very best attackers. So what then is the plausible attacker your meant to be up against?

      Incidentally, this is why cryptographers choose such a harsh threat-model in which to place their protocols and ciphers. Only by designing against an attacker who is effectively omniscient can you truly get security. You need to look no further than Diebold to see what happens when you don't do this.

      Sure in the real world, disclosing vulnerabilities has an impact! Of course it does, but to say it decreases the security of the users of the software is simply nonsense. It may well do in the very short term, but in the longer term it is absolutely vital that full disclosure occurs if security is to improve.

      Simon

  4. The difference by InvisblePinkUnicorn · · Score: 3, Insightful

    Somehow I don't think that too many lives are being put at risk if EZPhotoSales has a bug in its software. Now a seat buckle on a car, that's a different story...

    1. Re:The difference by owlstead · · Score: 2, Insightful

      Those "highly important security-bugs" will most likely be found in OS or server components. Sure, that's a lot of software, but they aren't general purpose applications. I tried to exclude those products by writing "undemanding applications" and "memory leak or buffer overflow in a graphics application". So either I was still not clear enough or you were misunderstanding me for some other reason.

      Buffer overflows and such tend to not surface in normal applications, because you would have to go out of your way to exploit them or find them during testing, and then gain nothing at all. Of course, underlying libraries such as JPEG software might be used by either OS or application software, so general purpose libraries should be rather bug-free or they could cause serious problems (such as in Java or in browsers).

      I hope this makes things more clear for you.

    2. Re:The difference by db32 · · Score: 2, Insightful

      Ok, lets up the stakes. MS loves to tout their super success such as their claims about how machines running windows run the stock market. Boy I bet it would suck if they got hit with something obscure and nasty. Not enough, ok, lets go up again. There are tons of medical devices that run software from home grown code to Windows. Now...you can't go blindly patching a Windows box that runs complex medical equipment without intensive testing, not like "will it cause problems with our 'mission critical' intranet business portal" but "gee I hope there aren't any obscure oddities that might cause the machine to misdiagnose or kill anyone". Good thing MS slaps that label of "you can't hold us responsible for using our product if it is found to be defective". So...critical machine running power plant reactor stuff goes apeshit stupid because of a bug...oh well...good thing all the damages and deaths can't be pinned on the people who are truely responsible for allowing it to happen.

      It amuses me to no end that even tech people are so blind to the fact that a computer runs damn near everything these days, and software problems causing life and death situations are far more common than you might imagine. The computer is not for gaming and business servers only anymore folks. Shit, go look up the rumors behind the software problems with Chernobyl

      --
      The only change I can believe in is what I find in my couch cushions.
  5. Incentives by gusmao · · Score: 5, Insightful

    It was aways clear to me that full disclosure is a better option simply because people react to incentives, and bad publicity creates a strong incentive for vendors to fix and patch their systems.
    Nothing like fear of losing sales and yearly bonus to motivate higher management.

    1. Re:Incentives by Anonymous Coward · · Score: 1, Insightful

      Well not exactly. Publicly reporting a security bug simply changes an engineering group's priorities. Other bugs don't get fixed, new features won't get added. We can debate whether or not that's a bad thing, but that's all it is - the publicly disclosed bug will just get fixed first.

  6. The Government by Sunrise2600 · · Score: 2, Insightful

    It works in software, it works in government too. Only slimy bastards hide behind their veil of secrecy to their customers/public. Maybe one day we will have open source voting machines.

    --
    Half the lies they say about me aren't true
    Cute Rush
  7. no, this is responsible disclosure by Lord+Ender · · Score: 4, Insightful

    This is not about full disclosure. This is responsible disclosure. Full disclosure would be if he went to bugtraq before contacting the vendor. Responsible disclosure is where a responsible security research goes to the vendor FIRST, and only goes to the public after the vendor has had a reasonable amount of time to fix the problem.

    Responsible disclosure allows responsible companies to get a fix before a flaw is used maliciously, but the researchers still get credit. With responsible disclosure everyone wins except black hats.

    Full disclosure benefits black hats more than it does anyone else.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:no, this is responsible disclosure by xappax · · Score: 3, Insightful

      With responsible disclosure everyone wins except black hats.

      Black hats win too. You ask 4cId_K1LL3R whether he'd like you to "fully" or "responsibly" disclose the 0day buffer overflow that he discovered a week ago and has been using to break into systems. I'm sure he'd far prefer that you keep the public in the dark about the issue for a month or so while the company leisurely gets around to patching it.

      Black hats win, but software companies win most of all - which, after all is why software companies invented and promoted "responsible disclosure" in the first place. "Responsible" disclosure allows a company to improve their reputation and their software at little to no cost, thanks to volunteers who fix their security problems without telling the public. This, in turn, enables them to continue using the same irresponsible software engineering practices as they always have, with no impact on their bottom line.

  8. Re:Two basic problems by garett_spencley · · Score: 4, Insightful

    This is a very odd point of view.

    First of all, if the users of the software aren't paying attention, who's fault is that ?

    Secondly, you would think and hope that the software manufacturers would be paying attention and that they would inform their users, who may or may not be paying attention.

    Full disclosure doesn't just imply disclosure to a small, specific group of people. It involves making information PUBLICLY available to EVERYONE. If someone isn't paying attention then that's their own fault. But if you don't feel like end users who are too worried with other things to be paying attention to Bugtraq are getting a fair break then point the finger at the software manufacturer instead. After all, they're the ones who sold faulty software and they're often the ones who continue to sell faulty software when bugs are not disclosed to the public, because they take the mind set of "what they don't know can't hurt them".

    Unfortunately, what "they" don't know CAN hurt them. Because those same people you were talking about who are "interested in doing harm" are usually the ones to find the bugs to begin with. So they already know and those end users that you are so adamant about protecting are already at risk.

    So IMO it's the responsibility of the software manufacturers to pay attention, fix bugs, release patches and inform their users that they need to apply said patches ASAP.

    I mean, are you really advocating keeping information from people ? What if you had cancer, would you prefer that your doctor not inform you ? As I already stated, full disclosure is all about making information publicly available to absolutely everyone, so that absolutely everyone can make whatever choices they feel like with that information. Your argument is that full disclosure is selective about who it makes the information available to. I have to disagree. At the very least it makes the information available to the developers who made the buggy software to begin with, and competent admins who follow those lists so they know what kind of bugs are running on their servers (I used to be one of those).

  9. Is it just me or by Anonymous Coward · · Score: 1, Insightful

    have Slashdot stories become more openly biased. I wouldn't even call this a story, it's an opinion.

  10. Software failing isn't necessarily harmless by Hemogoblin · · Score: 4, Insightful

    I was thinking of moderating, but I'll reply instead:

    Its possible to be injured in ways other than just physically. What about fraud and identity theft? It could be very damaging to thousands of people if one of the software applications that your company is using has flaws that allow fraud or identity theft to occur on massive scale.

    To quote "Going Postal" by Terry Pratchett: "You have stolen, embezzled, defrauded, and swindled without discrimination. You have ruined businesses and destroyed jobs. When banks fail, it is seldom bankers who starve. In a myriad small ways you have hastened the deaths of many. You do not know them, but you snatched bread from their mouths and tore clothes from their backs."

    Theres a reason why fraud and theft can have as harsh a punishment as assault. (In Canada at least.)

    Maybe EZPhoto Editor isn't going to put anyone at great risk if it fails, but I'm sure you could think of some software that might.

  11. Several days later a patch appears. by Trillan · · Score: 3, Insightful

    "Coincidence? Probably not considering..."

    Yeah, everyone knows that patching security holes is an instant process. What other explanation could there possibly be? The public found out about the bugs, and the vendor waved a magic wand, and presto-changeo, they were fixed.

    Okay, now let's be real here.

    That the patch appeared almost immediately after is the surest sign that the vendor was already working on them. It probably also indicates the vendor wasn't confident that they were finished, and rushed them to get them out after only a couple days of public disclosure.

    So enjoy your half-baked patch.

  12. Re:False assumptions? by Minwee · · Score: 2, Insightful

    If the company was indeed looking at the problem, then they lied about it. Their response to being notified of the problems, as described in the article, was to say "Gee, we're not going to bother fixing that. Instead we're going to work on a new product and just sell it as an upgrade to everybody."

    When someone tells you flat out that they aren't going to do anything, why is assuming that they aren't doing anything false?

  13. Re:I agree with you for the most part, but... by Bloodoflethe · · Score: 2, Insightful

    Someone mod the parent up!

    --
    "Little is much when little you need."
  14. Product liability by Anonymous Coward · · Score: 1, Insightful

    Since if you have FOSS with all needed to build and install the product yourself, there's no *need* to have product liability on it. With CSS you must wait until the autor company makes the changes since there is no way you can do it. In that case, there *is* a need for product liability.

    You can then decide to pay for keeping your source closed in liability for the code you closed or absolve liability by freeing your customers to fix yuor prohlems.

    NOTE: this DOES NOT mean GPLing your code. You can keep it protected fully just allow the owner of the code to work out how to fix the problem and tell others to (e.g. make a patch diff) which, since it is personal use and not an action removing potential customers, is not (or should not) be copyright controlled in any case.