Full-Disclosure Wins Again
twistedmoney99 writes "The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch — and InformIT just proved it again. In March, Seth Fogie found numerous bugs in EZPhotoSales and reported it to the vendor, but nothing was done. In August the problem was posted to Bugtraq, which pointed to a descriptive article outlining numerous bugs in the software — and guess what happens? Several days later a patch appears. Coincidence? Probably not considering the vendor stated "..I'm not sure we could fix it all anyway without a rewrite." Looks like they could fix it, but just needed a little full-disclosure motivation."
In the threat-models used by cryptographers, the attacker is assumed to know everything except cryptographic keys and other pre-defined secrets. These secrets are small in number and small in size. Their size and their limited distribution means we can trust protocols based on these secrets.
Software that is used by millions of people is the very antonym of a secret. Compiled source is routinely reverse engineered by black hats. Web-sites are routinely attacked using vectors such as SQL injection. In short, you can't assume that any of the source code is secret. Taken to its logical conclusion, you must therefore assume the worst: that the black-hats know of far more bugs than you do. In fact, strictly speaking, you assume they know every bug that exists in your software.
In light of adopting such a severe threat-model, the argument over full disclosure is a non-debate. Black-hats with sufficient resources probably already know of the bug. The only people aided by disclosing it widely and publicly are the people who run the software, who can take evasive action. In contrast, you only told black-hats what they already know.
Simon
It was always clear to me that full disclosure is a better option simply because people react to incentives, and bad publicity creates a strong incentive for vendors to fix and patch their systems.
Nothing like fear of losing sales and yearly bonus to motivate higher management.
1. Bug is reported.
2. Secretly, a team of crack programmers (or programmers on crack) develop the patch.
3. The patch sits in a repository until public outcry.
4. Public outcry.
5. Patch released... LOOK HOW FAST WE ARE!
The dangers of knowledge trigger emotional distress in human beings.
GIRL: But--
NARRATOR: Once and for all!