Full Disclosure and Why Vendors Hate It
An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."
It's pretty obvious since vendors have to do more work and package another release to fix bugs. It's easier to keep this information secret and just bundle all the bug fixes into a bulk package when it suits the vendor (I expect money comes into this equation somewhere).
Why UNIX?
This guy really thinks highly of himself. He claims the iPhone's "secrecy" or Apple's inattention to the "privacy flaws" have hurt the product.
Ridiculous.
The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS.
I've never seen someone anywhere complain that it's insecure and vulnerable to hackers.
Mac OS X and Windows XP working side by side to fight back the night.
welcome to the internet
Vendor first disclosure at least makes it LESS probable that the bad guys exploit it before a fix is available. So-called security experts disagree with this because their ego gets less press attention, but that's the main drawback.
The author seems to imply that vendor first means that a fix will take a longer time. That's not obvious at all. In fact, working under the pressure of a deadline for a future disclosure is a much better motivation than to fix a problem that has already created PR damage.
I work for a vendor and so I get to see the view from the inside out on this.
Most times, when a vulnerability is discovered by a professional security group or an upstream vendor, they both tell us what it is, and propose an "embargo" date for when they plan to make it public.
This gives vendors time to react properly but still serves the public with disclosure.
This signature intentionally left unblank.
Women's disinterest in IT is as plain and simple as your disinterest for knitting, facials, basket weaving, romance novels and shopping. Genetic differences exist between races and sexes. Stop attempting to impose equality across things which obviously aren't. If 2000 years of history are not enough to prove that women simply have very little interest in technical fields and IT, then you are a blind fool. Mind you, this is not to say that women are less competent than men in general, but rather that their competencies have been honed on different subject matters.
I read the article but I didn't get why he was concerned about a vendor "over-fixing" a vulnerability.
Maybe it's my cynicism about security outfits, but the only thing I could think of is that it makes it harder for them to promote themselves since it'll make it harder to find another vulnerability.
Almost no one is comfortable with full disclosure, and the ultimate arrogance and hypocrisy is demanding it in others, while fabricating excuses why you yourself cannot comply. We see this in the current US presidential campaign, where it is typical to release tax returns, but some people feel too above everyone else to do so. This includes other cases where persons who, like the police, are paid by the American taxpayer, but refuse to fully account for their work hours to the American taxpayer. The examples, private and public, are endless.
So why would geeks, even those that never put on a tinfoil hat, demand full disclosure, especially in a marketplace where we have the option to simply not spend the money? In this case, if there are significant security issues with the iPhone, don't buy one. It sounds trite, and everyone always complains about the philosophy, but it works. MS is a target for viruses, even if it is not inherently less secure, so I don't use it on a regular basis. SUVs are less secure as they are not inherently stuck to the ground through the tire patches, and require computer intervention to keep them from tipping over, so I don't buy them. I don't shop at stores with affinity cards. If an iPhone is an attack against security, buy something else.
Back to the issue of security, there is one serious misconception that I believe many people make. Just because one does not publish one's security details on the internet does not mean that one is practicing security by obscurity. Just because I do not publish my path to work on the net, and my schedule, and the times and places that my stuff is most vulnerable to theft, does not mean I practice security by obscurity or have an ideological hate of full disclosure. And giving a vendor time to fix an issue, even if everyone except the average consumer knows about it, is not unreasonable. If the vendor does nothing about it in a fairly short time frame, then the equation shifts.
Which is why the most secure system may be open source. If something is discovered, then a slightly above average user may be able to fix it, and no one has to wait on the vendor. But open source solutions do not seem to have traction in the marketplace, so we are where we are.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Mods: you done got trolled, idiots. That line does not exist in the article.
Tip: If the fucktarded anonymous coward CAN'T SPELL, that's generally a good indication.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
What the heck is this article about? It starts out on this tantalizing about how much personal information your iPhone retains, and then goes off into this mushy soliloquy about full disclosure. Full disclosure of what? Give us some details? Is it just that the iPhone keeps old data floating around in its flash, like every other phone? Is it doing something nasty? Please tell us!
Admitting that it's a generalization, and there are many exceptions, he's right. Women in IT are every bit as good as the guys. But when you get into the world most of us inhabit, where all you know is what you've picked up on your own or from a couple of buddies in the field, men rule.
I challenge anybody to find among their non-geek friends and relatives an equal number of women who are willing to swap a video card or install an extra drive, or do minor OS mods. Perfect example: A friend of mine's father (in his 80s) is quite able to make a computer do what he wants and if you drop off a DVD writer at his house, he'll have it properly installed in 10 minutes. His wife loves what you can do with a computer (chatting with relatives "back home", etc.), but was totally stuck when their machine hung on shutdown.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Someone please mod parent insightful.
Now I don't disagree that the excerpt mentioned by the grandparent post sounds somewhat inappropriate, but if he deserves insightful points, more so does the parent - prejudice should never be fought with reverse prejudice.
This article "full disclosure and why vendors hate it" is spot on! I was going to post a bit about how full disclosure is good but just RTFM.
There've been so many examples listed on slashdot alone of vendors "working with" a company only to find they either 1) Start claiming the problem is fixed when it's not 2) After a week or two, just tell the vulnerability discoverer "What problem?" and hope they go away 3) Drag out fixing it for months or years. 4) The worst.. threaten the discoverer to keep things under wraps. In an ideal world, working with the vendor is great but companies just are not ideal.
Frankly, using Apple as an example is great. They really are one of the worst companies about vulnerabilities. Not in terms of having a lot, but in how they handle them. You have them keeping flaws in wireless drivers under wraps, even threatening the author into using third party wireless hardware to demonstrate the flaw (then getting fanbois to be "Oh, it wasn't even Apple's hardware!!" when it had the same driver flaws). They've fixed security vulnerabilities secretly (people look at an upgrade to some software, and find it fixes a bunch of security flaws without the "What's new" file saying this.. fixing flaws is good, but people might not upgrade if they don't know it's important too.) They claim security flaws are not a big deal (Safari). And so on. They've been doing this for quite a long time.
Something the author doesn't mention either, but is important... the people exploiting security holes are professionals. They are paid for exploits in cold hard cash, and quite a few are looking full time. The white hats have from time to time "discovered" new vulnerabilities by finding spyware, rootkits, etc., THAT HAVE BEEN IN THE WILD FOR MONTHS, using these "new" vulnerabilities. This argues strongly that getting the vendor in a panic and fixing holes fast outweighs any keeping the hole under wraps so it's maybe not exploited so much.
You need to give responsible vendors a reasonable period of time to get a fix out. Defining "reasonable" isn't always easy but if the vulnerability truly is known only by the discoverer, a good time window will be a few hours to a few weeks, depending on the complexity of the fix, the damage that can be caused, and the risk of independent discovery.
For vendors who have proven themselves irresponsible by not delivering fixes in a timely manner, there's no point in waiting, just publish it and let market forces do their thing.
Unfortunately, like "reasonable," defining "responsible" or "timely manner" is also not always easy.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Is it Wednesday? I have it on good authority that Wednesday is Rob's turn to enact trollan gaemz.
I totally agree. Since EEE PCs and iPhones are now small enough to fit in the kitchen, we may be seeing a change in this trend.
Just because s/he's an idiot doesn't mean s/he doesn't have a point.
Or perhaps I'm just trying to rationalize being a complete tool...
And why can't I answer "Yes" to the question I got while trying to post this answer as myself.
Full Disclosure is great - but inform the vendor first.. if they don't take any action in, say, 3 days (I've used that number before - I'm sticking with it) to alleviate it, then hit the internets with it.
But too often these types are calling for Full Disclosure - immediately! Don't even bother to inform the vendor! RAR! Cry havoc, and let loose the scriptkiddies!
"The bad guy is already going to test and exploit these vulnerabilities long before the public even discovers them - the good guys ought to have a crack at verifying it too."
That is an assumption. The assumption that bad guys know about the vulnerability -before- the 'public discoverer' went with full disclosure. Plus the assumption that the bad guys' work would be as bad, or worse than, what script kiddies would do in the time between your discovery and your disclosure. I don't think those are assumptions that can be made, based on - admittedly anecdotal - evidence (crashing mIRC 6.something users' IRC application on large IRC networks using a malformed DCC command only became a problem once it was disclosed and everybody and their dog started doing it, while the developer was already in the process of fixing.)
There's a middle ground - I put it at 3 days. Where do you put it, Jonathan Zdziarski? Your article seems to indicate "0 day", but I can't imagine you being that irresponsible.
Say a week elapses between the reporting a vulnerability and the passing of the embargo. That's another week that software I use is vulnerable without my knowledge thereof. If I would know that there is a problem, I would be able to take appropriate precautions while waiting for a fix, but if I don't know what's going on I'm the proverbial sitting duck. As a consumer, I demand full disclosure, and not only that, I demand to get it as soon as possible.
The issue that he raises is a flaw in capitalism, not specific to this case. Capitalism assumes that consumers have accurate information about their purchases. Making this information readily available is not encouraging capitalism, but rather trying to deny that the flaw exists.
If anything, this has the trappings of libertarian or democratic socialism. The idea of democracy taking a role in putting moral standards on powerful economic institutions, is not traditionally capitalist.
Systemd: the PulseAudio of init systems
When it comes to vulnerabilities, the vendors only care in so far as it causes a PR problem for them. However, I don't believe that these "Security Experts" are crusading for consumers either. They tell the company that there is a problem, but if the company doesn't decide that the flaw "They" found is the most important thing then the "Security Expert" throws a hissy fit and tells everyone about it in revenge. The "Security Expert" appears to me to be hoping someone will develop some malware that utilizes the flaw and gives the vendor a PR problem. Either way it's the consumer that loses because in the case of unfixed flaws there exists the possibility of a Malware author discovering the flaw, and in the event of full disclosure the consumers are the ones at risk if the malware authors act faster than the vendor. IMHO, it's a pissing contest between the vendors that write the software and the "Security Experts" that want bragging rights.
Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
I will embrace and celebrate the death of this device.
From Wikipedia (emphasis again, mine): I, for some reason, don't think that IT and computers have been around for 2000 years. Also nevermind the fact that it's only in the last few hundred years that we even have women holding jobs regularly. Or that the modern definition of "job" even existed for most of the human population. I can't help but think you're a "concern troll", and that you and the GP are one and the same.
Verizon's open platform is going to have more full disclosure.
He argues that if there is not full disclosure and you just notify the vendors that the bad guys will "probably" know about it too. If that was widespread then you wouldn't have people reverse engineering the monthly Windows patches to figure out what was patched. There are many crackers doing this every time Microsoft comes out with new updates and then they use that information to exploit people who haven't patched.
If the exploits were fully disclosed instead then most likely there would be even more exploits in the wild.
Wow, and all this time I thought it was because male techs tend to have limited interests and are difficult to work with when you're female. In my experience, the techies are either a) very unfriendly, or b) much too friendly. It's really not the subject matter that turns women off. It's the atmosphere. It's also repeatedly hearing what roles people expect them to go into. For example... do you think comments like yours are going to inspire any woman to go into IT? Good job. //female computer scientist
This is not in the article. This is flame bait.
love the taste, hate the texture
male techs tend to have limited interests and are difficult to work with
the techies are either a) very unfriendly, or b) much too friendly
If that's what you think about them, then it's no wonder they don't treat you that well. I sure wouldn't want to work with someone who is constantly trying to determine whether I am a small minded asshole or a pervert.
repeatedly hearing what roles people expect them to go into
Yeah, people don't tend to like that kind of thing.
spelling seems to be an afterthought here...
Vendor first doesn't mean "vendor only", and nobody says you need to sit on a flaw forever if the vendor doesn't fix it. You're giving them advance notice, not carte blanche.
Yes, I am.
While I agree with you about everything after and including the words "Also nevermind" and before and not including the words "I can't help...", you fail at reading comprehension. Your selective quoting so cunningly removed the very important words "technical fields", which have been around for at least 2000 years, and of which IT is a subset.
Remember, open source is free as in speech, not free as in bear.
I understand completely what he meant to say, but that's not what he said.
It in no way implies that IT has been around for 2000 years. You are correct in that, grammatically speaking, removing "and" and one of the joined clauses should be correct. I repeat, grammatically speaking. It doesn't have to retain its meaning or truth value, however. The sentence "The human race is composed entirely of men and women" is true (okay, there are a few percent, but ignore that for sake of a simple example). However, neither "The human race is composed entirely of men" nor "The human race is composed entirely of women" is true.
The sentence's meaning can change when you remove "and" and one of the joined clauses. This happened in the post you were criticizing. By having "technical fields and IT" instead of just "IT", it's saying that technical fields in general have been around for at least 2000 years and that women's disinterest in that implies disinterest in IT, a subset of technical fields.
What makes you say that genetic differences exist between races? Although I'll agree that there are differences between sexes, there's little agreement on what even defines a race, never mind whether there's a difference. There is massively more genetic variation in people whose ancestry is African than the differences between all the other 'races' combined.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
In that case, "men and women" is a single article. If we use that interpretation, it still makes no sense, as "IT" and "technical fields" are one article, and they, together, have not been around for 2000 years.
This is why women stay away from IT... because the alpha nerds are always getting into pissing contests about grammar and punctuation and such.
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
Guess who is sleeping on the couch tonight.
What makes you say that genetic differences exist between races? Although I'll agree that there are differences between sexes, there's little agreement on what even defines a race, ...
One of my favorite explanations of the bogosity of the concept of race is that here in the US, lists of races usually include "Hispanic". You don't need to know much (if anything) about genetics to understand that there can't be any genetic basis to any such "race".
The other main counterexample in the US is that most "African-American" folks have more European than African ancestry. This is in great part due to the widespread rape of slaves by their owners, though some of it was voluntary. But any valid classification of such people would be as hybrids, not as members of one race. And then you get into the fun of what's called "hybrid vigor", though that phrase isn't usually applied to humans for fairly obvious reasons.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The Hispanic thing irritates me - I design and analyze government surveys, and we have to ask first, if people are Hispanic/Latino, or not, and then we ask their race: White, Black, Asian, Pacific Islander, Native American, etc. I kind of feel we should let them say that they aren't white, they are Hispanic, if they want to. Even if it's wrong.
The people who are Hispanic always tick 'other' under race, because they don't consider themselves white. Then when we write the report we have to talk about White-Non-Hispanic and White-Hispanics.
My mother called us mongrels when we were young, and said that we therefore had hybrid vigor (she was Canadian, with some Asian-Indian ancestry, but mostly British/Irish; my father was British, with some French ancestry, but that didn't really make us especially mongrelish, I realize now). Except maybe in the small town where we lived (in England). There was once a rumor that there was a Chinese kid in our school, but I never saw them. That was the limit of our ethnic/racial diversity. Quite a change from where my kids now go to school, in Los Angeles.
Or there could be some degree of general bias that is statistically significant across the population.
Example, at the college I attended, the engineering school had a male:female ratio of something like 8:1, whereas the nursing school was closer to 1:5. I can say from watching the school very, very closely after hearing the whole "women are driven away from tech" speech that the female students we did get were far more likely to actually graduate, and seemed to be generally treated like one of the guys (unless someone was asking them out, or they were flirting themselves [I think jumping on someone's back and hanging from around their neck is pretty clearly flirting and not a misinterpreted signal, given that both parties were sober at the time]). Generally, the nursing students complained more of that kind of thing.
Nail on the head. Women in male-dominated fields are every bit as good as the guys (excepting affirmative action cases where requirements are made more lax for them, but that is a particular stab against affirmative action rather than women or any minority in any field). What you see as a trend is tendency to go into those fields in the first place.
It's not a matter of whether or not group A or B is better at field C, but rather whether more people of equal value come from group A or B into field C.
-Stereotype party! Apparently now, it's OK to fight stereotypes with stereotypes. Cool!
"because male techs tend to have limited interests and are difficult to work with when you're female"
In MY experience, women in IT WANT to be treated differently. They think ovaries make them special. I guess personal experience can vary, huh? Let's not even get into the abuses of playing the "sexual harassment" card...
"It's the atmosphere."
In MY experience, it really IS the atmosphere. If some of the women I've worked with weren't able to "play" in the gossipy, catty, back-biting, in-fighting environments they enjoy, then they don't want to play at all.
Goody! Goody! That was fun. Now let's do stereotypes about blacks and jews. You go first...