Slashdot Mirror


Full Disclosure and Why Vendors Hate It

An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."

6 of 91 comments

  1. That's why we have embargo dates by unixan · · Score: 4, Informative

    I work for a vendor and so I get to see the view from the inside out on this.

    Most times, when a vulnerability is discovered by a professional security group or an upstream vendor, they both tell us what it is, and propose an "embargo" date for when they plan to make it public.

    This gives vendors time to react properly but still serves the public with disclosure.

    --
    This signature intentionally left unblank.
  2. Re:From the article: by FishWithAHammer · · Score: 3, Informative

    Mods: you done got trolled, idiots. That line does not exist in the article.

    Tip: If the fucktarded anonymous coward CAN'T SPELL, that's generally a good indication.

    --
    "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
  3. Re:Incredibly Inflated Sense of Self Worth by JustNilt · · Score: 3, Informative

    The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS.

    This is somewhat true. The average consumer simply isn't aware of the security issues with most things they use. It doesn't matter whether it's their phone, their computer or their front door locks. This is actually kind of the guy's point. Companies are able to keep people in the dark at will, generally.

    I've never seen someone anywhere complain that it's insecure and vulnerable to hackers.

    That's funny. Here's a link to a Forbes article from last summer regarding a lack of security.
    http://tinyurl.com/2huxru

    Here's another link regarding an actual exploit vector, reported by the New York Times: http://tinyurl.com/2uk6vy
    Here's the link to the discussion of this exploit by the very guys who discovered it:
    http://securityevaluators.com/iphone/ (A short URL ... woot!)

    This is with a very cursory search via Google. I've certainly read of these, and other, exploits and issues on the iPhone since its release. What's interesting is most people that actually own an iPhone don't seem to give a rat's ass about security on it.

    --
    You know the thing about UDP jokes? I don't care if you get it or not.
  4. Full Disclosure - but responsibly by Animaether · · Score: 3, Informative

    Full Disclosure is great - but inform the vendor first.. if they don't take any action in, say, 3 days (I've used that number before - I'm sticking with it) to alleviate it, then hit the internets with it.

    But too often these types are calling for Full Disclosure - immediately! Don't even bother to inform the vendor! RAR! Cry havoc, and let loose the scriptkiddies!

    "The bad guy is already going to test and exploit these vulnerabilities long before the public even discovers them - the good guys ought to have a crack at verifying it too."
    That is an assumption. The assumption that bad guys know about the vulnerability -before- the 'public discoverer' went with full disclosure. Plus the assumption that the bad guys' work would be as bad, or worse than, what script kiddies would do in the time between your discovery and your disclosure. I don't think those are assumptions that can be made, based on - admittedly anecdotal - evidence (crashing mIRC 6.something users' IRC application on large IRC networks using a malformed DCC command only became a problem once it was disclosed and everybody and their dog started doing it, while the developer was already in the process of fixing.)

    There's a middle ground - I put it at 3 days. Where do you put it, Jonathan Zdziarski? Your article seems to indicate "0 day", but I can't imagine you being that irresponsible.

  5. Re:Spot on! by Anonymous Coward · · Score: 1, Informative

    WTF. How is this (+1, Interesting)? It's a blatant lie. The example cited is this incident. Read the refutation by Daring Fireball. It's been proven that Apple did not pressure researchers into using third-party hardware, but rather, those "researchers" used third-party hardware in a MacBook in order to make inaccurate, sensational claims. There was a bug, but the bug was in the third-party driver. Even SecureWorks admitted in the end that the attack exploited the third-party driver.

    In response to SecureWorks's admission that their demonstration did not exploit the built-in driver, Apple on Friday released a statement regarding the supposed vulnerability. If Daring Football is not credible enough, do a Google on the subject to get the whole story. To this day, George Ou, Brian Kerb and David Maynor haven't been able to prove their accusation, but they've backtracked and obscured many points in order to save their reputation.

    Apple may not be 100% innocent when it comes to security. No company is. Moreover, Apple from time to time exhibits stubbornness on an issue. However, basing the whole accusation on an already refuted incident is asinine and doesn't deserve to be modded "Interesting". "Flamebait" is more likely.
  6. Re:From the article: by jc42 · · Score: 2, Informative

    What makes you say that genetic differences exist between races? Although I'll agree that there are differences between sexes, there's little agreement on what even defines a race, ...

    One of my favorite explanations of the bogosity of the concept of race is that here in the US, lists of races usually include "Hispanic". You don't need to know much (if anything) about genetics to understand that there can't be any genetic basis to any such "race".

    The other main counterexample in the US is that most "African-American" folks have more European than African ancestry. This is in great part due to the widespread rape of slaves by their owners, though some of it was voluntary. But any valid classification of such people would be as hybrids, not as members of one race. And then you get into the fun of what's called "hybrid vigor", though that phrase isn't usually applied to humans for fairly obvious reasons.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.