Slashdot Mirror


Full Disclosure and Why Vendors Hate It

An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."


  1. Well of course by eneville · Score: 4, Insightful

    It's pretty obvious since vendors have to do more work and package another release to fix bugs. It's easier to keep this information secret and just bundle all the bug fixes into a bulk package when it suits the vendor (I expect money comes into this equation somewhere).

    1. Re:Well of course by manwal · Score: 5, Insightful

      It's only about money. With few or no public security flaws/fixes, your company, product and brand look safe. With many, they look dangerous. It doesn't matter that security often works the other way around.

  2. Incredibly Inflated Sense of Self Worth by NDPTAL85 · Score: 4, Insightful

    This guy really thinks highly of himself. He claims the iPhone's "secrecy" or Apple's inattention to the "privacy flaws" have hurt the product.

    Ridiculous.

    The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS.

    I've never seen someone anywhere complain that its insecure and vulnerable to hackers.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
    1. Re:Incredibly Inflated Sense of Self Worth by RAMMS+EIN · Score: 5, Insightful

      ``Which proves this article's premise completely wrong. The only people who ARE interested are the malicious folks, which will be almost your entire "full disclosure" audience. Full disclosure is a great way to give the malicious folks a head start, and won't do one tiny little thing towards linking a product's popularity to its security.''

      I am offended by your comment. I am in favor of full disclosure, and I am not a black hat. I know there are many people like me.

      Also, your analysis is wrong on both counts. Full disclosure doesn't give anyone a head start. On the contrary, it informs everybody of the flaw at the same time. That does indeed include the black hats, but also the vendor and the users. This allows the black hats to develop exploits, but it also allows the vendor to work on a fix, and the users to implement temporary stopgaps. The alternative is, pretty much, not informing the users of the flaw - thereby leaving them unaware that a vulnerability has been discovered. As for the black hats: they work hard to find security flaws and avoid full disclosure - after all, as long as only they know the flaw exists, they can exploit it for fun and profit.

      With regard to linking a product's popularity to its security: I know of two things that will do that. The first is users feeling victimized by the bad security of the product they have. The other is making actual and potential users aware of the security risks of a product. Full disclosure brings the insecurity of a product out in the open, which is a step towards the latter and can also help with the former. Of course, the effect is going to be rather limited as long as users don't care very much, but I can tell you that the effect is there.

      --
      Please correct me if I got my facts wrong.
    2. Re:Incredibly Inflated Sense of Self Worth by Kjella · Score: 2, Insightful

      ``This allows the black hats to develop exploits, but it also allows the vendor to work on a fix, and the users to implement temporary stopgaps. The alternative is, pretty much, not informing the users of the flaw - thereby leaving them unaware that a vulnerability has been discovered. As for the black hats: they work hard to find security flaws and avoid full disclosure - after all, as long as only they know the flaw exists, they can exploit it for fun and profit.''

      To take the last sentence first, I don't see your point, as obviously black hats would not disclose anything to anybody; the question would be if black hats prefer white hats to do vendor disclosure or full disclosure, then do the opposite. The question is, how often can users do any meaningful stopgaps? Let's say for example there's a spoofing bug in Firefox (or IE) and a parsing bug in OpenOffice (or MS Office), and there's no meaningful fix except "don't use the product". Well, people aren't going to stop surfing the web or sending documents just because there's a bug out there somewhere that might in theory be exploited if they visit a malicious site/open a malicious document, so what does informing the users really do except give black hats a weakness they might not know about?

      I'm in favor of full disclosure after the fact or after a deadline. If the deadline passes, either it's not serious or the vendor isn't taking it seriously; in either case a full disclosure is good. The chance that a) the black hats already know about it and b) there is a temporary stopgap and c) the majority of users would perform the stopgap is a very unlikely scenario, and the only one in which I see an immediate and full disclosure doing any good; plus it would give black hats an early warning that their exploit is about to expire and that they should strike now against unpatched hosts while it still works. Remember, they are conservative in using them too, because doing so risks exposing them so they get fixed. If one could surprise the black hats with "security fix out, patch NOW" it might actually reduce the damage the black hats are able to do.

      What I don't approve of, though, is trying to push a security update as a non-security update. It confuses everyone downstream and doesn't lead to the immediate user adoption it should. The distro security teams need to know, though I don't think they need to know everything early. Notify them that there is a critical security bug and that they can expect a patch from upstream shortly, but not the actual details, so they know it's coming, and then disclose all the details when the patch is released. If you want to keep it undisclosed, keep the people in the know to a minimum so it's not infiltrated by black hats. This is how the process should work, IMO. The trouble is vendors that don't disclose what they're fixing at all, not even after it's fixed.
      --
      Live today, because you never know what tomorrow brings
    3. Re:Incredibly Inflated Sense of Self Worth by Graymalkin · Score: 2, Insightful

      A black hat hacker doesn't need to do any QA testing of their exploit. If it doesn't work 50% of the time it is still considered a successful exploit. If a vendor's patch breaks something on customer machines even 10% of the time they'll get as much if not more flak than if they had waited to patch an exploit. This is worse if their fix is only half-assed in order to get it out in the wild, and it only works against one particular exploit and doesn't fix that class of exploit. Embargo dates on exploits found by security researchers give a vendor time to develop a fix and run it through their QA process. They can't simply release a patch and hope for the best like the black hats can. Thus disclosing vulnerabilities to everyone always puts the vendor and the customer at a disadvantage.

      --
      I'm a loner Dottie, a Rebel.
  3. Re:From the article: by Anonymous Coward · Score: 0, Insightful

    welcome to the internet

  4. Re:From the article: by Anonymous Coward · Score: 4, Insightful

    Women's disinterest in IT is as plain and simple as your disinterest in knitting, facials, basket weaving, romance novels and shopping. Genetic differences exist between races and sexes. Stop attempting to impose equality across things which obviously aren't equal. If 2000 years of history are not enough to prove that women simply have very little interest in technical fields and IT, then you are a blind fool. Mind you, this is not to say that women are less competent than men in general, but rather that their competencies have been honed on different subject matters.

  5. everyone hates full disclosure by fermion · Score: 4, Insightful

    Cryptogram has a discussion of this issue in relation to the oft-used argument that only people who are committing crimes should be afraid of full disclosure. The issue in the note, IIRC, related to data mining and video surveillance. The counterexample to the statement was the police's apparent unwillingness to give tapes of traffic stops, for example, to the private parties involved. It seems that the tapes are there to protect the cops, which is good, but no one is willing to protect the citizen. We see this even in the taping of the very occasional police overreaction.

    Almost no one is comfortable with full disclosure, and the ultimate arrogance and hypocrisy is demanding it of others while fabricating excuses why you yourself cannot comply. We see this in the current US presidential campaign, where it is typical to release tax returns, but some people feel too far above everyone else to do so. This includes other cases where persons who, like the police, are paid by the American taxpayer refuse to fully account for their work hours to the American taxpayer. The examples, private and public, are endless.

    So why would geeks, even those that never put on a tinfoil hat, demand full disclosure, especially in a marketplace where we have the option to simply not spend the money? In this case, if there are significant security issues with the iPhone, don't buy one. It sounds trite, and everyone always complains about the philosophy, but it works. MS is a target for viruses, even if it is not inherently less secure, so I don't use it on a regular basis. SUVs are less secure as they are not inherently stuck to the ground through the tire patches, and require computer intervention to keep them from tipping over, so I don't buy them. I don't shop at stores with affinity cards. If an iPhone is an attack against security, buy something else.

    Back to the issue of security, there is one serious misconception that I believe many people make. Just because one does not publish one's security details on the internet does not mean that one is practicing security by obscurity. Just because I do not publish my path to work on the net, and my schedule, and the times and places that my stuff is most vulnerable to theft, does not mean I practice security by obscurity or have an ideological hatred of full disclosure. And giving a vendor time to fix an issue, even if everyone except the average consumer knows about it, is not unreasonable. If the vendor does nothing about it in a fairly short time frame, then the equation shifts.

    Which is why the most secure system may be open source. If something is discovered, then a slightly above average user may be able to fix it, and no one has to wait on the vendor. But open source solutions do not seem to have traction in the marketplace, so we are where we are.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:everyone hates full disclosure by risinganger · Score: 2, Insightful

      ``So why would geeks, even those that never put on a tinfoil hat, demand full disclosure, especially in a market place where we have the option to simply not spend the money. In this case, if there are significant security issues with the iphone, don't buy one.''

      Without disclosure how will you know if there are significant security issues? The author wants disclosure so consumers can say "hey, your product is insecure, I'm taking my money elsewhere".

      ``And giving a vendor time to fix an issue, even if everyone except the average consumer knows about it, is not unreasonable. If the vendor does nothing about it in a fairly short time frame, then the equation shifts.''

      Why shouldn't the consumer be allowed the choice of continuing to use (or not) an insecure product while waiting for a patch? Take the recent Flash vulnerability. I'd much rather know straight away, so as not to leave myself at risk while they work on a patch, than discover it after my machine has been compromised. Without disclosure how do we know this was a previously unknown vulnerability and not one they've been sitting on?
  6. Re:From the article: by Anonymous Coward · Score: 1, Insightful

    Someone please mod parent insightful.

    Now I don't disagree that the excerpt mentioned by the grandparent post sounds somewhat inappropriate, but if he deserves insightful points, more so does the parent - prejudice should never be fought with reverse prejudice.

  7. Re:From the article: by Anonymous Coward · Score: 0, Insightful
    Yes, but still. The AC is still insightful. Women in IT are being mistreated.
    Just because s/he's an idiot doesn't mean s/he doesn't have a point.

    Or perhaps I'm just trying to rationalize being a complete tool...

    .haeger

    And why can't I answer "Yes" to the question I got while trying to post this answer as myself.

  8. As a consumer, I want to know earlier by Anonymous Coward · Score: 1, Insightful

    Say a week elapses between the reporting of a vulnerability and the passing of the embargo. That's another week that software I use is vulnerable without my knowledge thereof. If I knew that there was a problem, I would be able to take appropriate precautions while waiting for a fix, but if I don't know what's going on I'm the proverbial sitting duck. As a consumer, I demand full disclosure, and not only that, I demand to get it as soon as possible.

  9. Flaw in capitalism, not industry by plasticsquirrel · Score: 2, Insightful

    The issue that he raises is a flaw in capitalism, not specific to this case. Capitalism assumes that consumers have accurate information about their purchases. Making this information readily available is not encouraging capitalism, but rather trying to deny that the flaw exists.

    If anything, this has the trappings of libertarian or democratic socialism. The idea of democracy taking a role in putting moral standards on powerful economic institutions is not traditionally capitalist.

    --
    Systemd: the PulseAudio of init systems
  10. Re:From the article: by Schadrach · Score: 2, Insightful

    Nail on the head. Women in male-dominated fields are every bit as good as the guys (excepting affirmative action cases where requirements are made more lax for them, but that is a particular stab against affirmative action rather than women or any minority in any field). What you see as a trend is the tendency to go into those fields in the first place.

    It's not a matter of whether or not group A or B is better at field C, but rather whether more people of equal value come from group A or B into field C.