Slashdot Mirror


Full Disclosure and Why Vendors Hate It

An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."

3 of 91 comments

  1. Re:Well of course by Adambomb · Score: 3, Interesting

    (I expect money comes into this equation somewhere.) Development costs for the fixes and, effectively, retooling costs for the production line. I would expect that making a new master and swapping it in for pressing wouldn't be the big portion of the cost, but it's there.

    Of course companies hate the concept of full disclosure. That would not allow them to make patch timetables based on business needs as opposed to customer needs. But then, I'll never understand why consumers accept the concept that businesses need to keep such secrecy in the name of security through obfuscation, and then smile and nod when things fall apart, saying "yep, that's dealing with computers for you".

    Why in the hell has this become one of the few fields where it's considered normal to have a broken product? Granted, it's nigh impossible to have a 100% bug-free product, but the standards seem to keep falling and falling.
    --
    Ice Cream has no bones.
  2. Re:Well of course by davester666 · Score: 3, Interesting

    It's not just about security. It's also about features. Things like the broadcast flag. Like the analog bit that accidentally got set by NBC that Microsoft implemented support for to disable recording some shows. Hell, both MS and NBC said it was a mistake that the flag was turned on. But even though there is no legal basis for even noticing that flag, Microsoft did NOT say "we'll update our software to ignore that flag".

    You don't know what agreements have been made between Microsoft, Tivo, other DVR manufacturers, the cable companies and big media such as Universal and the other movie makers. But 5 years from now, when they happen to decide to use these secret broadcast flags, the consumer can't buy a DVR that doesn't implement these flags. There's no legal basis for, say, not permitting the end-user to record a movie, except that you can't buy a device that will do it.

    And who do consumers complain to? Microsoft? Based on what Bill Gates said about music DRM, they'll just say "We just wanted to enable our software to play movies, and we just let the content provider decide what permissions/features they will license to the consumer." Same with the Cable companies. Movie companies would just say that's how Movie X was licensed from the production company [and don't mention that they own the production company].

    Do you think the new CableCard 'standard' is any different? The FCC keeps harping that things like this should be worked out in the private sector. Except, when working things out, one particular group tends to be completely left out of the discussion, namely the consumer.

    --
    Sleep your way to a whiter smile...date a dentist!
  3. Re:That's why we have embargo dates by Zoop · Score: 4, Interesting

    As someone who manages an open source product, I get notified (despite ample ways for the "researchers" to contact me) because I have Google alerts for our product's name. I have never, not once, been contacted by the discoverer of a vulnerability or the security groups who publicize exploits.

    This has left me with a very dim view of the security community, and I sincerely doubt the earnestness of the discoverers. They act more like script kiddies out to tag something with their graffiti rather than someone concerned about the consumer.

    Maybe for Apple there are more concerned people out there, but I don't have Apple's resources and would appreciate a couple of weeks to get a fix in and tested before you expose my users to more black hats (as opposed to the black hats who knew about it before).

    I WANT TO KNOW. I WANT TO FIX IT. But the experience I've had so far is that I care more about my users than the security companies and script kiddies masquerading as "researchers" do.