Full Disclosure and Why Vendors Hate It
An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."
This article "full disclosure and why vendors hate it" is spot on! I was going to post a bit about how full disclosure is good but just RTFM.
There've been so many examples listed on slashdot alone of vendors "working with" a company only to find they either 1) start claiming the problem is fixed when it's not; 2) after a week or two, just tell the vulnerability discoverer "What problem?" and hope they go away; 3) drag out fixing it for months or years; 4) the worst... threaten the discoverer to keep things under wraps. In an ideal world, working with the vendor is great, but companies just are not ideal.
Frankly, using Apple as an example is great. They really are one of the worst companies about vulnerabilities. Not in terms of having a lot, but in how they handle them. You have them keeping flaws in wireless drivers under wraps, even threatening the author into using third party wireless hardware to demonstrate the flaw (then getting fanbois to be "Oh, it wasn't even Apple's hardware!!" when it had the same driver flaws). They've fixed security vulnerabilities secretly (people look at an upgrade to some software, and find it fixes a bunch of security flaws without the "What's new" file saying this... fixing flaws is good, but people might not upgrade if they don't know it's important, too). They claim security flaws are not a big deal (Safari). And so on. They've been doing this for quite a long time.
Something the author doesn't mention either, but which is important... the people exploiting security holes are professionals. They are paid for exploits in cold hard cash, and quite a few are looking full time. The white hats have from time to time "discovered" new vulnerabilities by finding spyware, rootkits, etc., THAT HAVE BEEN IN THE WILD FOR MONTHS, using these "new" vulnerabilities. This argues strongly that getting the vendor in a panic and fixing holes fast outweighs any benefit of keeping the hole under wraps so it's maybe not exploited so much.