Slashdot Mirror

← Back to Stories (view on slashdot.org)

Full Disclosure and Why Vendors Hate It

Posted by CowboyNeal on from the into-the-light dept.

An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."

91 comments

  1. Well of course by eneville · · Score: 4, Insightful

    It's pretty obvious since vendors have to do more work and package another release to fix bugs. It's easier to keep this information secret and just bundle all the bug fixes into a bulk package when it suits the vendor (I expect money comes into this equation somewhere).

    --
    Why UNIX?
    1. Re:Well of course by peragrin · · Score: 2, Funny

      That's only if they ever fix it to begin with. Some companies can't actually fix their software as it is broken to begin with and the security hole is what allows the software to run at all. years of software developers dealing with MSFT has set this mindset in place.

      Why fix the problem when you can gloss over it with a fresh coat of paint?

      note While MSFT is guilty of doing this, Third party developers are the real guilty party.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Well of course by manwal · · Score: 5, Insightful

      It's only about money. With few or no public security flaws/fixes, your company, product and brand look safe. With many, they look dangerous. It doesn't matter that security often works the other way around.

    3. Re:Well of course by Adambomb · · Score: 3, Interesting

      (I expect money comes into this equation somewhere) Development costs for the fixes and effectively retooling costs for the production line. I would expect that making a new master and swapping it up in pressing wouldn't be the big portion of the cost, but its there.

      Of course companies hate the concept of full disclosure. That would not allow them to make patch timetables based on business needs as opposed to customer needs. But then, I'll never understand why consumers accept the concept that businesses need to keep such secrecy in the name of security through obfuscation, and then smile and nod when things fall apart that "yep dealing with computers for you".

      Why in the hell has this become one of the few fields where its considered normal to have a broken product? Granted its nigh impossible to have a 100% bug-free product, but the standards seem to keep falling and falling.
      --
      Ice Cream has no bones.
    4. Re:Well of course by davester666 · · Score: 3, Interesting

      It's not just about security. It's also about features. Things like the broadcast flag. Like the analog bit that accidentally got set by NBC that Microsoft implemented support for to disable recording some shows. Hell, both MS and NBC said it was a mistake that the flag was turned on. But even though there is no legal basis for even noticing that flag, Microsoft did NOT say "we'll update our software to ignore that flag".

      You don't know what agreements have been made between Microsoft, Tivo, other DVR manufacturers, the Cable companies and big media such as Universal and the other movie makers. But 5 years from now, when they happen to decide to use these secret broadcast flags, the consumer can't buy a DVR that doesn't implement these flags. There's no legal basis for say, not permitting the end-user to record a movie, except you can't buy a device that will do it.

      And who do consumers complain to? Microsoft? Based on what Bill Gates said about music DRM, they'll just say "We just wanted to enable our software to play movies, and we just let the content provider decide what permissions/features they will license to the consumer." Same with the Cable companies. Movie companies would just say that's how Movie X was licensed from the production company [and don't mention that they own the production company].

      Do you think the new CableCard 'standard' is any different? The FCC keeps harping that things like this should be worked out in the private sector. Except, when working things out, one particular group tends to be completely left out of the discussion, namely the consumer.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. From the article: by Anonymous Coward · · Score: -1, Troll

    "Women, being techically less competant then men, usually are less concerned with this"

    As a man who considers himself a feminist, I find this offensive. Women in IT are always being mistreated, and we don't need that sort of thing here at slashdot.

    1. Re:From the article: by Anonymous Coward · · Score: 0, Insightful

      welcome to the internet

    2. Re:From the article: by Anonymous Coward · · Score: 4, Insightful

      Women's disinterest in IT is as plain and simple as your disinterest for knitting, facials, basket weaving, romance novels and shopping. Genetic differences exist between races and sexes. Stop attempting to impose equality across things which obviously aren't. If 2000 years of history are not enough to prove that women simply have very little interest in technical fields and IT, then you are blind fool. Mind you, this is not to say that women are less competent than men in general, but rather that their competencies have been honed on different subject matters.

    3. Re:From the article: by Anonymous Coward · · Score: -1, Troll

      Women *are* less competent.

    4. Re:From the article: by FishWithAHammer · · Score: 3, Informative

      Mods: you done got trolled, idiots. That line does not exist in the article.

      Tip: If the fucktarded anonymous coward CAN'T SPELL, that's generally a good indication.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    5. Re:From the article: by hyades1 · · Score: 1, Offtopic

      Admitting that it's a generalization, and there are many exceptions, he's right. Women in IT are every bit as good as the guys. But when you get into the world most of us inhabit, where all you know is what you've picked up on your own or from a couple of buddies in the field, men rule.

      I challenge anybody to find among their non-geek friends and relatives an equal number of women who are willing to swap a video card or install an extra drive, or do minor OS mods. Perfect example: A friend of mine's father (in his 80's) is quite able to make a computer do what he wants and if you drop off a DVD writer at his house, he'll have it properly installed in 10 minutes. His wife loves what you can do with a computer (chatting with relatives "back home", etc.), but was totally stuck when their machine hung on shutdown.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    6. Re:From the article: by Anonymous Coward · · Score: -1, Troll

      Tip: If the fucktarded anonymous coward CAN'T SPELL, that's generally a good indication.

      Are you seriously implying that the troll is really Rob Malda?
    7. Re:From the article: by Anonymous Coward · · Score: 1, Insightful

      Someone please mod parent insightful.

      Now I don't disagree that the excerpt mentioned by the grandparent post sounds somewhat inappropriate, but if he deserves insightful points, more so does the parent - prejudice should never be fought with reverse prejudice.

    8. Re:From the article: by FishWithAHammer · · Score: 3, Funny

      Is it Wednesday? I have it on good authority that Wednesday is Rob's turn to enact trollan gaemz.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    9. Re:From the article: by Koiu+Lpoi · · Score: 5, Funny

      I totally agree. Since EEE PCs and iPhones are now small enough to fit in the kitchen, we may be seeing a change in this trend.

    10. Re:From the article: by Anonymous Coward · · Score: 0, Insightful
      Yes, but still. The AC is still insightful. Women in IT are being mistreated.
      Just because s/he's an idiot doesn't mean s/he doesn't have a point.

      Or perhaps I'm just trying to rationalize being a complete tool...

      .haeger

      And why can't I answer "Yes" to the question I got while trying to post this answer as myself.

    11. Re:From the article: by Koiu+Lpoi · · Score: 1
      From the parent (emphasis mine):

      ...If 2000 years of history are not enough to prove that women simply have very little interest in... IT
      From Wikipedia (emphasis again, mine):

      Information Technology (IT), as defined by the Information Technology Association of America (ITAA), is "the study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware."
      I, for some reason, don't think that IT and computers have been around for 2000 years. Also nevermind the fact that it's only in the last few hundred years that we even have women holding jobs regularly. Or that the modern definition of "job" even existed for most of the human population. I can't help but think you're a "concern troll", and that you and the GP are one and the same.
    12. Re:From the article: by uniquegeek · · Score: 1

      Wow, and all this time I thought it was because male techs tend to have limited interests and are difficult to work with when you're female. In my experience, the techies are either a) very unfriendly, or b) much too friendly. It's really not the subject matter that turns women off. It's the atmosphere. It's also repeatedly hearing what roles people expect them to go into. For example... do you think comments like yours are going to inspire any woman to go into IT? Good job. //female computer scientist

    13. Re:From the article: by jriding · · Score: 1

      This is not in the article This is flame bait.

      --
      love the taste, hate the texture
    14. Re:From the article: by Anonymous Coward · · Score: 0

      male techs tend to have limited interests and are difficult to work with

      the techies are either a) very unfriendly, or b) much too friendly

      If that's what you think about them, then it's no wonder they don't treat you that well. I sure wouldn't want to work with someone who is constantly trying to determine whether I am a small minded asshole or a pervert.

      repeatedly hearing what roles people expect them to go into

      Yeah, people don't tend to like that kind of thing.

    15. Re:From the article: by Anonymous Coward · · Score: 0

      Tip: If the fucktarded anonymous coward CAN'T SPELL, that's generally a good indication. So you're saying 99% of /. posts are trolls?

      spelling seems to be an afterthought here...

    16. Re:From the article: by FishWithAHammer · · Score: 1

      Yes, I am.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    17. Re:From the article: by masterzora · · Score: 1

      While I agree with you about everything after and including the words "Also nevermind" and before and not including the words "I can't help...", you fail at reading comprehension. Your selective quoting so cunningly removed the very important words "technical fields", which have been around for at least 2000 years, and of which IT is a subset.

      --
      Remember, open source is free as in speech, not free as in bear.
    18. Re:From the article: by Koiu+Lpoi · · Score: 1
      I don't fail at reading comprehension at all, buddy. He said

      If 2000 years of history are not enough to prove that women simply have very little interest in technical fields and IT...
      Please note the word "And" in between "technical fields" and "IT". You'll note, if you understand the meaning of the word "and", that it groups the two things together, and thus implies that IT has been around for 2000 years. The way the word "and" works, you should be able to remove either part it refers to and have the sentence still make sense. I would hope they had taught you this in grade school, but the education system of the USA being what it is...

      I understand completely what he meant to say, but that's not what he said.
    19. Re:From the article: by masterzora · · Score: 1

      It in no way implies that IT has been around for 2000 years. You are correct in that, grammatically speaking, removing "and" and one of the joined clauses should be correct. I repeat, grammatically speaking. It doesn't have to retain its meaning or truth value, however. The sentence "The human race is composed entirely of men and women" is true (okay, there are a few percent, but ignore that for sake of a simple example). However, neither "The human race is composed entirely of men" nor "The human race is composed entirely of women" is true.

      The sentence's meaning can change when you remove "and" and one of the joined clauses. This happened in the post you were criticizing. By having "technical fields and IT" instead of just "IT", it's saying that technical fields in general have been around for at least 2000 years and that women's disinterest in that implies disinterest in IT, a subset of technical fields.

      --
      Remember, open source is free as in speech, not free as in bear.
    20. Re:From the article: by jeremymiles · · Score: 1

      What makes you say that genetic differences exist between races? Although I'll agree that there are differences between sexes, there's little agreement on what even defines a race, never mind whether there's a difference. There is massively more genetic variation in people whose ancestry is African than the differences between all the other 'races' combined.

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    21. Re:From the article: by Koiu+Lpoi · · Score: 1

      In that case, "men and women" is a single article. If we use that interpretation, it still makes no sense, as "IT" and "technical fields" are one article, and them, together, have not been around for 2000 years.

    22. Re:From the article: by slashdotwannabe · · Score: 1

      This is why women stay away from IT... because the alpha nerds are always getting into pissing contents about grammar and punctuation and such.

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
    23. Re:From the article: by jc42 · · Score: 2, Informative

      What makes you say that genetic differences exist between races? Although I'll agree that there are differences between sexes, there's little agreement on what even defines a race, ...

      One of my favorite explanations of the bogosity of the concept of race is that here in the US, lists of races usually include "Hispanic". You don't need to know much (if anything) about genetics to understand that there can't be any genetic basis to any such "race".

      The other main counterexample in the US is that most "African-American" folks have more European than African ancestry. This is in great part due to the widespread rape of slaves by their owners, though some of it was voluntary. But any valid classification of such people would be as hybrids, not as members of one race. And then you get into the fun of what's called "hybrid vigor", though that phrase isn't usually applied to humans for fairly obvious reasons.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    24. Re:From the article: by jeremymiles · · Score: 1

      The Hispanic thing irritates me - I design and analyze goverment surveys, and we have to ask first, if people are Hispanic/Latino, or not, and then we ask their race: White, Black, Asian, Pacific Islander, Native American, etc. I kind of feel we should let them say that they aren't white, they are Hispanic, if they want to. Even if it's wrong.
      The people who are Hispanic always tick 'other' under race, because they don't consider themselves white. Then when we write the report we have to talk about White-Non-Hispanic and White-Hispanics.
      My mother called us mongrels when we were young, and said that we therefore had hybrid vigor (she was Canadian, with some Asian-Indian ancestry, but mostly British/Irish, my father was British, with some French ancestry, but that didn't really make us especially mongrelish, I realize now. Except maybe in the small town where we lived (in England). There was once a rumor that there was a Chinese kid in our school, but I never saw them. That was the limit of our ethnic/racial diversity. Quite a change from where my kids now go to school, in Los Angeles.

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    25. Re:From the article: by Schadrach · · Score: 1

      Or there could be some degree of general bias that is statristically significant across the population.

      Example, at the college I attended, the engineering school had a male:female ratio of something like 8:1, whereas the nursing school was closer to 1:5. I can say from watching the school very, very closely after hearing the whole "women are driven away from tech" speech that the female students we did get were far more likely to actually graduate, and seemed to be generally treated like one of the guys (unless someone was asking them out, or they were flirting themselves [I think jumping on someone's back and hanging from around their neck is pretty clearly flirting and not a misinterpreted signal, given that both parties were sober at the time]). Generally, the nursing students complained more of that kind of thing.

    26. Re:From the article: by Schadrach · · Score: 2, Insightful

      Nail on the head. Women in male-dominated fields are every bit as good as the guys (excepting affirmative action cases where requirements are made more lax for them, but that is a particular stab against affirmative action rather than women or any minority in any field). What you see as a trend is tendency to go into those fields in the first place.

      It's not a matter of whether or not group A or B is better at field C, but rather whether more people of equal value come from group A or B into field C.

  3. Incredibly Inflated Sense of Self Worth by NDPTAL85 · · Score: 4, Insightful

    This guy really thinks highly of himself. He claims the iPhone's "secrecy" or Apple's inattention to the "privacy flaws" have hurt the product.

    Ridiculous.

    The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS.

    I've never seen someone anywhere complain that its insecure and vulnerable to hackers.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
    1. Re:Incredibly Inflated Sense of Self Worth by Anonymous Coward · · Score: -1, Troll

      Lol. Yeah, what an ego that man must have. Why it's as bad as posting your opinions on a web forum and expecting the internet to care.

    2. Re:Incredibly Inflated Sense of Self Worth by JustNilt · · Score: 3, Informative

      The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS.

      This is somewhat true. The average consumer simply isn't aware of the security issues with most things they use. It doesn't matter whether it's their phone, their computer or their front door locks. This is actually kind of the guy's point. Companies are able to keep people in the dark at will, generally.

      I've never seen someone anywhere complain that its insecure and vulnerable to hackers.

      That's funny. Here's a link to a Forbes article from last summer regarding a lack of security.
      http://tinyurl.com/2huxru

      Here's another link regarding an actual exploit vector, reported by the New York Times: http://tinyurl.com/2uk6vy
      Here's the link to the discussion of this exploit by the very guys who discovered it:
      http://securityevaluators.com/iphone/ (A short URL ... woot!)

      This is with a very cursory search via Google. I've certainly read of these, and other, exploits and issues on the iPhone since its release. What's interesting is most people that actually own an iPhone don't seem to give a rat's ass about security on it.

      --
      You know the thing about UDP jokes? I don't care if you get it or not.
    3. Re:Incredibly Inflated Sense of Self Worth by samkass · · Score: 1

      What's interesting is most people that actually own an iPhone don't seem to give a rat's ass about security on it.

      Exactly. Which proves this article's premise completely wrong. The only people who ARE interested are the malicious folks, which will be almost your entire "full disclosure" audience. Full disclosure is a great way to give the malicious folks a head start, and won't do one tiny little thing towards linking a product's popularity to its security.

      --
      E pluribus unum
    4. Re:Incredibly Inflated Sense of Self Worth by thegnu · · Score: 1

      This guy really thinks highly of himself. He claims the iPhone's "secrecy" or Apple's inattention to the "privacy flaws" have hurt the product.

      Ridiculous.

      The biggest complaints about the iPhone are the lack of 3G, lack of GPS and no current support for cut and paste or MMS. So you're saying that since the biggest problems aren't the closed platform and security issues, that they haven't hurt the product. Good use of the argument "A is true, therefore R"

      And anyway, about cut and paste, if the platform weren't locked down (going off-topic a bit), there would've been a third party cut and paste app within a couple weeks of release for $10. Within a couple months, there would've been 20 free options.

      Not the biggest problem with the iPhone, but do we need to approach problems in sequential order?

      --
      Mac OS X and Windows XP working side by side to fight back the night. Ironically, I use Mac OS X, Linux, and the Night to fight back Windows XP.
      --
      Please stop stalking me, bro.
    5. Re:Incredibly Inflated Sense of Self Worth by NDPTAL85 · · Score: 1

      His point is wrong though. Its usually not the companies that keep people in the dark but the peoples own lack of care.

      I'm not saying iPhone exploits don't exist I'm just saying they're not a big deal. For an exploit finder every exploit is a big deal. The thing is most people don't spend their days trying to crack their phones. And every device has exploits. Blackberries, Windows Mobile, Symbian, Palm OS, Linux based phones....etc. No device is immune.

      Ease of use trumps security. Windows XP should prove this point. Despite all the exploits that existed for XP, large numbers of people didn't start switching to Macs until Microsoft released Vista which is more secure than XP but less easy to use.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    6. Re:Incredibly Inflated Sense of Self Worth by RAMMS+EIN · · Score: 5, Insightful

      ``Which proves this article's premise completely wrong. The only people who ARE interested are the malicious folks, which will be almost your entire "full disclosure" audience. Full disclosure is a great way to give the malicious folks a head start, and won't do one tiny little thing towards linking a product's popularity to its security.''

      I am offended by your comment. I am in favor of full disclosure, and I am not a black hat. I know there are many people like me.

      Also, your analysis is wrong on both counts. Full disclosure doesn't give anyone a head start. On the contrary, it informs everybody of the flaw at the same time. That does indeed include the black hats, but also the vendor and the users. This allows the black hats to develop exploits, but it also allows the vendor to work on a fix, and the users to implement temporary stopgaps. The alternative is, pretty much, not informing the users of the flaw - thereby leaving them unaware that a vulnerability has been discovered. As for the black hats: they work hard to find security flaws and avoid full disclosure - after all, as long as only they know the flaw exists, they can exploit it for fun and profit.

      With regard to linking a product's popularity to its security: I know of two things that will do that. The first is users feeling victimized by the bad security of the product they have. The other is making actual and potential users aware of the security risks of a product. Full discloruse brings the insecurity of a product out in the open, which is a step towards the latter and can also help with the former. Of course, the effect is going to be rather limited as long as users don't care very much, but I can tell you that the effect is there.

      --
      Please correct me if I got my facts wrong.
    7. Re:Incredibly Inflated Sense of Self Worth by Capitalist+Piggy · · Score: 1

      This guy really thinks highly of himself. He claims the iPhone's "secrecy" or Apple's inattention to the "privacy flaws" have hurt the product. I am with you on your opinions, my friend. According to this fellow's logic, T-mobile and RIM would have been gone long ago. So would Microsoft.

      If I took investment advice from hackers, I would be one broke Piggy.
    8. Re:Incredibly Inflated Sense of Self Worth by ibbie · · Score: 1

      On the contrary, it informs everybody of the flaw at the same time. That does indeed include the black hats, but also the vendor and the users. I have to agree, for the same reason I'd rather know if a product I buy might set my house on fire. Or, perhaps a better analogy, if the product might allow someone else to set my house on fire.

      Knowing a product has a security flaw might prevent me from purchasing it, yes, but only if there isn't a reliable way to prevent the flaw from being exploited until the vendor can release a patch.
      --
      The wise follow a damned path, for to know is to be forsaken.
    9. Re:Incredibly Inflated Sense of Self Worth by Kjella · · Score: 2, Insightful

      This allows the black hats to develop exploits, but it also allows the vendor to work on a fix, and the users to implement temporary stopgaps. The alternative is, pretty much, not informing the users of the flaw - thereby leaving them unaware that a vulnerability has been discovered. As for the black hats: they work hard to find security flaws and avoid full disclosure - after all, as long as only they know the flaw exists, they can exploit it for fun and profit. To take the last sentence first, I don't see your point as obiviously black hats would not disclose anything to anybody, the question would be if black hats prefer white hats to do vendor disclosure or full disclosure then do the opposite. The question is, how often can users do any meaningful stopgaps? Let's say for example there's a spoofing bug in Firefox (or IE) and a parsing bug in OpenOffice (or MS Office), and there's no meaningful fix except "don't use the product". Well, people aren't going to stop surfing the web or sending documents just because there's a bug out there somewhere, that might in theory be exploited if they visit a malicious site/open a malicious document so what does informing the users really do except to give black hats a weakness they might not know about?

      I'm in favor of full disclosure after the fact or after a deadline. If the deadline passes either it's not serious or the vendor isn't taking it serious, in either case a full disclosure is good. The chance that a) the black hats already know about it and b) that there is a temporary stopgap and c) the majority of users would perform the stopgap is a very unlikely scenario and the only one I see an immidiate and full disclosure doing any good, plus it would give black hats an early warning that their exploit is about to expire and that they should strike now against unpatched hosts while it still works. Remember, they are conservative in using them too because doing so risks exposing them so they get fixed. If one could surprise the black hats with 2security fix out, patch NOW" it might actually reduce the damage the black hats are able to do.

      What I don't approve of though, is trying to push a security update as a non-security update. It confuses everyone downstream and doesn't lead to the immidiate user adoption it should. The distro security teams need to know, though I don't think they need to know everything early. Notifying them that there is a critical security bug and that they can expect a patch from upstream shortly but not the actual details so they know it's coming and then disclose all the details when the patch is released. If you want to keep it undisclosed, keep the people in the know to a minimum so it's not infiltrated by black hats. This is the process how it should work IMO. The trouble is vendors that don't disclose what they're fixing at all, not even after it's fixed.
      --
      Live today, because you never know what tomorrow brings
    10. Re:Incredibly Inflated Sense of Self Worth by Anonymous Coward · · Score: 0

      Full disclosure places the user at greater risk of being attacked because of one simple fact:

      The black hats and script kiddies can always move faster than the vendors.

      There are always vulnerabilities, there always will be vulnerabilities - the disruption caused by script kiddies is far greater than a handful of black hats.

      So the only practical solution is to bundle up the fixes, push them out on a regular schedule, so that the IT folks can deal with them in a timely fashion and not be distracted from their real jobs of servicing the needs of their customers every time some two bit black hat trying to make a name for himself fully discloses the next problem.

      The root problem is that you assume that the true black hats with their secret exploits are a bigger problem than the disruption caused by a widely known exploit. The evidence to date shows this to be false.

    11. Re:Incredibly Inflated Sense of Self Worth by Anonymous Coward · · Score: 0

      The black hats and script kiddies can always move faster than the vendors.


      By disclosing, you give the possibility to vulnerable endusers to move just as fast as the bad guys by taking precautionary countermeasures.

      The majority of victims who suffer from malware exploiting known vulns are people who never patch, or only very irregularly. Disclosing or not a vuln before a patch is available would not degrade their overall security. Also, by definition black hats are much more technically savvy than endusers. Therefore they are most likely already discovering/exploiting zero-days by themselves with inpunity -- this is what full-disclosure attempts to prevent. 80+% of vulns that Microsoft fixes every patch Tuesday are not discovered by MS, but by external security researchers. Does that give you an idea how technically skilled they (white and black hats) are ?

    12. Re:Incredibly Inflated Sense of Self Worth by Graymalkin · · Score: 2, Insightful

      A black hat hacker doesn't need to do any QA testing of their exploit. If it doesn't work 50% of the time it is still considered a successful exploit. If a vendor's patch breaks something on customer machines even 10% of the time they'll get as much if not more flack than if they had waited to patch an exploit. This is worse if their fix is only half-ass in order to get it out in the wild and it only works against one particular exploit and doesn't fix that class of exploit. Embargo dates on exploits found by security researchers gives a vendor time to develop a fix and run it through their QA process. They can't simply release a patch and hope for the best like the black hats can. Thus disclosing vulnerabilities to everyone always puts the vendor and the customer at a disadvantage.

      --
      I'm a loner Dottie, a Rebel.
    13. Re:Incredibly Inflated Sense of Self Worth by TheRaven64 · · Score: 1

      I very much doubt anyone on Slashdot is stupid enough to click on tinyurl links. Perhaps you should consider learning how to make links.

      --
      I am TheRaven on Soylent News
    14. Re:Incredibly Inflated Sense of Self Worth by quanticle · · Score: 1

      The black hats and script kiddies can always move faster than the vendors.

      Nonsense. For closed source products, there's no reason that the manufacturer shouldn't be able to move faster than the black-hat. After all, doesn't the manufacturer have access to the source code, while the black hat has to work at reverse engineering?

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    15. Re:Incredibly Inflated Sense of Self Worth by samkass · · Score: 1

      I am offended by your comment. I am in favor of full disclosure, and I am not a black hat. I know there are many people like me.

      You need to grow a thicker skin. I'm sorry you're offended but any reasonable person should realize my comment was not a personal attack, but an observation about the tendencies of the market. Unless you consider yourself as an individual an entire "market segment", my point that full disclosure will do nothing to tie product popularity to security stands. As does the assertion that "full disclosure" puts black hats in a much better position than they'd otherwise be in, giving them a head start compared to where they'd be with a "responsible disclosure" policy.

      --
      E pluribus unum
    16. Re:Incredibly Inflated Sense of Self Worth by Anonymous Coward · · Score: 0

      To take the last sentence first, I don't see your point as obiviously black hats would not disclose anything to anybody, the question would be if black hats prefer white hats to do vendor disclosure or full disclosure then do the opposite. At the level of a single vulnerability, a black hat who already knows about that particular vulnerability would prefer vendor disclosure (to keep his own advantage as long as possible), while a black hat who doesn't already know about that particular vulnerability would prefer full disclosure (so that he can start exploiting it).
  4. Not that simple by Anonymous Coward · · Score: 0

    Vendor first disclosure at least makes it LESS probable that the bad guys exploit it before a fix is available. So-called security experts disagree with this because their ego gets less press attention, but that's the main drawback.

    The author seems to imply that vendor first means that a fix will take longer time. That's not obvious as all. In fact, working under the pressure of a deadline for a future disclosure is a much better motivation than to fix a problem that has already created PR damage.

  5. Peaks by Gracenotes · · Score: 5, Funny

    One of Apple's greatest marketing strengths is this ability to add hype around their products by peaking the curiosity of the common geek.
    As an aforementioned common geek, the misspelling in this sentence is enough to put me in a peak!
    1. Re:Peaks by Mordok-DestroyerOfWo · · Score: 1

      That's the funniest post I've read in a week, as I write this on my desk made of teak

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    2. Re:Peaks by Dun+Malg · · Score: 2, Funny

      That's the funniest post I've read in a week, as I write this on my desk made of teak Isn't that spelled "tique"?

      yeah, I think the joke is probably dead...
      --
      If a job's not worth doing, it's not worth doing right.
    3. Re:Peaks by Anonymous Coward · · Score: 0

      I think it's still twitching, but the outlook may be blique

    4. Re:Peaks by thegnu · · Score: 1

      That's the funniest post I've read in a week, as I write this on my desk made of teak Isn't that spelled "tique"?

      yeah, I think the joke is probably dead... It's only dead in your hea...no, no...you're right.
      --
      Please stop stalking me, bro.
  6. That's why we have embargo dates by unixan · · Score: 4, Informative

    I work for a vendor and so I get to see the view from the inside out on this.

    Most times, when a vulnerability is discovered by a professional security group or an upstream vendor, they both tell us what it is, and propose an "embargo" date for when they plan to make it public.

    This gives vendors time to react properly but still serves the public with disclosure.

    --
    This signature intentionally left unblank.
    1. Re:That's why we have embargo dates by Zoop · · Score: 4, Interesting

      As someone who manages an open source product, I get notified (despite ample ways for the "researchers" to contact me) because I have Google alerts for our product's name. I have never, not once, been contacted by the discoverer of a vulnerability or the security groups who publicize exploits.

      This has left me with a very dim view of the security community, and I sincerely doubt the earnestness of the discoverers. They act more like script kiddies out to tag something with their graffiti rather than someone concerned about the consumer.

      Maybe for Apple there are more concerned people out there, but I don't have Apple's resources and would appreciate a couple of weeks to get a fix in and tested before you expose my users to more black hats (as opposed to the black hats who knew about it before).

      I WANT TO KNOW. I WANT TO FIX IT. But the experience I've had so far is that I care more about my users than the security companies and script kiddies masquerading as "researchers" do.

    2. Re:That's why we have embargo dates by michield · · Score: 1

      my experience is exactly the opposite. I've been contacted several times by security researchers who warned me about issues (in my open source project) and gave me sufficient time to fix it and release a new version before making the information public.

      --
      The surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us. BW.
  7. His concern about "over-fixing." by Anonymous Coward · · Score: 0

    I read the article but I didn't get why he was concerned about a vendor "over-fixing" a vulnerability.

    Maybe it's my cynicism about security outfits, but the only thing I could think of is that it makes it harder for them to promote themselves since it'll make it harder to find another vulnerability.

  8. everyone hates full disclosure by fermion · · Score: 4, Insightful
    Cyptogram has a discussion of this issue in relation to the oft used argument that only people who have are committing crimes should be afraid of full disclosure. The issue in the note, iirc, related to data mining and video surveillance. The counter example to the statement was the police apparent unwillingness to give tapes of traffic stops, for example, to those private parties involved. It seems that the tapes are there to protect the cops, which is good, but no one is willing to protect the citizen. We see this even in the taping of the very occasional police overreaction.

    Almost no one is comfortable with full disclosure, and the ultimate arrogance and hypocrisy is demanding it in other, while fabricating excuses why your yourself cannot comply. We see this in the current US presidential campaign, where it is typical to release tax returns, but some people feel too above everyone else to so do. This includes other cases where persons who are, like the police, are paid by the american taxpayer, but refuse to fully account for their work hours to the american tax payer. the examples, private and public, are endless.

    So why would geeks, even those that never put on a tinfoil hat, demand full disclosure, especially in a market place where we have the option to simply not spend the money. In this case, if there are significant security issues with the iphone, don't buy one. It sounds trite, and everyone always complains about the philosophy, but it works. MS is a target for viruses, even if it not inherently less secure, so I don't use it on a regular basis. SUVs are less secure as they are not inherently stuck to the ground through the tire patches, and require computer intervention to keep them for tipping over, so I don't buy them. I don't shop at stores with affinity cards. If an iPhone is an attack against security, buy something else.

    Back to the issue of security, there is one serious misconception that I believe many people make. Just because one does not publish ones security details on the internet does not mean that one is practicing security by obscurity. Just because I do not publish my path to work on the net, and my schedule, and the times and places that my stuff is most venerable to theft, does not mean I practice security by obscurity or have a ideological hate of full disclosure. And giving a vendor time to fix an issue, even if everyone except the average consumer knows about it, is not unreasonable. If the vendor does nothing about it in a fairly short time frame, then the equation shifts.

    Which is why the most secure system may be open source. If something is discovered, then an slightly above average user may be able to fix it, and no one has to wait on the vendor. But open source solutions do not seem to have traction in the marketplace, so we are where we are.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:everyone hates full disclosure by Hope+Thelps · · Score: 2

      So why would geeks, even those that never put on a tinfoil hat, demand full disclosure, especially in a market place where we have the option to simply not spend the money. In this case, if there are significant security issues with the iphone, don't buy one. It sounds trite, and everyone always complains about the philosophy, but it works. 1. Without full disclosure, your options for determining whether there are security risks preventing you from buying one are more limited than they would otherwise be.

      2. If you mean "don't buy one if you think lack of full disclosure is itself a problem" then that seems equivalent to demanding full disclosure.
      --
      To summarise the summary of the summary: people are a problem. ~ h2g2
    2. Re:everyone hates full disclosure by risinganger · · Score: 2, Insightful

      So why would geeks, even those that never put on a tinfoil hat, demand full disclosure, especially in a market place where we have the option to simply not spend the money. In this case, if there are significant security issues with the iphone, don't buy one. Without disclosure how will you know if there are significant security issues? The author wants disclosure so consumers can say "hey, your product is insecure I'm taking my money elsewhere".

      And giving a vendor time to fix an issue, even if everyone except the average consumer knows about it, is not unreasonable. If the vendor does nothing about it in a fairly short time frame, then the equation shifts. Why shouldn't the consumer be allowed the choice of continuing to use (or not) an insecure product while waiting for a patch? Take the recent Flash vulnerability. I'd much rather know straight away to not leave myself at risk while they work on a patch than to discover it after my machine has been compromised. Without disclosure how do we know this was a previously unknown vulnerability and not one they've been sitting on.
    3. Re:everyone hates full disclosure by Kjella · · Score: 1

      1. Without full disclosure, your options for determining whether there are security risks preventing you from buying one are more limited than they would otherwise be.

      To some degree, on the other hand disclosure notices can have their own spin. Actually exploited vunerabilities in the wild aren't such a bad metric, and they're much harder to hide... Just to throw one monkey wrench out there, say debian experimental is more like a development snapshot than anything else. Is it fair to count one exploit made, discovered and fixed there the same as one exploit in Windows? Or would it be fairer to compare debian stable to windows? In the end, it's not going to be perfect no matter how you do the math.
      --
      Live today, because you never know what tomorrow brings
    4. Re:everyone hates full disclosure by TubeSteak · · Score: 1

      And giving a vendor time to fix an issue, even if everyone except the average consumer knows about it, is not unreasonable. TFA is not saying that "giving a vendor time to fix an issue" is unreasonable, merely that it does not produce the best results for everyone.

      Which is why the most secure system may be open source. If something is discovered, then an slightly above average user may be able to fix it, and no one has to wait on the vendor. OSS is not more secure because some "above average user" can fix it, it is supposedly more secure because many people have vetted it.

      Even that has shown to be the exception and not the rule.
      Decade old bugs pop up in all kinds of 'mature' OSS software

      Security is a moving target.
      --
      [Fuck Beta]
      o0t!
    5. Re:everyone hates full disclosure by Anonymous Coward · · Score: 0

      The decade old bugs are very oftentimes nothing exploitable and extremely obscure.

      OSS is more secure because no company has backdoors for it and because it's fixed quickly once bugs have been identified. Not because it's bugfree.

    6. Re:everyone hates full disclosure by legirons · · Score: 1

      TFA is not saying that "giving a vendor time to fix an issue" is unreasonable

      The vendor had plenty of time to fix the issue when they wrote the software

      And again when they tested it.

      And again when they did their pre-release security audit of the software

      So why, after the software has been released and widely-installed for years, is it necessary to start another arbitrary clock for them to make it secure? Their patch is already overdue by time()-releasedate, and they need to explain their previous installation of insecure software to anyone whose machines they left compromised since the install date.

    7. Re:everyone hates full disclosure by Anonymous Coward · · Score: 0

      No, OSS is LESS secure because the bad guys can find exploits more easily because they have access to the source code. They can also easily create their own trojan versions of the software by recompiling the code and releasing it to the unwary.

      Closed source has neither of these problems.

      Your mistake is to assume that because the source is available, only GOOD people are looking at the code checking it for vulnerabilities.

  9. Disclosure of what!? by Anonymous Coward · · Score: 0

    What the heck is this article about? It starts out on this tantalizing about how much personal information your iPhone retains, and then goes off into this mushy soliloquy about full disclosure. Full disclosure of what? Give us some details? Is it just that the iPhone keeps old data floating around in its flash, like every other phone? Is it doing something nasty? Please tell us!

    1. Re:Disclosure of what!? by E+IS+mC(Square) · · Score: 1

      You read the article but not the summary? WTF???

  10. Re:(NOT) From the article: by Anonymous Coward · · Score: -1, Redundant

    I can't find this phrase anywhere in the article.

  11. Spot on! by Anonymous Coward · · Score: 0, Troll

    This article "full disclosure and why vendors hate it" is spot on! I was going to post a bit about how full disclosure is good but just RTFM.

              There've been so many examples listed on slashdot alone of vendors "working with" a company only to find they either 1) Start claiming the problem is fixed when it's not 2) After a week or two, just tell the vulnerability discoverer "What problem?" and hope they go away 3) Drag out fixing it for months or years. 4) The worst.. threaten the discoverer to keep things under wraps. In an ideal world, working with the vendor is great but companies just are not ideal.

              Frankly, using Apple as an example is great. They really are one of the worst companies about vulnerabilities. Not in terms of having a lot, but in how they handle them. You have them keeping flaws in wireless drivers under wraps, even threatening the author into using third party wireless hardware to demonstrate the flaw (then getting fanbois to be "Oh, it wasn't even Apple's hardware!!" when it had the same driver flaws). They've fixed security vulnerabilities secretly (people look at an upgrade to some software, and find it fixes a bunch of security flaws without the "What's new" file saying this.. fixing flaws is good, but people might not upgrade if they don't know it's important too.) They claim security flaws are not a big deal (Safari). And so on. They've been doing this for quite a long time.

              Something the author doesn't mention either, but is important... the people exploiting security holes are professionals. They are paid for exploits in cold hard cash, and quite a few are looking full time. The white hats have from time to time "discovered" new vulnerabilities by finding spyware, rootkits, etc., THAT HAVE BEEN IN THE WILD FOR MONTHS, using these "new" vulnerabilities. This argues strongly that getting the vendor in a panic and fixing holes fast outweighs any keeping the hole under wraps so it's maybe not exploited so much.

    1. Re:Spot on! by Anonymous Coward · · Score: 1, Informative
      WTF. How is this (+1, Interesting). It's a blatant lie. The example cited is this incident. Read the refutation by Daring Fireball. It's been proven that Apple did not pressure researchers into using a third party hardware, but rather, those "researchers" used a third party hardware in a MacBook in order to make inaccurate, sensational claims. There was a bug, but the bug was in the third party driver. Even SecureWorks admitted in the end that the attack exploited the third party deriver.

      In response to SecureWorksâ(TM)s admission that their demonstration did not exploit the built-in driver, Apple on Friday released a statement regarding the supposed vulnerability. If Daring Football is not credible enough, do a Google on the subject to get the whole story. To this day, George Ou, Brian Kerb and David Maynor haven't been able to prove their accusation, but they've backtracked and obscured many points in order to save their reputation.

      Apple may not be 100% innocent when it comes to security. No company is. Moreover, Apple from time to time exhibits stubbornness on an issue. However, basing the whole accusation on an already refuted incident is asinine and doesn't deserve to be modded "Interesting". "Flamebait" is more likely.
    2. Re:Spot on! by Stan92057 · · Score: 0

      Just what is a reasonable time to fix a problem? Security company's are just as bad by being unreasonable about how much time a exploit is to be fixed. If a company is lieing to gain more time to fix a problem that means they have had experience with the person or security company before being unreasonable. It goes both ways,and in the end its the consumer who's going to be hurt in the end,no one else. The only fix to this is going to have to be laws and no one wants that. But how many times have company's proven that they cant do the right thing "That goes for the basement exploit finder too"

      --
      Jack of all trades,master of none
  12. You need both by davidwr · · Score: 1

    You need to give responsible vendors a reasonable period of time to get a fix out. Defining "reasonable" isn't always easy but if the vulnerability truly is known only by the discoverer, a good time window will be a few hours to a few weeks, depending on the complexity of the fix, the damage that can be caused, and the risk of independent discovery.

    For vendors who have proven themselves irresponsible by not delivering fixes in a timely manner, there's no point in waiting, just publish it and let market forces do their thing.

    Unfortuntely, like "reasonable," defining "responsible" or "timely manner" is also not always easy.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Full Disclosure - but responsibly by Animaether · · Score: 3, Informative

    Full Disclosure is great - but inform the vendor first.. if they don't take any action in, say, 3 days (I've used that number before - I'm sticking with it) to alleviate it, then hit the internets with it.

    But too often these types are calling for Full Disclosure - immediately! Don't even bother to inform the vendor! RAR! Cry havoc, and let loose the scriptkiddies!

    "The bad guy is already going to test and exploit these vulnerabilities long before the public even discovers them - the good guys ought to have a crack at verifying it too."
    That is an assumption. The assumption that bad guys know about the vulnerability -before- the 'public discoverer' went with full disclosure. Plus the assumption that the bad guys' work would be as bad, or worse than, what script kiddies would do in the time between your discovery and your disclosure. I don't think those are assumption that can be made, based on - admittedly anecdotal - evidence (crashing mIRC 6.something users' IRC application on large IRC networks using a malformed DCC command only became a problem once it was disclosed and everybody and their dog started doing it, while the developer was already in the process of fixing.)

    There's a middle ground - I put it at 3 days. Where do you put it, Jonathan Zdziarski? Your article seems to indicate "0 day", but I can't imagine you being that irresponsible.

    1. Re:Full Disclosure - but responsibly by Cal+Paterson · · Score: 1

      This is a pointless line-in-the-sand to draw.

      When a malicious party finds out about a hole, there is no 3 day grace. Vendors want to treat security in a casual manner, and that is truly irresponsible.

      There is no good reason to put anyone above the public.

    2. Re:Full Disclosure - but responsibly by SoupIsGoodFood_42 · · Score: 1

      I'd rather they took their time over 3 days and fix it properly than break functionality or introduce another security issue because of a mad rush. I'm just trying to be realistic.

  14. As a consumer, I want to know earlier by Anonymous Coward · · Score: 1, Insightful

    Say a week elapses between the reporting a vulnerability and the passing of the embargo. That's another week that software I use is vulnerable without my knowledge thereof. If I would know that there is a problem, I would be able to take appropriate precautions while waiting for a fix, but if I don't know what's going on I'm the proverbial sitting duck. As a consumer, I demand full disclosure, and not only that, I demand to get it as soon as possible.

    1. Re:As a consumer, I want to know earlier by TheRaven64 · · Score: 1

      You don't actually need full disclosure for this. You can simply publicly disclose that you have found one arbitrary code execution vulnerability in product X. Either the vendor confirms it and specifies a date when they will release a fix, or you disclose the nature of the vulnerability publicly.

      --
      I am TheRaven on Soylent News
  15. Flaw in capitalism, not industry by plasticsquirrel · · Score: 2, Insightful

    The issue that he raises is a flaw in capitalism, not specific to this case. Capitalism assumes that consumers have accurate information about their purchases. Making this information readily available is not encouraging capitalism, but rather trying to deny that the flaw exists.

    If anything, this has the trappings of libertarian or democratic socialism. The idea of democracy taking a role in putting moral standards on powerful economic institutions, is not traditionally capitalist.

    --
    Systemd: the PulseAudio of init systems
    1. Re:Flaw in capitalism, not industry by risinganger · · Score: 1

      The idea of democracy taking a role in putting moral standards on powerful economic institutions, is not traditionally capitalist. What are you talking about?

      We have all sorts of laws in place for consumer protection which place restrictions and obligations on companies. Surely by your definition there are no capitalist countries.

      Forcing companies into full disclosure would merely be another level of consumer protection/empowerment regardless of if you agree with it or not.

    2. Re:Flaw in capitalism, not industry by Anonymous Coward · · Score: 0

      Capitalism assumes nothing. Capitalism is a system which works best when consumers have accurate information about their purchases.

      The flaw is in the implementation, not in the theoretical framework.

    3. Re:Flaw in capitalism, not industry by Cal+Paterson · · Score: 1

      Capitalism doesn't assume anything. It's the one economic system that does the right thing no matter how many people fuck up.

    4. Re:Flaw in capitalism, not industry by Anonymous Coward · · Score: 0
      Capitalism assumes that consumers have accurate information about their purchases.

      Economic researchers studying a market-based economy theorize that the free-flow of information is beneficial and a key reason for the success of market-based economies. However, I am not aware of assumptions that this information needs to be perfect, present (in all cases), or even accurate. There is enough slack in the model that crappy information can often suffice. There are also proportionalities to consider. As a bubble-gum maker investing one billion in a new product line, I need the best damn information possible! As a consumer with a spare $0.79 in my pocket, I can afford to act with reckless abandon in my bubble-gum investment decisions.

  16. Neither is really concerned with consumers by crmarvin42 · · Score: 1

    When it comes to vulnerabilities, the vendors only care in so far as it causes a PR problem for them. However, I don't believe that these "Security Experts" are crusading for consumers either. They tell the company that there is a problem, but if the company doesn't decided that the flaw "They" found is the most important thing then the "Security Expert" throws a hissy fit and tells everyone about it in revenge. The "Security Expert" appears to me to be hoping someone will develop some malware that utilizes the flaw and gives the vendor a PR problem. Either way it's the consumer that looses because in the case of unfixed flaws there exists the possibility of a Malware author discovering the flaw, and in the event of full disclosure the consumers are the ones at risk if the malware authors act faster than the vendor. IMHO, It's a pissing contest between the vendors that write the software and the "Security Experts" that want bragging rights.

    --
    Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
  17. Death of the iPhone. by Anonymous Coward · · Score: 0

    I will embrace and celebrate the death of this device.

  18. They'd better get used to it because by ftide · · Score: 1

    Verizon's open platform is going to have more full disclosure.

  19. Fallacy in argument by yabos · · Score: 0

    He argues that if there is not full disclosure and you just notify the vendors that the bad guys will "probably" know about it too. If that was wide spread then you wouldn't have people reverse engineering the monthly Windows patches to figure out what was patched. There are many crackers doing this every time Microsoft comes out with new updates and then they use that information to exploit people who haven't patched.

    If the exploits were fully disclosed instead then most likely there would be even more exploits in the wild.

  20. False dichotomy. by argent · · Score: 1

    Vendor first doesn't mean "vendor only", and nobody says you need to sit on a flaw forever if the vendor doesn't fix it. You're giving them advance notice, not carte blanche.

  21. Down Boy! by Anonymous Coward · · Score: 0

    Guess who is sleeping on the couch tonight.

  22. Stereotypes are FUN! by toiletsalmon · · Score: 1

    -Stereotype party! Apparently now, it's OK to fight stereotypes with stereotypes. Cool!

    "because male techs tend to have limited interests and are difficult to work with when you're female"
    In MY experience, women in IT WANT to be treated differently. They think ovaries make them special. I guess personal experience can vary, huh? Let's not even get into the abuses of playing the "sexual harrassment" card...

    "It's the atmosphere."
    In MY experience, it really IS the atmosphere. If some of the women I've worked with weren't able to "play" in the gossipy, catty, back-biting, in-fighting environments they enjoy, then they don't want to play at all.

    Goody! Goody! That was fun. Now let's do stereotypes about blacks and jews. You go first...