Slashdot Mirror

← Back to Stories (view on slashdot.org)

Full Disclosure and Why Vendors Hate It

Posted by CowboyNeal on from the into-the-light dept.

An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."

4 of 91 comments (clear)

  1. Peaks by Gracenotes · · Score: 5, Funny

    One of Apple's greatest marketing strengths is this ability to add hype around their products by peaking the curiosity of the common geek.
    As an aforementioned common geek, the misspelling in this sentence is enough to put me in a peak!
  2. Re:Well of course by manwal · · Score: 5, Insightful

    It's only about money. With few or no public security flaws/fixes, your company, product and brand look safe. With many, they look dangerous. It doesn't matter that security often works the other way around.

  3. Re:From the article: by Koiu+Lpoi · · Score: 5, Funny

    I totally agree. Since EEE PCs and iPhones are now small enough to fit in the kitchen, we may be seeing a change in this trend.

  4. Re:Incredibly Inflated Sense of Self Worth by RAMMS+EIN · · Score: 5, Insightful

    ``Which proves this article's premise completely wrong. The only people who ARE interested are the malicious folks, which will be almost your entire "full disclosure" audience. Full disclosure is a great way to give the malicious folks a head start, and won't do one tiny little thing towards linking a product's popularity to its security.''

    I am offended by your comment. I am in favor of full disclosure, and I am not a black hat. I know there are many people like me.

    Also, your analysis is wrong on both counts. Full disclosure doesn't give anyone a head start. On the contrary, it informs everybody of the flaw at the same time. That does indeed include the black hats, but also the vendor and the users. This allows the black hats to develop exploits, but it also allows the vendor to work on a fix, and the users to implement temporary stopgaps. The alternative is, pretty much, not informing the users of the flaw - thereby leaving them unaware that a vulnerability has been discovered. As for the black hats: they work hard to find security flaws and avoid full disclosure - after all, as long as only they know the flaw exists, they can exploit it for fun and profit.

    With regard to linking a product's popularity to its security: I know of two things that will do that. The first is users feeling victimized by the bad security of the product they have. The other is making actual and potential users aware of the security risks of a product. Full discloruse brings the insecurity of a product out in the open, which is a step towards the latter and can also help with the former. Of course, the effect is going to be rather limited as long as users don't care very much, but I can tell you that the effect is there.

    --
    Please correct me if I got my facts wrong.