Slashdot Mirror


Firm To Release Database, Web Server 0-Days

krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to the conclusion that, to put it simply, it is a waste of time. Now, we do not contact vendors and do not support the so-called "responsible disclosure" policy,' Legerov said."

9 of 220 comments

  1. What's up with the confusing article title? by Qubit · · Score: 5, Insightful

    Firm To Drop Database, Web Server 0-Days

    The verb "to drop" has a specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:

    Fed-up security firm to release Database & Web Server vulnerabilities publicly

    Look at how much more information is conveyed in that second title. A work of beauty, it is.

    --

    coding is life /* the rest is */
  2. Re:Responsible Disclosure by MachDelta · · Score: 5, Insightful

    The alternative to irresponsible disclosure is for the vulnerability to be used maliciously for an unknown period of time. Which of those is preferable?

  3. Re:Responsible Disclosure by Anonymous Coward · · Score: 5, Insightful

    Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.

    The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line. Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.

  4. Re:Responsible Disclosure by csartanis · · Score: 5, Insightful

    Yes, because "responsible" goes both ways. They're being responsible by notifying the vendor before going public. If the vendor is not fixing the issue, it's time to go public.

    As far as I'm concerned a public release is still a responsible one. At least in that case everyone knows about it.

    Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain. The vendor's customers get screwed and the vendor has no idea that it's even happening.

  5. Nice short term marketing gimmick by Megaweapon · · Score: 5, Insightful

    "Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."

    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
  6. Re:Irresponsible by GameMaster · · Score: 5, Insightful

    What he seems to be saying is that he's already told the companies and they've done nothing. A better term for it might be "effective disclosure" in order to differentiate itself from the proven-ineffective "responsible disclosure" advocated by the industry.

    --

    Rules of Conduct:
    #1 - The DM is always right.
    #2 - If the DM is wrong, see rule #1
  7. Re:Responsible Disclosure by mcrbids · · Score: 5, Insightful

    I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

    It's most likely a case of resource management and insufficient resources available. Businesses exist to make money. Features make money, bugs cost money. So, given NNN amount of money, do you:

    A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or

    B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?

    Now, the clueful would note that the set of B includes the set of A, but for those who are living close to the edge, A is where the attention goes, and that's why you see announcements like this one.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  8. Re:Is it just me? by Arancaytar · · Score: 5, Funny

    You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

  9. Re:Responsible Disclosure by bws111 · · Score: 5, Insightful

    This doesn't sound like either responsible or irresponsible disclosure. It sounds like plain old extortion. Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor. Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion. Given that he must now resort to a blanket 'from now on I'll just release it' threat, he must be getting pretty desperate. Frankly, I have no trouble believing that IBM/Tivoli and Sun/MySQL would not bat an eye at an extortion attempt, but I find it hard to believe they would not fix an actual vulnerability if it was reported as such.