Slashdot Mirror

← Back to Stories (view on slashdot.org)

Heartbleed Sparks 'Responsible' Disclosure Debate

Posted by Soulskill on from the arguing-about-ethics dept.

bennyboy64 writes: "IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed 'responsibly.' A number of selective leaks to Facebook, Akamai, and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should've told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), which reported the bug to OpenSSL after Google, on April 7, which spurred the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have continued to remain a secret and be shared only in security circles when OpenSSL received a second bug report from the Finnish cyber security center that it was passing on from security testing firm Codenomicon. 'This would have minimized the exposure to the vulnerability for end users,' Mr. Eronen said, adding that 'many websites would already have patched' by the time it was made public if this procedure was followed."

9 of 188 comments (clear)

  1. No Good Solution. by jythie · · Score: 5, Insightful

    This really strikes me as the type of problem that will never have a good solution. There will always be competing interests and some of them will be mutually exclusive while still being valid concerns.

  2. WTF? by gweihir · · Score: 5, Insightful

    The only possible way is to disclose to the responsible manufacturer (OpenSSL) and nobody else first, then, after a delay given to the manufacturer to fix the issue, disclose to everybody. Nothing else works. All disclosures to others have a high risk of leaking. (The one to the manufacturer also has a risk of leaking, but that cannot be avoided.)

    The other thing is that as soon as a patch is out, the problem needs to be disclosed immediately by the manufacturer to everybody (just saying "fixed critical security bug" is fine), as the black-hats watch patches and will start exploiting very soon after.

    All this is well known. Why is this even being discussed? Are people so terminally stupid that they need to tell some "buddies"? Nobody giving out advance warnings to anybody besides the manufacturer deserves to be in the security industry in the first place as they do not get it at all or do not care about security in the first place.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:WTF? by Tom · · Score: 4, Interesting

      The only possible way is to disclose to the responsible manufacturer (OpenSSL) and nobody else first, then, after a delay given to the manufacturer to fix the issue, disclose to everybody. Nothing else works. All disclosures to others have a high risk of leaking. (The one to the manufacturer also has a risk of leaking, but that cannot be avoided.)

      It's not about leaking. The reason I'm not alone in the security community to rage against this "responsible disclosure" bullshit is not that we fear leaks, but that we know most of the exploits are already in the wild by the time someone on the whitehat side discovers it.

      Every day you delay the public announcements is another day that servers are being broken into.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:WTF? by Anonymous Coward · · Score: 4, Insightful

      If no fix is available yet, they're still being broken into - but you've just added the thousands of hackers who *didn't* know about it to the list of those exploiting it.

    3. Re:WTF? by medv4380 · · Score: 4, Interesting

      Not to sound like too much of a conspiracy nut, but Heartbleed did look like a deliberate exploit to some people, and still does to others. If it had been, and had been put there by someone at OpenSSL they are the last ones you actually want to inform until you have already patched it yourself. From the timeline that's what Google did, and then tapped the shoulders of their closes friends so they could ether patch it or disable the heartbeat feature as CloudFlare did. I agree that OpenSSL should have been informed first, but what do you do when you suspect the proper channels are the ones who put it there in the first place.

  3. Issue? by silanea · · Score: 5, Insightful

    What exactly is the issue here? Maybe I misread TFS and the linked articles, but as I understand the chief complaint - apart from Google's delay in reporting to OpenSSL - is that some large commercial entities did not receive a notification before public disclosure. I did not dig all too deep into the whole issue, but as far as I can tell OpenSSL issued their advisory in lieu with a patched version. What more do they expect? And why should "Cisco[,] Juniper[,] Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy" get a heads-up on the public disclosure? I did not get a heads-up either. Neither did the dozens or so websites not named above that I use. Neither did the governmental agency I serve with. Nor the bank whose online-banking portal I use. Are we all second-class citizens? Does our security matter less simply because we provide services to fewer people, or bring lower or no value to the exchange?

    A bug was reported, a fix was issued, recommendations for threat mitigation were published. There will need to be consequences for the FLOSS development model to reduce the risk for future issues of the sort, but beyond that I do not quite understand the fuss. Can someone enlighten me please?

    --
    Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
  4. Re:are we seriously blaming google by xxxJonBoyxxx · · Score: 4, Insightful

    >> are we seriously blaming google and not NSA who found the bug 4 years ago when the bug was first introduced?

    Yes. The NSA is the US gov's lead black hat. Google's an advertising company that depends on people trusting the Internet for information and commerce. I'd expect the NSA to hoard information to assist their black-hatting, and I'd expect Google to quickly share anything they know so security vulnerabilities can be patched and people don't lose faith in the Internet*.

    * = (Seriously, when people have asked me what to do about Heartbleed, I've said "don't buy anything you don't need, and try to avoid paying any bills online or doing any online checking for a week or two - then change your password as soon as you sign on.")

  5. Blame Game. by jellomizer · · Score: 4, Insightful

    That is the biggest problem. Other then rewarding the people who fix the problem, we try to figure out who is to blame for every freaking thing.

    Oh look a flood hit the city unexpected, well lets blame the mayor for not thinking about this unexpected incident.

    Or a random guy blew up something, why didn't the CIA/NSA/FBI know that he was doing this...

    We are trying to point blame on too many things, and less time trying to solve the problem.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  6. Actual Experience Against "Responsible Disclosure" by DERoss · · Score: 4, Interesting

    Historically, so-called "responsible disclosure" has resulted in delayed fixes. As long as the flaw is not public and causing a drum-beat of demands for a fix and a possible loss of customers, the developer organization too often treats security vulnerabilities the same as any other bug.

    Worse, those who report security vulnerabilities responsibly and later go public because the fixes are excessively delayed often find themselves branded as villains instead of heroes. Consider the case of Michael Lynn and Cisco in 2005. Lynn informed Cisco of a vulnerability in Cisco's routers. When Cisco failed to fully inform its customers of the significance of the security patch, Lynn decided to go public at the 2005 Black Hat conference in Las Vegas. Cisco pressured Lynn's employer to fire him and also filed a lawsuit against Lynn.

    Then there was the 2011 case of Patrick Webster, who notified the Pillar Administration (major administrator of retirement plans in Australia) of a security vulnerability in their server. When the Pillar Administration ignored Webster, he used the vulnerability to extract personal data from about 500 accounts from his own pension plan (a client of the Pillar Administration). Webster made no use of the extracted personal data, did not disseminate the data, and did not go public. He merely sent the data to the Pillar Administration to prove the existence of the vulnerability. As a result, the Pillar Administration notified Webster's own pension plan, which in turn filed a criminal complaint against Webster. Further, his pension plan then demanded that Webster reimburse them for the cost of fixing the vulnerability and sent letters to other account holders, implying that Webster caused the security vulnerability.

    For more details, see my "Shoot the Messenger or Why Internet Security Eludes Us" at http://www.rossde.com/editoria....