Slashdot Mirror


Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com)

itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.

79 comments

  1. SMB File Shares? by Anonymous Coward · · Score: 0

    Are people still using those? LAN Manager had the only system I know where a 14 character password was better than a 30 character password.

    1. Re:SMB File Shares? by omnichad · · Score: 3, Insightful

      SMB==CIFS

It's the only decent option for Windows/Linux file sharing. My home server runs Samba as well as Netatalk, because NFS doesn't work as well as it should with OS X either.

    2. Re:SMB File Shares? by Aaden42 · · Score: 2

Out of curiosity, what troubles have you had with an OSX NFS client to a Linux server? I use the automountd approach (access /net/SERVERNAME/SHARENAME), and it's pretty good. It does get stupid if the NFS server goes away for any reason. Usually have to restart the Mac before things are normal again if the server reboots or any of the NFS/sunrpc daemons crash. And of course I still need Netatalk for TimeMachine.

      Other than that, I find NFS is faster than Netatalk by a goodly bit. I have been meaning to try a good benchmark of CIFS, NFS, and Netatalk with 10.11 as the special sauce for CIFS is supposedly even more special now...

    3. Re:SMB File Shares? by Junta · · Score: 1

      Besides, I thought they were shying back toward SMB terminology, since 'CIFS' didn't really catch on. I prefer SMB because CIFS doesn't really describe it as well (it's not really the best strategy for 'internet', it's 'common' by virtue of everyone else having to cave because MS wouldn't do it like anyone else, etc).

      But yes, the description of the *potential* security is out of date (Though NTLM still in practice plays a huge role for most folks).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    4. Re:SMB File Shares? by Anonymous Coward · · Score: 0

      Yeah, that guy's crazy. OSX NFS has been rock solid for me, which makes sense since it's probably based on the FreeBSD NFS which I might just trust my life with.

    5. Re:SMB File Shares? by omnichad · · Score: 1

I wish I could remember. I do use some OSX-specific things that require that resource fork. Color labels for files are one. But also, I don't think some files got proper icons when on an NFS share. And some Mac software needs the resource fork for important file data (FCP is a likely one), but I don't know for sure that I store any files there that need it.

      I also like being able to reconnect within the GUI when the server is rebooted.

    6. Re:SMB File Shares? by aaarrrgggh · · Score: 1

      Samba sucks with OSX. Stupid UNIX rights-carryover issues, dotfiles, broken connections, sleep issue... it is horrible.

      --"Proud" Samba, Linux, and OSX user for well over a decade, stuck switching to Windows servers.

    7. Re:SMB File Shares? by aaarrrgggh · · Score: 1

      The resource forks are transparent to UNIX users, but Windows users complain about the garbage dotfiles. Dropping connections though, predominantly on sleep but also other random cases, is the killer. Logging out to reconnect makes me love my Mac...

      Fortunately, only have to log out and/or reboot about 10% of the time.

      Glad I have shell access and can SFTP when using the VPN though.

    8. Re:SMB File Shares? by omnichad · · Score: 1

      This is why I use Netatalk too. AFP is fairly smooth compared to SMB.

    9. Re:SMB File Shares? by omnichad · · Score: 1

      I have Samba set to portray dot files as hidden, so I don't have any trouble there.

      My server rarely reboots, but the server "goes away" when I have to reboot my cable modem (and then reboot my router or it won't work because it's a cheap modem).

    10. Re:SMB File Shares? by omnichad · · Score: 1

      I prefer to have it show up as a Volume in Finder. Don't ask me why, because you won't get a good answer. I have NFS shares set up on that server too, which is how MythTV accesses my movie library.

    11. Re:SMB File Shares? by aaarrrgggh · · Score: 1

      How do you make the dotfiles hidden on Samba, but still accessible for the resource fork? I love the reliability of our Samba server at work; 400 days of uptime (between power outages) is normal. Really looking forward to rebooting a Windows server every month...

    12. Re:SMB File Shares? by omnichad · · Score: 1

> How do you make the dotfiles hidden on Samba, but still accessible for the resource fork?

      One, hidden files are not inaccessible.

      Two, I don't use Samba with OS X - I access the same folder over AFP with Netatalk.

    13. Re:SMB File Shares? by RatherBeAnonymous · · Score: 1

If you are hiding the dot files, what happens when a PC user moves a Mac generated file? Won't it lose the resource fork?

I'm not running any Linux file servers, but when a Mac accesses a Windows server over SMB, or even AFP, it will encode the resource fork into the file as an alternate datastream. It makes my Mac users' lives a whole lot easier when their Adobe CS files are not broken.

    14. Re:SMB File Shares? by omnichad · · Score: 1

      It's my home server. So any "user" is going to be me (I'm the one using Mac files). Most file types don't use resource forks anymore (Adobe Suite being the one main exception), but I think the only thing in the resource fork on AI or PSD files is just a preview thumbnail - which I don't want to lose. I can still open the file from Windows and it works just fine. Very few file types still have a separate mac-only variation, so all the important data is in the data fork anyway.

    15. Re:SMB File Shares? by aaarrrgggh · · Score: 1

      Thanks; I was thinking you used veto_files. Wasn't aware of hide_files until you sparked my curiosity.

      Does Netatalk have issues with file locking when "sharing" with Samba?
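As an added illustration of the hide-versus-veto distinction the two posters above are working out (this is not configuration from anyone in the thread), here is a minimal smb.conf share that keeps Mac metadata files out of Windows directory listings with Samba's `hide files` parameter, with the `veto files` alternative left commented out because it would make the same names unreachable rather than merely hidden. The share path, the `.AppleDouble` directory name (where older Netatalk layouts keep resource forks) and the `._*` pattern are assumptions for the example.

```ini
; Added example, not from this thread: one Samba share where dotfiles are
; hidden from SMB clients but remain readable and writable, so a Netatalk/AFP
; client sharing the same directory still finds its resource-fork data.
[shared]
   ; assumed path for the example
   path = /srv/shared
   read only = no

   ; Hidden, not blocked: names matching these patterns are flagged hidden
   ; in directory listings, but a client that asks for them by name (or
   ; shows hidden files) can still open them. Patterns are slash-delimited
   ; and accept * and ? wildcards.
   hide dot files = yes
   hide files = /.AppleDouble/._*/.DS_Store/

   ; The stronger setting the thread contrasts this with. veto files makes
   ; matching names both invisible and inaccessible over SMB, so vetoing the
   ; AppleDouble store would break resource forks for any client that reaches
   ; the share through Samba. Kept commented out on purpose.
   ;veto files = /.AppleDouble/._*/
```

The practical check after editing is `testparm` against the file, then a directory listing from a Windows client with hidden files shown: with `hide files` the entries appear greyed out and can still be opened, whereas with `veto files` they are absent and any attempt to open one by name fails.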

    16. Re:SMB File Shares? by omnichad · · Score: 1

      Haven't any idea. I just simply don't have a use case where the same file will be open for editing on two systems at once. But I would assume both Samba and Netatalk pass file locks down to the underlying system, considering local access should be restricted the same way.

  2. Let's make some educated guesses. by Anonymous Coward · · Score: 5, Insightful

    Let's make some educated guesses about this problem.

    1. It is a protocol-related bug, since it affects two different implementations.

    2. It involves file locking, hence the name.

    3. There might very well be some ruthless self-promotion going on here.

    1. Re:Let's make some educated guesses. by phayes · · Score: 5, Informative

      Tridge has very publicly stated that the hard part in making Samba work was not in following Microsoft's specifications but identifying and replicating the bugs in Microsoft's implementations.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:Let's make some educated guesses. by Anonymous Coward · · Score: 3, Insightful

      > 1. It is a protocol-related bug, since it affects two different implementations.

      Ha. As if there was any separation of protocol and implementation at Microsoft.

    3. Re:Let's make some educated guesses. by hey! · · Score: 2, Interesting

      For years I had a company whose clients were public health agencies. One time one of my customers said this to me, "You guys can do all kinds of great stuff, but the problem with you is that you want money for everything."

I was nonplussed. I just couldn't get my brain around the fact that he saw the fact that we charged for our services as somehow venal; after all this wasn't a field I went into to get rich, because that sure would have been a bust. The reason we could do things that people had only dreamed about doing was that we did something that nobody in the public sector could: hired a team of talented and qualified engineers to work on these problems. The downside of that was that those engineers don't come cheap; any time money wasn't coming in we'd be bleeding it at eye-popping rates. So we did indeed bring in a lot of money, but it all went straight out to feed the payroll dragon.

      I'm glad I did my little bit for humanity, I think everyone should at some point in their career. But I probably wouldn't do it again.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Let's make some educated guesses. by ole_timer · · Score: 1

      but public health (education, drinking water, you name your liberal cause) should be free!

      --
      nothing to see here - move along
    5. Re:Let's make some educated guesses. by smooth+wombat · · Score: 0

      And according to "conservatives", businesses should be free from taxes.

      Because. . . trickle down.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    6. Re:Let's make some educated guesses. by mwvdlee · · Score: 2

      Trickle down economics:
      Small government, because otherwise a lot of money is wasted on people who are not me.
      Big corporate, because otherwise a lot of money is wasted on people who are not me.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    7. Re:Let's make some educated guesses. by Anonymous Coward · · Score: 1

      Good that you put that in quotes. The heavily-propagandized, totally delusional, right-wing extremists are anything but "conservative." They'd tear down civilization if they could, because being expected to treat people decently is too much for them. They say it conflicts with their superstitions, so in addition to being dangerous extremists, they're also idiots.

    8. Re:Let's make some educated guesses. by swb · · Score: 1

      No different at private, for-profit businesses. The same skinflints are in charge, with a mindset that IT products are just like normal durable goods that don't wear out until their moving parts actually break and have no software obsolescence that renders them unusable in spite of their age.

      I've found that they will almost paradoxically spend high amounts on labor to maintain old hardware and software environments versus replacing them with cheaper to operate products, but they will still complain.

      "The food is terrible, and the portions were too small."

    9. Re:Let's make some educated guesses. by Archangel+Michael · · Score: 0

      Better than the Trickle up Poverty we're seeing now, don't you think?

      You cannot make more people successful by attacking success.

      You cannot make more people richer, by taking from the rich.

      But socialists somehow think this works.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re: Let's make some educated guesses. by Anonymous Coward · · Score: 0

      Once corporations became people, it all went to shit.

    11. Re:Let's make some educated guesses. by KGIII · · Score: 2

> any time money wasn't coming in we'd be bleeding it at eye-popping rates

      This is very, very astute and true. It's one of the things to note if you're going to hang out your shingle and expect to employ people. They expect to be paid - even if there's no money coming in and making payroll is important. Which, if you're curious, is how I ended up having to learn to do all the various tasks that needed doing. There was a point in time where I even helped to keep the place clean - emptying trash, sweeping and mopping, and even coming in on weekends to clean everything from workstations to windows. (At the time, only a few of the workstations had Windows! They were mostly SunStations as I recall.) Of course, that's not really the type of windows I meant.

      There were a lot of 16 hour days because hiring more people wasn't in the cards at the time. Yes, I could have afforded them for the time being. But could I have kept them both employed and stimulated during a lull? I could have pretended and just hired and laid off but I'm sure the reputation would have gotten around and I'm just not that kind of person.

      --
      "So long and thanks for all the fish."
    12. Re:Let's make some educated guesses. by TangoMargarine · · Score: 1

      By definition, taking from the rich and giving to the poor makes more people richer.

      100 50 20 20 20 10 10
      50 50 30 30 30 20 20

      One less rich; five more rich. So 4 net more rich.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    13. Re:Let's make some educated guesses. by smooth+wombat · · Score: 3, Insightful

      Trickle down hasn't worked in over 30 years. Just ask Kansas how well it's working for them. Yet somehow "conservatives" think this works.

You cannot make more people successful if you attack the people who make them successful.

      You cannot make more people richer by only giving them crumbs.

      I'm not a socialist. I'm one of the dying breed of real conservatives. However, when I hear multi-billion dollar companies whine they can't pay their people more yet have no problem giving out multi-million dollar bonuses to people already making a million or more a year AND have billions socked away overseas AND go to the taxpayer for either bailouts or tax breaks or have them build something, it's disingenuous at best and arrogant at worst for them to claim how horrible things are.

      We always hear why certain people are paid huge salaries, because the companies want the best, yet by their actions these same companies are showing they don't want the best people working for them in other capacities because they're not willing to pay them.

      If trickle down had ever worked the salaries of people wouldn't still be the same, adjusted for inflation, as they were 20+ years ago.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    14. Re:Let's make some educated guesses. by Darinbob · · Score: 1

Because Reagan pushed his voodoo economics, and Reagan is a deity, this makes trickle down economics a matter of doctrine.

    15. Re:Let's make some educated guesses. by Archangel+Michael · · Score: 1

      You're under a delusion. I would postulate that taking from the rich, skimming off the top to government's cut, and giving what's left over to the poor doesn't make anyone richer, including the poor. At best, it is a Zero sum. For the Poor do not create wealth with their cut, the government destroys wealth with their schemes and the rich just get better at hiding their wealth from people who like to take things simply because "We voted on it, that makes it legal".

In the end, while your simplistic rationale seems reasonable, it doesn't actually ever work out that way in practice.

      The reality is, the ONLY way people gain wealth is by enterprise, something that is demonized as "unfair" by the left, as it is a function of ability, and life isn't fair that way

      I'll let you know what creates wealth, it is $15 shoes and not $200 Nike Sneakers. But when you don't work for your money, you don't know which is which.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    16. Re:Let's make some educated guesses. by Archangel+Michael · · Score: 1

      Yeah, Reagan sucked, that's why we followed up the crappy years of Carter with unprecedented growth, which suddenly failed right after Clinton. And after eight years of Obama, things suck about as bad as ever.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    17. Re:Let's make some educated guesses. by TangoMargarine · · Score: 1

      It's not a delusion; it's 3rd-grade math.

> I would postulate that taking from the rich, skimming off the top to government's cut, and giving what's left over to the poor doesn't make anyone richer, including the poor. At best, it is a Zero sum. For the Poor do not create wealth with their cut,

      I guess I just don't understand how in your world it's not true that 30 > 20.

      If you mean to say we shouldn't take from the rich and give to the poor (because the rich will utilize the money more efficiently? is that what you're saying?), that's a different argument. But you shouldn't make trivially falsifiable absolute statements :)

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    18. Re:Let's make some educated guesses. by Darinbob · · Score: 1

      Of course it is all due to those individuals and nothing to do with corporations, oil producers, foreign economies, high tech booms, etc.

  3. So tiring by Anonymous Coward · · Score: 0

    No matter how you look at it, it's a waste of attention for most onlookers. It's much ado about something that ought to be very small indeed, but to these chaps clearly isn't. The fact that this works is just more proof that the computer security emperor is still nekkid.

  4. Bad for everyone by jofas · · Score: 2

Vulnerabilities aren't profitable. The cockroaches who make money from their fallout might see it that way because that's how racketeers think, but vulns hurt business overall. And that's setting aside potentially ruined lives because of identity theft etc. The heartbleed marketing fiasco brought out of the woodwork low-lives who made fake "test your system for heartbleed" pages. This is not a good thing.

    1. Re:Bad for everyone by MeNeXT · · Score: 1

      I somewhat agree with you but when you try to do it right and your competition just slaps it together a good vulnerability shows your clients that it was all worth the extra time and money. Which leads to profit.

      --
      DRM? No thanks, I'll just get it somewhere else...
  5. Win Win For The Attention Whores by Anonymous Coward · · Score: 0

    It's a win win for the attention whores that are advertising it. But, it's bad disclosure procedure.

Vulnerability disclosure is important and should be done, especially when it is educational or is used to prod an unmotivated vendor to fix the issue. But, this is neither of those things. The vendor is fixing it and releasing a fix at the same time as the Samba team. There is almost certainly nothing of any real value to be learned from this vulnerability.

    There is almost no reason at all for the public disclosure of this vulnerability. For those that would argue that the advertising campaign will get people to patch, they could easily advertise the need to patch without disclosing the vulnerability. Sure, anyone can browse the Samba code and figure it out for themselves, but that's not the same thing as running a self promoting media blitz.

Whoever set up this campaign is an attention whore, not a security conscious developer.

    1. Re:Win Win For The Attention Whores by omnichad · · Score: 2

      There are a lot of embedded implementations of Samba, meaning a lot of firmware patches going out right after this. That includes hundreds of models of routers and NAS units.

    2. Re:Win Win For The Attention Whores by Anonymous Coward · · Score: 1

      Probably much more. In Microsoft land, bug == undocumented feature. It could be quite possible that many "enterprise" software "solutions" depend on the bug for functioning at all. Fixing the bug will pull the rug under them and make them stop working.

    3. Re:Win Win For The Attention Whores by The-Ixian · · Score: 1

      This is a long standing issue with MS in particular but is not exclusive to them in any way.

      Developers find undocumented features or have some inside track to learn about them but, since they are undocumented, they are subject to change without notice.

      So, if you are relying on undocumented features for your software to work... you are living precariously.

      --
      My eyes reflect the stars and a smile lights up my face.
  6. Pot meet kettle by Anonymous Coward · · Score: 0

    So isn't promoting your website on slashdot every time you post a story. Well, depending on who you ask it might be considered poor marketing as well. Slashdot doesn't give me a way to just not show anything you submit so I just blacklist csoonline.

  7. Re:Good for everyone by ole_timer · · Score: 3, Insightful

    Vulns are most assuredly profitable or there wouldn't be anyone looking for them.

    --
    nothing to see here - move along
  8. Quoted line about lead time is stupid by Anonymous Coward · · Score: 0

    "But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart."

    Now, Microsoft and Samba have been notified and are working to patch. The lead time gives them time to produce a patch before public disclosure. I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista), however, and Windows being closed source, this means that _nobody_ can do anything to rectify the matter. In the case of old free software OSs running an old version of Samba, people can still get the source and fix it according to information provided in the disclosure (or by Samba with regards to how it has been patched).

    1. Re:Quoted line about lead time is stupid by Anonymous Coward · · Score: 0

      The lead time will give criminals ample time to reverse-engineer the vulnerability from the patches, and exploit the countless boxes that don't get updated.

    2. Re: Quoted line about lead time is stupid by jofas · · Score: 2

      TFA mentions (if you read it) that a samba dev is the one releasing the bug.

    3. Re:Quoted line about lead time is stupid by omnichad · · Score: 4, Insightful

> I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista)

      XP won't get a patch because it's not supported (unless this affects interoperability between patched and unpatched - then they might be motivated).

      But this is a security update. Vista is supported until next April. They're going to have a very hard time convincing the public that they shouldn't patch that. And Windows 7 is far more under the umbrella than Vista.

      Heartbleed got a patch for XP despite it being out of support entirely.

    4. Re:Quoted line about lead time is stupid by Anonymous Coward · · Score: 1

Wtf? You should give 20 days' lead time *privately* to those responsible to fix it (Microsoft in this case).

You should *not* *publicly* announce it until the day before or the day the patch goes live, because that gives time for other people (including people not even in the business that wouldn't care otherwise) to re-discover the vulnerability on their own (any detail about the product, versions affected, etc. is a hint; and some of those people *may* actually have a way to buy/fetch more info about the bug in many ways, e.g. social engineering, someone on the team selling the info, etc.).

      Is that so hard to understand?

    5. Re:Quoted line about lead time is stupid by The-Ixian · · Score: 1

      MS has already backtracked once and released an out-of-cycle patch for IE on XP.

      If this is severe enough, they may do it again.

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Quoted line about lead time is stupid by Anonymous Coward · · Score: 0

It's not unheard of that Microsoft doesn't patch a protocol-level vulnerability on a currently supported product. Like MS15-011 was not patched in Windows Server 2003 when it was still supported.

    7. Re:Quoted line about lead time is stupid by barbariccow · · Score: 1

Actually this whole thing is really dumb. They didn't give any information other than a name and a website and that they told microsoft.

      Watch, I can do it too!

      I have just discovered a bug "LinkLock" in the SMB protocol! I've informed microsoft and they will patch it on April 16th.

      See? Now can I have my 500,000 hits please?

  9. Re: Good for everyone by jofas · · Score: 0

    Let's see how long ppl put up with vuln marketing campaigns like this one. Then we'll know! Seriously, though, you're not correct. Vulns exist, and people make money patching them, but in the big picture they slow down industry. It's the difference between a garage that repairs cars and a manufacturer of car security systems that makes money fixing its own product. Cars are expected to break down, but if a car door lock has an exploitable vuln, you can imagine the backlash against trying a stunt like this. Having worked in IT security for years, I can attest that vendors try putting spin on vulns in their product all the time... And it blows up in their face every time.

  10. Re: Good for everyone by ole_timer · · Score: 1

    you're confusing marketing with the underlying vulns. a used car salesperson is a used car salesperson. the underlying vulns make a lot of money. marketing depends on the skill of the salesperson. ever been to speakers corner in Hyde Park in London? Don't confuse Hyde Park'ism with people's natural inclination to believe what they hear.

    --
    nothing to see here - move along
  11. Re:Good marketing for the company by omnichad · · Score: 1

    Marketing aside, the main goal appears to have mass-patching occur all at once. The company's name is only mentioned in the background info and in tiny print at the bottom. Something tells me that it is a deep enough bug that unpatched systems will no longer be fully compatible with patched systems.

  12. "ressources availbale" by Anonymous Coward · · Score: 0

    Yeah, that's marketing that really makes me want to give them business since they mind their p's and q's on such a big announcement; nice work Steve-o.

  13. Is 20 days wrong? by Wootery · · Score: 1

    If not this, what is the best way to do responsible disclosure?

> a 20-day lead time gives criminals plenty of time to tear Samba apart

    Indeed, but it's a trade-off between the bad guys getting time to rediscover the bug, and the good guys needing time to schedule repairs.

    1. Re:Is 20 days wrong? by Athanasius · · Score: 1

      This *appears* to be all about hitting the next Microsoft Patch Tuesday. I'm somewhat peeved that all the users of Samba are being made to wait on a fix until that day. I almost want someone else to figure out the vulnerability and publish it so as to get the patches released sooner.

    2. Re:Is 20 days wrong? by tlhIngan · · Score: 1

> If not this, what is the best way to do responsible disclosure?
>
> a 20-day lead time gives criminals plenty of time to tear Samba apart
>
> Indeed, but it's a trade-off between the bad guys getting time to rediscover the bug, and the good guys needing time to schedule repairs.

Well, you first give both Microsoft and Samba a heads up about the vulnerability privately so they can try to fix the bug on their own, not announce to the world that there's a super major bug that won't be fixed or announced for 20 more days.

      And 20 days might not be enough - the bug can easily lie deep within the code in multiple modules, requiring a good redesign in order to fix it properly rather than a bunch of half-fixes (see shellshock), enough so that discovering the location of all the code might take 20 days. The fix itself might take longer since the integration of various modules means one has to be careful of fixing one bug and introducing 10 more variants. And then there's all the QA to ensure that the module wasn't broken in some way.

      Google tried it with a fixed 120 day delay. Microsoft requested a few more days so Patch Tuesday would pass first, but Google refused.

      Here, 20 days might be a good heads up and if you don't hear anything then release it. But if there's a fix, especially a deep one, it may require a lot longer to fix. Or you get things like Shellshock, where there were a bunch of quick fixes released daily because they wanted the fix now, rather than a properly designed, well tested fix.

      And by doing what this guy did, he basically announced the bug - now every bad guy is looking to exploit it - they've been given a 20 day head start. We're not even talking 0-day here...

    3. Re:Is 20 days wrong? by Anonymous Coward · · Score: 0

> Or you get things like Shellshock, where there were a bunch of quick fixes released daily because they wanted the fix now, rather than a properly designed, well tested fix.

      You do know that there were multiple fixes released because there were multiple bugs, right? Once the original "shellshock" bug was announced people looked more closely at bash and found more problems, but the bugs themselves were only superficially related (in that they could be triggered by feeding malicious code to the parser, even if it would never be executed under normal circumstances). Do you think the developers should have held off releasing any patches until they were 100% sure there were no more bugs left?

    4. Re:Is 20 days wrong? by barbariccow · · Score: 1

      Just wait for anybody to discover a vulnerability before that date. Given that they provide no information whatsoever, I bet you that will be it!

  14. Re: Good for everyone by Junta · · Score: 1

    Vulnerabilities in *other* products are the prize. Then these companies come knocking on the doors of the other companies to offer their services for private auditing, the ability to point to security papers in the wild being very valuable as a proof point.

    Profitability is relative. Just like a broken window isn't good for the economy at large, it is however good if you are specifically a glass maker. It's more cost than profit overall, but if you are a company offering auditing services, you don't incur the costs.

If, say, Ford had a car door lock that is vulnerable to something, and some *other* company finds it and gets all over the news, sure bad for Ford, but good for the company that finds it. That company will then contact GM, Toyota, Dodge, Honda, and so on and so forth with the cautionary tale of 'look what happened to Ford, we are so clever, we can help you... for a cost'.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  15. Could be important, might not be... by Junta · · Score: 2

    We shall see when the details are released, but in the wake of Heartbleed, I've grown desensitized to marketing treatment for vulnerabilities. Security people jump up and down and are frequently justified, but sometimes are just stating the obvious and/or something of low practical risk. The problem being in general security folks tend not to weight their 'discoveries', so it's hard to know if this time the sky really is falling (sometimes it really is) or they just didn't like some subtle design decision that actually isn't really invalid, just not how they would have done something.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Could be important, might not be... by Anonymous Coward · · Score: 0

      Heartbleed was a massive problem, it basically rendered most HTTPS traffic exposed, and without PFS, that means all past traffic too. That's a major security issue that deserved big hype.

      This, on the other hand, I'm not sure it'll be nearly as significant. We already don't run SMB/CIFS over the internet, it's only on local networks, which are usually trusted. Even if the vulnerability itself is major, the impact will be notably less than that of heartbleed simply because of that.

    2. Re:Could be important, might not be... by Junta · · Score: 1

      I meant to be saying that after Heartbleed *everything* got hype. Heartbleed deserved it, but after people saw marketing for one security issue, suddenly it became a thing that all security issues get some ridiculous marketing-style bump.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  16. Re:Good for everyone by Anonymous Coward · · Score: 0

    Jofas is looking at a larger picture than you are. Some individuals profit from vulnerabilities, but overall we lose.

  17. If they really wanted to be useful by jlv · · Score: 2

    They'd release the details on the bug 20 days *after* the patches had been released. Saying that they'll release the details on April 12 on the same day patches will be available is bogus. The fact that they made not just a catchy name but also a logo leads me to agree they are attention whores.

    1. Re:If they really wanted to be useful by Anonymous Coward · · Score: 0

      Actually, that would be nonsensical. With open source patches available the details will be known already, and not releasing them in a more general, detailed form would slow the response from developers. As far as exploiting it, some hackers have probably figured it out already.

    2. Re:If they really wanted to be useful by Anonymous Coward · · Score: 0

      My guess is that they want to make people move to current Samba releases to ease the transition to the upcoming release.

  18. Re:Good for everyone by ole_timer · · Score: 1

    jofas said there was no profit. There is. As to who loses, it's not Home Depot or Target or TJX, to name a few. Furnace filters and dresses cost $.03 more, so we ultimately lose. All things designed and built by humans have bugs in them. That's a fact of life. The bugs lead to profits. So, to risk repeating myself, jofas said there was no profit; there is. Whether the company that advertised makes a profit remains to be seen, but someone does. Recognizing who profits is important; saying there is none is wrong. To coin a phrase, those that don't know history are doomed to repeat it.

    --
    nothing to see here - move along
  19. First. Please. by Anonymous Coward · · Score: 0

    First. Please. The router and NAS devices aren't going to get a firmware update, possibly ever, and no amount of advertising or pwning is going to change that. New stuff would have the fix anyway, so it doesn't help there either.

    There is literally no valid excuse for someone to build a website and launch a marketing campaign regarding this bug, other than to draw attention to themselves.

    If Tridge steps in and says he supports the campaign, I'll gladly eat my words. Until then, this campaign is just grandstanding.

  20. Re: Good for everyone by jofas · · Score: 1

    Yes. Vulns in "*other*" products. Not vulns in your OWN product, which you are expected to fix as part of the common social understanding of vendor-customer relationships. Using your example, imagine how pissed off people would be if Ford launched a campaign to announce they are recalling their vulnerable door lock... but only in 30 days, not before.

  21. If someone can see your shares outside your lan by DCFusor · · Score: 1

    You're doing it wrong anyway.

    --
    Why guess when you can know? Measure!
    1. Re:If someone can see your shares outside your lan by Yenya · · Score: 1

      Why would we? There are plenty of usable protocols for service discovery, file sharing, instant messaging, etc., but because of NATs and firewalls, everybody is doomed to use HTTP[s] to some public cloud service instead. The fact that I cannot easily copy photos between my laptop and a cell phone of my friend lying on the same desk and connected to the same WLAN without going through the remote cloud service is pretty disappointing.

      --
      -Yenya
      --
      While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
    2. Re:If someone can see your shares outside your lan by Anonymous Coward · · Score: 0

      The fact that I cannot easily copy photos between my laptop and a cell phone of my friend lying on the same desk and connected to the same WLAN without going through the remote cloud service is pretty disappointing.

      If you're on the same WLAN, any NAT'ing by the mobile carrier or your home ISP is moot, as the connection never goes that far.

      Maybe you're just clueless about networking and how to shuffle files between your devices wirelessly. Here's a hint: one of the devices is the client, one the server, you're both on the same subnet; the internet isn't involved.

    3. Re:If someone can see your shares outside your lan by Yenya · · Score: 1

      I was not talking about not being able to reach the other device on the third layer (IP). My point was that even though we have perfectly good _application_-layer protocols for file sharing (CIFS, which GP thinks should be blocked), we are still doomed to share data between our devices using a third-party public cloud over HTTP[s].

      --
      -Yenya
      --
      While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus