Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com)
itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.
Let's make some educated guesses about this problem.
1. It is a protocol-related bug, since it affects two different implementations.
2. It involves file locking, hence the name.
3. There might very well be some ruthless self-promotion going on here.
Vulnerabilities aren't profitable. The cockroaches who make money from their fallout might see it that way because that's how racketeers think, but vulns hurt business overall. And that's setting aside potentially ruined lives because of identity theft etc. The Heartbleed marketing fiasco brought out of the woodwork low-lives who made fake "test your system for Heartbleed" pages. This is not a good thing.
Vulns are most assuredly profitable or there wouldn't be anyone looking for them.
nothing to see here - move along
SMB==CIFS
It's the only decent option for Windows/Linux file sharing. My home server runs Samba as well as Netatalk, because NFS doesn't work as well as it should with OS X either.
TFA mentions (if you read it) that a samba dev is the one releasing the bug.
you're confusing marketing with the underlying vulns. a used car salesperson is a used car salesperson. the underlying vulns make a lot of money. marketing depends on the skill of the salesperson. ever been to speakers corner in Hyde Park in London? Don't confuse Hyde Park'ism with people's natural inclination to believe what they hear.
Marketing aside, the main goal appears to be to have mass-patching occur all at once. The company's name is only mentioned in the background info and in tiny print at the bottom. Something tells me that it is a deep enough bug that unpatched systems will no longer be fully compatible with patched systems.
There are a lot of embedded implementations of Samba, meaning a lot of firmware patches going out right after this. That includes hundreds of models of routers and NAS units.
I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista).
XP won't get a patch because it's not supported (unless this affects interoperability between patched and unpatched - then they might be motivated).
But this is a security update. Vista is supported until next April. They're going to have a very hard time convincing the public that they shouldn't patch that. And Windows 7 is far more under the umbrella than Vista.
Heartbleed got a patch for XP despite it being out of support entirely.
Probably much more. In Microsoft land, bug == undocumented feature. It could be quite possible that many "enterprise" software "solutions" depend on the bug for functioning at all. Fixing the bug will pull the rug under them and make them stop working.
If not this, what is the best way to do responsible disclosure?
a 20-day lead time gives criminals plenty of time to tear Samba apart
Indeed, but it's a trade-off between the bad guys getting time to rediscover the bug, and the good guys needing time to schedule repairs.
Out of curiosity, what troubles have you had with an OS X NFS client to a Linux server? I use the automountd approach (access /net/SERVERNAME/SHARENAME), and it's pretty good. It does get stupid if the NFS server goes away for any reason. Usually have to restart the Mac before things are normal again if the server reboots or any of the NFS/sunrpc daemons crash. And of course I still need Netatalk for Time Machine.
Other than that, I find NFS is faster than Netatalk by a goodly bit. I have been meaning to try a good benchmark of CIFS, NFS, and Netatalk with 10.11 as the special sauce for CIFS is supposedly even more special now...
Besides, I thought they were shying back toward SMB terminology, since 'CIFS' didn't really catch on. I prefer SMB because CIFS doesn't really describe it as well (it's not really the best strategy for 'internet', it's 'common' by virtue of everyone else having to cave because MS wouldn't do it like anyone else, etc).
But yes, the description of the *potential* security is out of date (Though NTLM still in practice plays a huge role for most folks).
XML is like violence. If it doesn't solve the problem, use more.
Wtf? You should give 20 days' lead time *privately* to the responsible parties to fix it (Microsoft in this case).
You should *not* *publicly* announce it until the day before or the day the patch goes live, because that gives time for other people (including people not even in the business who wouldn't care otherwise) to re-discover the vulnerability on their own (any detail about the product, versions affected, etc. is a hint; and some of those people *may* actually have a way to buy/fetch more info about the bug in many ways, e.g. social engineering, someone on the team selling the info, etc.).
Is that so hard to understand?
Vulnerabilities in *other* products are the prize. Then these companies come knocking on the doors of the other companies to offer their services for private auditing, the ability to point to security papers in the wild being very valuable as a proof point.
Profitability is relative. Just like a broken window isn't good for the economy at large, it is however good if you are specifically a glass maker. It's more cost than profit overall, but if you are a company offering auditing services, you don't incur the costs.
If, say, Ford had a car door lock that is vulnerable to something, and some *other* company finds it and gets all over the news, sure, bad for Ford, but good for the company that finds it. That company will then contact GM, Toyota, Dodge, Honda, and so on and so forth with the cautionary tale of 'look what happened to Ford, we are so clever, we can help you... for a cost'.
We shall see when the details are released, but in the wake of Heartbleed, I've grown desensitized to marketing treatment for vulnerabilities. Security people jump up and down and are frequently justified, but sometimes are just stating the obvious and/or something of low practical risk. The problem being in general security folks tend not to weight their 'discoveries', so it's hard to know if this time the sky really is falling (sometimes it really is) or they just didn't like some subtle design decision that actually isn't really invalid, just not how they would have done something.
I wish I could remember. I do use some OSX-specific things that require that resource fork. Color labels for files is one. But also, I don't think some files got proper icons when on an NFS share. And some Mac software needs the resource fork for important file data (FCP is a likely one), but I don't know for sure that I store any files there that need it.
I also like being able to reconnect within the GUI when the server is rebooted.
Samba sucks with OSX. Stupid UNIX rights-carryover issues, dotfiles, broken connections, sleep issue... it is horrible.
--"Proud" Samba, Linux, and OSX user for well over a decade, stuck switching to Windows servers.
The resource forks are transparent to UNIX users, but Windows users complain about the garbage dotfiles. Dropping connections though, predominantly on sleep but also other random cases, is the killer. Logging out to reconnect makes me love my Mac...
Fortunately, only have to log out and/or reboot about 10% of the time.
Glad I have shell access and can SFTP when using the VPN though.
This is why I use Netatalk too. AFP is fairly smooth compared to SMB.
They'd release the details on the bug 20 days *after* the patches had been released. Saying that they'll release the details on April 12 on the same day patches will be available is bogus. The fact that they made not just a catchy name but also a logo leads me to agree they are attention whores.
I have Samba set to portray dot files as hidden, so I don't have any trouble there.
My server rarely reboots, but the server "goes away" when I have to reboot my cable modem (and then reboot my router or it won't work because it's a cheap modem).
jofas said there was no profit. There is. As to who loses, it's not Home Depot or Target or TJX, to name a few. Furnace filters and dresses cost $.03 more, so we ultimately lose. All things designed and built by humans have bugs in them. That's a fact of life. The bugs lead to profits. So, at the risk of repeating myself, jofas said there was no profit; there is. Whether the company that advertised makes a profit remains to be seen, but someone does. Recognizing who profits is important; saying there is none is wrong. To coin a phrase, those that don't know history are doomed to repeat it.
This is a long standing issue with MS in particular but is not exclusive to them in any way.
Developers find undocumented features or have some inside track to learn about them but, since they are undocumented, they are subject to change without notice.
So, if you are relying on undocumented features for your software to work... you are living precariously.
My eyes reflect the stars and a smile lights up my face.
MS has already backtracked once and released an out-of-cycle patch for IE on XP.
If this is severe enough, they may do it again.
I prefer to have it show up as a Volume in Finder. Don't ask me why, because you won't get a good answer. I have NFS shares set up on that server too, which is how MythTV accesses my movie library.
How do you make the dotfiles hidden on Samba, but still accessible for the resource fork? I love the reliability of our Samba server at work; 400 days of uptime (between power outages) is normal. Really looking forward to rebooting a Windows server every month...
How do you make the dotfiles hidden on Samba, but still accessible for the resource fork?
One, hidden files are not inaccessible.
Two, I don't use Samba with OS X - I access the same folder over AFP with Netatalk.
Yes. Vulns in "*other*" products. Not vulns in your OWN product, which you are expected to fix as part of the common social understanding of vendor-customer relationships. Using your example, imagine how pissed off people would be if Ford launched a campaign to announce they are recalling their vulnerable door lock... but only in 30 days, not before.
If you are hiding the dot files, what happens when a PC user moves a Mac-generated file? Won't it lose the resource fork?
I'm not running any Linux file servers, but when a Mac accesses a Windows server over SMB, or even AFP, it will encode the resource fork into the file as an alternate data stream. It makes my Mac users' lives a whole lot easier when their Adobe CS files are not broken.
It's my home server. So any "user" is going to be me (I'm the one using Mac files). Most file types don't use resource forks anymore (Adobe Suite being the one main exception), but I think the only thing in the resource fork on AI or PSD files is just a preview thumbnail - which I don't want to lose. I can still open the file from Windows and it works just fine. Very few file types still have a separate mac-only variation, so all the important data is in the data fork anyway.
You're doing it wrong anyway.
Why guess when you can know? Measure!
Thanks; I was thinking you used veto_files. Wasn't aware of hide_files until you sparked my curiosity.
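As an added illustration of the distinction the two posts above are getting at (not the poster's own configuration; the share name and path are assumptions), here is what the two Samba parameters look like in smb.conf and why one of them would break Mac clients:

```ini
[mac-share]
   ; Share name and path are assumptions for this example.
   path = /srv/share
   read only = no

   ; Default is already yes; stated explicitly so the behaviour is visible.
   ; Names beginning with '.' get the DOS hidden attribute, so Windows
   ; clients don't list them by default, but they stay fully accessible:
   ; a Mac can still read and write its ._* AppleDouble sidecar files.
   hide dot files = yes

   ; General-purpose list for other names that should be hidden-but-accessible.
   ; Entries are '/'-separated and may contain wildcards.
   hide files = /Thumbs.db/desktop.ini/

   ; NOT this: 'veto files' makes matching names invisible AND inaccessible.
   ; With the pattern below a Mac could no longer create its ._* sidecars,
   ; so the resource fork (e.g. the preview thumbnail in PSD/AI files
   ; mentioned above) would silently be dropped on save.
   ; veto files = /.*/
```

Run `testparm` after editing to confirm the file parses and to see which values differ from the defaults.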
Does Netatalk have issues with file locking when "sharing" with Samba?
Haven't any idea. I just simply don't have a use case where the same file will be open for editing on two systems at once. But I would assume both Samba and Netatalk pass file locks down to the underlying system, considering local access should be restricted the same way.
Actually this whole thing is really dumb. They didn't give any information other than a name and a website and that they told Microsoft.
Watch, I can do it too!
I have just discovered a bug "LinkLock" in the SMB protocol! I've informed Microsoft and they will patch it on April 16th.
See? Now can I have my 500,000 hits please?