Slashdot Mirror

← Back to Stories (view on slashdot.org)

Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com)

Posted by timothy on from the good-for-some-people dept.

itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.

16 of 79 comments (clear)

  1. Let's make some educated guesses. by Anonymous Coward · · Score: 5, Insightful

    Let's make some educated guesses about this problem.

    1. It is a protocol-related bug, since it affects two different implementations.

    2. It involves file locking, hence the name.

    3. There might very well be some ruthless self-promotion going on here.

    1. Re:Let's make some educated guesses. by phayes · · Score: 5, Informative

      Tridge has very publicly stated that the hard part in making Samba work was not in following Microsoft's specifications but identifying and replicating the bugs in Microsoft's implementations.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:Let's make some educated guesses. by Anonymous Coward · · Score: 3, Insightful

      > 1. It is a protocol-related bug, since it affects two different implementations.

      Ha. As if there was any separation of protocol and implementation at Microsoft.

    3. Re:Let's make some educated guesses. by hey! · · Score: 2, Interesting

      For years I had a company whose clients were public health agencies. One time one of my customers said this to me, "You guys can do all kinds of great stuff, but the problem with you is that you want money for everything."

      I was nonplussed. I just couldn't get my brain around the fact that he saw the fact that we charged for our services as somehow venal; after all this wasn't a field I went into to get rich, because that sure would have been a bust. The reason we could do things that people had only dreamed about doing as that we did something that nobody in the public sector could: hired a team of talented and qualified engineers to work on these problems. The downside of that was that those engineers don't come cheap; any time money wasn't coming in we'd be bleeding it at eye-popping rates. So we did indeed bring in a lot of money, but it all went straight out to feed the payroll dragon.

      I'm glad I did my little bit for humanity, I think everyone should at some point in their career. But I probably wouldn't do it again.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Let's make some educated guesses. by mwvdlee · · Score: 2

      Trickle down economics:
      Small government, because otherwise a lot of money is wasted on people who are not me.
      Big corporate, because otherwise a lot of money is wasted on people who are not me.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    5. Re:Let's make some educated guesses. by KGIII · · Score: 2

      any time money wasn't coming in we'd be bleeding it at eye-popping rates

      This is very, very astute and true. It's one of the things to note if you're going to hang out your shingle and expect to employ people. They expect to be paid - even if there's no money coming in and making payroll is important. Which, if you're curious, is how I ended up having to learn to do all the various tasks that needed doing. There was a point in time where I even helped to keep the place clean - emptying trash, sweeping and mopping, and even coming in on weekends to clean everything from workstations to windows. (At the time, only a few of the workstations had Windows! They were mostly SunStations as I recall.) Of course, that's not really the type of windows I meant.

      There were a lot of 16 hour days because hiring more people wasn't in the cards at the time. Yes, I could have afforded them for the time being. But could I have kept them both employed and stimulated during a lull? I could have pretended and just hired and laid off but I'm sure the reputation would have gotten around and I'm just not that kind of person.

      --
      "So long and thanks for all the fish."
    6. Re:Let's make some educated guesses. by smooth+wombat · · Score: 3, Insightful

      Trickle down hasn't worked in over 30 years. Just ask Kansas how well it's working for them. Yet somehow "conservatives" think this works.

      You cannot make people more people successful if you attack the people who make them successful.

      You cannot make more people richer by only giving them crumbs.

      I'm not a socialist. I'm one of the dying breed of real conservatives. However, when I hear multi-billion dollar companies whine they can't pay their people more yet have no problem giving out multi-million dollar bonuses to people already making a million or more a year AND have billions socked away overseas AND go to the taxpayer for either bailouts or tax breaks or have them build something, it's disingenuous at best and arrogant at worst for them to claim how horrible things are.

      We always hear why certain people are paid huge salaries, because the companies want the best, yet by their actions these same companies are showing they don't want the best people working for them in other capacities because they're not willing to pay them.

      If trickle down had ever worked the salaries of people wouldn't still be the same, adjusted for inflation, as they were 20+ years ago.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  2. Bad for everyone by jofas · · Score: 2

    Vulnerabilities aren't profitable. The cockroaches who make money from their fallout might see it that way because that how racketeers think, but vulns hurt business overall. And that's setting aside potentially ruined lives because of identity theft etc. The heartbleed marketing fiasco brought out of the woodwork low-lives who made fake "test your system for heartbleed" pages. This is not a good thing.

  3. Re:Good for everyone by ole_timer · · Score: 3, Insightful

    Vulns are most assuredly profitable or there wouldn't be anyone looking for them.

    --
    nothing to see here - move along
  4. Re:SMB File Shares? by omnichad · · Score: 3, Insightful

    SMB==CIFS

    It's the only decent option for WindowsLinux file sharing. My home server runs Samba as well as Netatalk, because NFS doesn't work as well as it should with OS X either.

  5. Re: Quoted line about lead time is stupid by jofas · · Score: 2

    TFA mentions (if you read it) that a samba dev is the one releasing the bug.

  6. Re:Win Win For The Attention Whores by omnichad · · Score: 2

    There are a lot of embedded implementations of Samba, meaning a lot of firmware patches going out right after this. That includes hundreds of models of routers and NAS units.

  7. Re:Quoted line about lead time is stupid by omnichad · · Score: 4, Insightful

    I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista)

    XP won't get a patch because it's not supported (unless this affects interoperability between patched and unpatched - then they might be motivated).

    But this is a security update. Vista is supported until next April. They're going to have a very hard time convincing the public that they shouldn't patch that. And Windows 7 is far more under the umbrella than Vista.

    Heartbleed got a patch for XP despite it being out of support entirely.

  8. Re:SMB File Shares? by Aaden42 · · Score: 2

    Out of curiousity, what troubles have you had with an OSX NFS client to a Linux server? I use the automountd approach (access /net/SERVERNAME/SHARENAME), and it’s pretty good. It does get stupid if the NFS server goes away for any reason. Usually have to restart the Mac before things are normal again if the server reboots or any of the NFS/sunrpc daemons crash. And of course I still need Netatalk for TimeMachine.

    Other than that, I find NFS is faster than Netatalk by a goodly bit. I have been meaning to try a good benchmark of CIFS, NFS, and Netatalk with 10.11 as the special sauce for CIFS is supposedly even more special now...

  9. Could be important, might not be... by Junta · · Score: 2

    We shall see when the details are released, but in the wake of Heartbleed, I've grown desensitized to marketing treatment for vulnerabilities. Security people jump up and down and are frequently justified, but sometimes are just stating the obvious and/or something of low practical risk. The problem being in general security folks tend not to weight their 'discoveries', so it's hard to know if this time the sky really is falling (sometimes it really is) or they just didn't like some subtle design decision that actually isn't really invalid, just not how they would have done something.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  10. If they really wanted to be useful by jlv · · Score: 2

    They'd release the details on the bug 20 days *after* the patches had been released. Saying that they'll release the details on April 12 on the same day patches will be available is bogus. The fact that they made not just a catchy name but also a logo leads me to agree they are attention whores.