Slashdot Mirror


Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com)

itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.

7 of 79 comments

  1. Let's make some educated guesses. by Anonymous Coward · · Score: 5, Insightful

    Let's make some educated guesses about this problem.

    1. It is a protocol-related bug, since it affects two different implementations.

    2. It involves file locking, hence the name.

    3. There might very well be some ruthless self-promotion going on here.

    1. Re:Let's make some educated guesses. by phayes · · Score: 5, Informative

      Tridge has very publicly stated that the hard part in making Samba work was not in following Microsoft's specifications but identifying and replicating the bugs in Microsoft's implementations.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:Let's make some educated guesses. by Anonymous Coward · · Score: 3, Insightful

      > 1. It is a protocol-related bug, since it affects two different implementations.

      Ha. As if there was any separation of protocol and implementation at Microsoft.

    3. Re:Let's make some educated guesses. by smooth+wombat · · Score: 3, Insightful

      Trickle down hasn't worked in over 30 years. Just ask Kansas how well it's working for them. Yet somehow "conservatives" think this works.

      You cannot make more people successful if you attack the people who make them successful.

      You cannot make more people richer by only giving them crumbs.

      I'm not a socialist. I'm one of the dying breed of real conservatives. However, when I hear multi-billion dollar companies whine they can't pay their people more yet have no problem giving out multi-million dollar bonuses to people already making a million or more a year AND have billions socked away overseas AND go to the taxpayer for either bailouts or tax breaks or have them build something, it's disingenuous at best and arrogant at worst for them to claim how horrible things are.

      We always hear why certain people are paid huge salaries, because the companies want the best, yet by their actions these same companies are showing they don't want the best people working for them in other capacities because they're not willing to pay them.

      If trickle down had ever worked the salaries of people wouldn't still be the same, adjusted for inflation, as they were 20+ years ago.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  2. Re:Good for everyone by ole_timer · · Score: 3, Insightful

    Vulns are most assuredly profitable or there wouldn't be anyone looking for them.

    --
    nothing to see here - move along
  3. Re:SMB File Shares? by omnichad · · Score: 3, Insightful

    SMB==CIFS

    It's the only decent option for Windows/Linux file sharing. My home server runs Samba as well as Netatalk, because NFS doesn't work as well as it should with OS X either.

  4. Re:Quoted line about lead time is stupid by omnichad · · Score: 4, Insightful

    I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista).

    XP won't get a patch because it's not supported (unless this affects interoperability between patched and unpatched - then they might be motivated).

    But this is a security update. Vista is supported until next April. They're going to have a very hard time convincing the public that they shouldn't patch that. And Windows 7 is far more under the umbrella than Vista.

    Heartbleed got a patch for XP despite it being out of support entirely.