Oh, look, the biased overview that glosses over core optimization features like reference frames, again. The whole thing is basically one big "I optimize H.264 this way, it won't work with VP8, therefore it's crap".
Actually, he just pointed out that just because a law protects someone's economic interests, it is not necessarily good for society at large. You don't address the underlying point, preferring to attack the presentation. He didn't in fact compare the two at all, just described the economic interests protected by fugitive slave laws; any further comparison came from you...
Hence SMS can be better than a call. A call is instantaneous; an SMS can be prioritized and processed in a manner the receiver finds optimal (barring impatient senders, but email is no better in that regard).
Lately it has become fashionable to share useless crap about yourself all the time using texting, myspace, facebook, and twitter.
This has nothing to do with the technology; it's a social trend that can work with any number of communication methods. SMS is pocket email (or IM, depending on usage). A delayed, mobile communication method with many legitimate uses.
Little reminders that don't warrant a phone call/email, like "Remember the milk", are a great personal or even professional use case (think "Next call: network problems at [address]" for a mobile tech). Basically anything that doesn't require instant attention or feedback, is not overly big and is useful to know away from the computer is a candidate for SMS. Automated information pushing is another great use case, from real-time bank account monitoring to server meltdown notifications; calling someone just to read a short message via voice synthesis would be pointless.
If your beef with SMS is the limited length then you literally misunderstand the technology itself. It's a byproduct of GSM design that short messages can be sent without additional network usage; full-blown email requires data transfer with the associated network load issues, so SMS is essentially free for the carrier.
I think in many ways this is the sort of misunderstanding of technology (including uses and misuses) that started this thread; however, it is by no means exclusive (or even necessarily more prevalent) to older people. Many of us are prone to equate any given advance of technology with the most visible use, particularly when we dislike that use. In IT, however, it is important to see how you can use it to achieve your goals, not just adopt the popular case.
The why is easy: it's an email/IM crossover in your pocket. You use one or both of those, right? Or do you just call everyone, for everything, no matter how time-insensitive? Since you understand the how, I don't have to go into the limitations.
What do you consider as necessary and sufficient conditions for a researcher to release exploit code within 5 days notice to a vendor?
I do not consider it the duty of a security researcher to contact a vendor prior to full disclosure at all, meaning that no conditions have to be met. However I do think that responsible disclosure is a good policy.
There certainly isn't any agreement on what the proper waiting period should be. First of all, what do you consider a reasonable time limit, and why?
In this case the vulnerability is easily mitigated, so that alone is reason enough to release early in my opinion. A point you ignored.
an exploit absolutely does exist in the wild because Ormandy made sure it does
An exploit absolutely exists in the wild because Microsoft sold people a vulnerable OS. Blackhats do not need help to write exploits; script kiddies are far less dangerous. We can actively protect ourselves against it because we have been informed.
and at least one site has been compromised, and visitors to that site are vulnerable.
So? Unless you can look into the future and have perfect information of the past, you can't prove that public disclosure hasn't averted more harm than it has "caused" (as said, this only exists because of MS, their bug, period) any more than I can prove that it has.
Patched bugs are exploited on a larger scale than this, and visitors who haven't patched are still vulnerable. Successful responsible disclosure doesn't prevent small-scale, unsophisticated attacks. Proactive people and organizations, on the other hand, are now safe due to disclosure, as mitigation for this bug is dead simple and MS has gratuitously provided a patch to their serf^Wvalued users.
So what is the nature of the known infections? Are we talking about a few more zombies that would have otherwise been gotten with trojans/unpatched machines/unsupported versions of Windows, or the massive data compromises that result from targeted attacks?
That is what he is claiming, and until the other party tells their side, or there is proof otherwise, an involved party is about the best way to get information on things.
The nature of this vulnerability is such that you cannot use it for a targeted attack. You can put the exploit on as many sites as you can, and try to lure traffic there, and accept whatever percentage of machines get compromised -- but you cannot use it for a targeted attack.
Have you completely missed the whole family of "phishing" attacks, spearphishing in particular? Pure social engineering specifically targeted at sysadmins has been successful. An actual exploit targeting less security aware users is likely to succeed.
In the real world, fixing everything instantly (or in the time between Saturday and Wednesday) is *slightly impractical*.
Working with people trying to practice responsible disclosure and addressing their concerns, however, is *common sense*.
I am not making an assumption here. I am going on what was reported. How does this constitute ignoring the point? Please be specific.
It's the assumption that if there are no exploits reported, there are none. I don't have any sources on hand, but I've read reports on black market trading of undisclosed/unknown vulnerabilities. Obviously we don't know about the vulnerability at hand, but it's good to keep in mind that skilled, less than ethical, hackers are going over Microsoft products with a fine-toothed comb, possibly more obsessively than whitehats.
Back to the point: you concede the language used, not the conclusions based on the assumption. I'm not saying you are not considering it, but I don't think you are considering it enough.
The existence of exploits in the wild is the only thing that justifies Ormandy's action.
Repeatedly stating an opinion doesn't strengthen it. Even your initial post allowed for circumstances that apply here, such as ease of mitigation. It's actually a strong point in favor of disclosing "prematurely" (responsible disclosure as such is actively debated within security circles; it's not generally considered a no-brainer) if decisive action from the vendor is indeed absent. Shut down one auxiliary service and you are safe -- can't do that if you don't know you should...
Proof of an exploit for the vuln Ormandy discovered, that existed before he made his exploit public -- what did you think I was asking for?
I hoped you weren't demanding proof for things I didn't claim existed; the burden of proof is not on me, the rest is opinion.
Either way -- I don't see how this supports Ormandy's action.
Fine, don't take it as support, take it as context. If Google, indeed, got bitten by delayed action on Microsoft's part, that kind of thing affects one's actions.
As I said before: if he had followed responsible disclosure policy, and then got fed up of waiting, he would have a point. Saturday through Wednesday?
Plenty of time to evaluate the severity and project a timeline, doesn't have to be set in stone, just reasonable and doable. Combine with the fact that administrators don't need an actual patch to keep their systems safe from this particular exploit... Not to mention sudden prompt action, can't beat that one.
You chose to defend Ormandy's action, and this is what you need, to defend him successfully. Logic led us down this road.
Based on your axioms, yes. I reject the axioms as they are subject to debate.
And you still have no data proving that there were indeed exploits in the wild.
I didn't claim that there are exploits in the wild, only that systems were vulnerable, particularly to skilled adversaries who are likely to find exploits on their own.
You need that data to prove that the disclosure was not damaging.
Well, I didn't make the claim.
The only justification for Ormandy's actions is proof-positive that there are exploits in the wild.
Matter of opinion. It depends on how big of a threat you consider targeted stealth attacks to be compared to automated attacks against known vulnerabilities.
You need to provide that proof, or concede that your stance is incorrect.
Proof of what? That vulnerabilities have been exploited within overly long "known issue to patch" period? Here's a recent one. Proof that it had definitely been exploited before? I didn't make the claim and didn't base my stance on it.
I ask you again -- are you done playing word games?
Are you done unduly placing the burden of proof onto everyone who disagrees with you?
Besides URLs being a poor indicator of amount/accessibility of content, they didn't even draw any conclusions.
URLs are a horrible indication. Dynamically generating endless amounts of slightly different (or hell, the same) porn spam pages has been very easy ever since CGI was introduced.
That is a positive statement; the burden of proof is on you, no matter if you can prove it or not. The correct statement is "no known exploits", but that casts an entirely different light and isn't what you said.
No, 0-day is when the vulnerability is known to be actively exploited before it's publicly disclosed. If exploits pop up the day of disclosure that is still a 1-day. Patches don't even enter the picture.
You kind of skipped over the fact that Ormandy only gave MS 5 days to fix the problem before alerting the world and providing exploit code.
It is Microsoft's obligation to fix their shoddy work, third parties are not responsible for making them look good. Besides you kind of skipped over the fact that he gave them 60 days, if they would commit to that within the five days you claim he gave them. They didn't, I can't blame him one bit for keeping everyone vulnerable for an indefinite amount of time.
Microsoft is a huge corporation and has to both check his work and then get a fix written and scheduled for release.
Funny, they test hundreds upon hundreds of patches to some arbitrary high standard that doesn't allow them to commit to a 60 day fix, yet they can't test their OS worth shit?
Not giving MS time to create a patch and distribute it is being an asshole and Ormandy is responsible for any infections because he couldn't wait a week.
Microsoft introduced a vulnerability in a Microsoft-developed OS that Microsoft sells (EULA disclaimers notwithstanding) as generally useful, internet-worthy software. They, and only they, are responsible for any infections that occur as a result of their negligence. Blaming third parties for informing us of problems MS would prefer to sweep under the carpet to be dealt with (or not, as the case with EOL may be) is beyond ridiculous.
Extorting? Release a fix, or people will be vulnerable? That much was true ever since the bug was introduced. Fix it within 60 days or I'll inform people that there is a problem with the system you sold them? What kind of extortion are you talking about?
Another "feel sorry for Microsoft's security people, they are overloaded" post. If that is the case MS needs to get more people on the problem, since patches can be worked on independently (interaction testing aside). Microsoft is responsible for any and all holes in Windows; they made it, they aren't some underpaid third party trying to fix someone else's fuckups.
60 more days of vulnerability to skilled blackhats without any recourse for the general public or even any guarantees that the issue will actually be addressed during that time frame would be very irresponsible.
That doesn't really need a walled garden then...
That's one. You can find just about any opinion in that quantity. I'm wondering where you see a whole trend.
It was stupid then and it's stupid now. I haven't seen many excuses yet.
Am I the only one who thinks that "rent" was a placeholder for "pirate" for PR purposes?
Do you have proof that contradicts his account?
No, you continue to ignore it.
It's not a word game. Your assumption that there were no exploits undermines your conclusion that disclosure was counterproductive.
No matter how you spin it. Not being cooperative is not being cooperative.
Prove it.
So... We should only fix vulnerabilities when they are widely exploited?
You tell me, I'm not raving about extortion.