
Comments on: Mozilla: Hackers control bug disclosure

Software industry is still at the mercy of bug hunters when it comes to releasing security bugs, Mozilla executive says.

15 Comments
responsible hacking
by n3td3v March 25, 2007 9:10 AM PDT
hackers need to be in control of the situation, that is the fun-da-mental of hacking in the first place.

responsible disclosure only comes if behind the scenes there has been polite conversation between both parties.

if the vendor decides a vulnerability isn't as important as the hacker thinks it is, then you have a problem.

not only should the hacker be in control but the hacker should be able to have his bug prioritized by his judgement and not that of the vendor.

as soon as the vendor starts rearranging the importance of when a bug should be fixed then you have a problem.

the hacker is going to go onto mailing lists and up the ante on the vendor to upgrade the importance of a bug.

if you want responsible disclosure then the vendor needs to think carefully how to treat hackers when an e-mail arrives.

should we say nothing to the hacker because we're a big bold multi billion dollar corporation and fix the bug when we feel like it? or should we have back and forward dialog to make sure the hacker is happy?

and then (if you do decide to have back and forward dialog) for that reason the hacker will be more than happy to follow that corporation's responsible disclosure policy and not risk the nightmare of full disclosure before a patch has been rolled out internationally.
Hackers in Control?
by gmcaloon--2008 March 25, 2007 10:12 AM PDT
Hackers are not and should never be in control of the situation. Hackers are the problem, not the solution.

The biggest problem is hacker hubris, the belief dictated by their egos that the security holes they find in OSes are critical and should be acknowledged as such by the software vendor and if the vendor doesn't release a patch almost instantly, the hacker believes he has the right, even the duty, to go public, thereby alerting every other hacker to have a go at attacking the software. That is totally irresponsible, particularly when the exploit is of the kind wherein the user must be inveigled somehow to go to a malicious web site expressly created to contain the exploit. That kind of exploit is not of critical concern to the software vendor and merits low priority in putting together a patch. Naturally the hacker thinks otherwise, his ego is offended and he goes public.

The situation is made even worse by some security outfits that pay hackers for every bug they can find, thus encouraging hackers to look for vulnerabilities in software. The hackers and some in the security business have a rather nice thing going for themselves insofar as they interact with each other, each encouraging the other.

The obvious solution to this ongoing idiocy is to put hackers out of business. Not an easy thing to do, but mandating prison time might be a starter. There are other solutions, difficult and expensive, that the vendors could implement. Unfortunately it would be at considerable cost to themselves necessitating a major rewrite of their software to detect and prevent any action that the software does not explicitly authorize. This would eliminate simply writing software to accomplish a certain task and leaving it to third parties to try to find out if it can be hacked. I won't hold my breath waiting for that to happen however.
Importance of bug
by Phillep_H March 25, 2007 11:17 AM PDT
> if the vendor decides a vulnerability isn't as
> important as the hacker thinks it is, then you
> have a problem.

Just who do these lowly hackers think they are, arguing the importance of the bugs? If the vendor ignores the bug, then there is obviously no danger to it being released. Right?
The Cold-Hard Reality...
by Gayle Edwards March 25, 2007 1:17 PM PDT
The simple fact is that MANY businesses (especially, the biggest technology corporations) HAVE PROVEN that, as often as not, they WILL IGNORE, or even HIDE, any problem, that they think they can... unless literally forced to deal with it (look at Microsoft, the largest software-corporation in the world... they have a decades-long history of, actually, simply claiming "serious problems" don't even exist... until they were literally clubbed over the head with them... by the "media" and other forms of "public disclosure").

This is just a sad reality of modern business-behavior. In fact, this is actually a very-basic element of human-nature. There are other terms for this problem; "denial", "self-interest", "laziness", "arrogance", and "greed". But, as long as any form of externally-imposed "secrecy" is allowed... and as long as it provides any benefit to those that can exploit such "ignorance"... any form of restriction of such "free expression" -will- inevitably cause HARM to the "consumer".

This basic philosophy; -a little knowledge can be dangerous... but imposed ignorance is far, far, worse-... is, in fact, the very foundation of the American ideal of "Freedom of Speech". Our "Founding Fathers" were, very painfully, forced to acknowledge that controlling information, IS the single greatest power that the corrupt can possess... and that, "self-interest" is one of the most corrupting influences within the sphere of human-experience.

So-called, "responsible disclosure" (and "penalties" that could be used to enforce it), appears to me to be little more than another attempt to forcibly control the vital-information which consumers absolutely MUST have access to, in order to protect themselves and make sound decisions... regarding both "the bad-guys", AND the business-entities that would benefit from such FORCIBLY-IMPOSED ignorance.

This is especially driven home by recognizing, just who are the biggest proponents (and, potentially, beneficiaries) of this, self-styled, "responsible disclosure".

In short, it would be nice if such "vulnerabilities" were only disseminated in a "responsible manner"... But, the FACT is that "the bad-guys" WILL have access to such information, whether "the public" is informed, or not. And, overall, giving companies that produce FLAWED-PRODUCTS, the power to "silence" those that find such flaws, ...is, frankly, a far more worrisome prospect, to me.
Sure but who cares
by ozidigga March 25, 2007 5:16 PM PDT
Sure there are bugs in Mozilla, there aren't any programs which are bug free. Difference between Firefox and IE is that a Bug in Firefox doesn't compromise the entire Operating System like IE bugs do. Also Mozilla release updates for their web-browser more often than Microsoft release updates for IE
Some Do Care.
by gmcaloon--2008 March 25, 2007 8:45 PM PDT
IE bugs can reach farther down into the OS because it is integrated into the OS. Firefox cannot do so because as a third party application it is not allowed such deep access. At that, few hacks are written that can penetrate that deeply into IE and so few do.

However, that makes little difference in that because both browsers' security holes can allow bugs into the system both can cause considerable damage, and that is the important point.

That Mozilla releases the bug fixes more often than Microsoft does is partly because Firefox has more vulnerabilities than IE does and also because Microsoft has been under considerable pressure from the business IT sector to release patches on a set schedule so that IT departments are not bombarded with frequent patches that have to be loaded into hundreds, thousands, of computers. With so small a market share, particularly in large enterprises, Mozilla doesn't face that pressure. It can and does release fixes whenever it suits their schedule. Microsoft used to do the same.
Not ms 'bashing', putting the concerns where they belong
by Dragon Forge March 26, 2007 6:11 AM PDT
Of course it would be out of the question for ms to pay good rewards for bugs that are 'discovered'. I mean it is not like the system is so complicated and convoluted that it would be difficult for ms to do it by themselves, so there is no need to employ the brightest brains to fill in where they are woefully inadequate.

No, their money is better spent making PR contributions and lobbying efforts, for their intelligence resources looking after how to try and market-out more market share, and focus on ignoring and hoping it will go away.

Responsible disclosure!! HAH! ! If you are stupid enough to offer up your halfbaked product to the public, you can not possibly dismiss yourself from the problems and responsibilities of its inadequacies.
Could means what?
by wbenton March 27, 2007 7:59 AM PDT
>>>early release "COULD" help criminals to launch cyberattacks and damage a vendor's reputation.<<<

Maybe, perhaps, possibly, might.

And now what about the other part of the MORE important question.

Cannot the creation of vulnerable software damage a vendor's reputation?

Don't shoot the messenger... they're just bringing the message. It's the developer of the flawed software who "SHOULD" be held responsible.

Notice I capitalized the word "SHOULD" because that matches with "COULD" and means about the same.

Microsoft should be held responsible for every flaw found in their software.

The hackers DID NOT write the code... Microsoft Engineers DID!

If Microsoft's code were solid in the way it was written, the chances of so many flaws occurring would be drastically reduced.

Now back to the story...

The hackers (note there are good and bad ones) are usually aware of the bug before the manufacturer.

Good ones report their findings to the manufacturer in hopes the manufacturer will come out with a timely patch.

But corporations like Microsoft have time and again, slept on those notifications to such a length of time (6 months to several years) that the good guys are getting fed up with reporting them only to find Microsoft is so reluctant to patch.

On top of that, Microsoft, even after notified of a specific flaw, still takes their time and has their own people probe to see whether the flaw the hackers found is in fact a hack or not.

Finally, once Microsoft's engineers have confirmed in fact that the hackers were correct all along... the hackers already knew it though... Microsoft just postponed until their engineers could confirm it... Microsoft still postpones the fix until the next month's regularly scheduled update even for critical flaws unless the industry presses them beyond the point which they can postpone further.

So as far as the >>>early release could help criminals to launch cyberattacks and damage a vendor's reputation.<<<

I think the manufacturer's code, the manufacturer's actions taken after notification of the flaw, and the speed at which the manufacturer patches that flaw are MUCH MORE important to a vendor's reputation than any early disclosure by a good hacker.

However, none of these seem to have any effect on Microsoft whatsoever... but that SHOULDN'T BE the case!

We MUST NOT LET Microsoft continue to get away with their lax security policy after they've been claiming for years that they're working on strengthening their security!!!

Until they do as they say... I think the world should continue to breathe down their throats and hold them responsible for their own sloppy security-weak spaghetti code!!!

FWIW