#1, 4th January, 2007, 06:11 PM
Daniel ~
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Are they offering help or ratting us out to the hackers?

Written by Daniel
Thursday, 04 January 2007
Rift Widens Over Bug Disclosure
DarkReading

JANUARY 3, 2007 | There's a growing rift among the research community over whether the Month-of-Bugs initiatives are helping security or hurting it. (See Buggin' Out? and Apple Bug Bites OS X, Windows.)

There's even now a little pushback from one researcher to the current Month of Apple Bugs (MOAB): Landon Fuller, a former engineer for Apple and currently with Three Rings, an online gaming developer, is answering each MOAB bug with a fix of his own...

__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur
#2, 4th January, 2007, 06:49 PM
Gizmo
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

Speaking as a software developer myself, it seems to me like there should be some balance here. If there is a bug in my software that results in a security vulnerability, I definitely want to know about it. However, I don't want to be blind-sided if I can avoid it.

48 hours' notification from the discoverer so that I can get my act together should be sufficient, I would think. That way, there can be a joint announcement where the vulnerability is disclosed and I can tell my users, "Yes, I know about it and I'm looking into it; here's what I know so far...".

At that point, the researcher has done their part and it is all on me to keep my users notified about what is happening with regard to addressing the issue.
#3, 4th January, 2007, 07:25 PM
Daniel ~
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

No doubt some of them need a kick in the ass from time to time... but it seems to me that the researchers have to make a clear decision as to whose side they are on. You hurt my software developer and you hurt me.
#4, 4th January, 2007, 07:42 PM
Favu
AOA's resident barman
 
Join Date: October 2005
Location: /Wales/Abergavenny
Posts: 4,004

I reckon that if they got the devs involved with the MOAB and told them right off about a vulnerability, so that they could immediately start working on a fix, then it makes sense. This way the problem would be solved before hackers can get around to widely using the exploit.

However, if the devs ignore the MOAB (which seems to be the case currently), then a bug is published, hackers work on an exploit and get that out before the hole is patched.

Just my $0.02
#5, 5th January, 2007, 11:29 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

There are several sides to this:

If an announcement of a vulnerability is made, there will be a number of people who will then focus on finding a way of exploiting that vulnerability, even if the details are not public. Thus, the act of announcing the vulnerability can hasten someone writing malicious code for it. (There's a metric called "time to exploit", which is the timespan between an announcement/patch and exploit code being seen. In the current climate, it's less than a week.)

Vendors do need time to respond before things become public. Firstly, they have to be able to reproduce the bug, assuming that it is actually a bug (not all reported vulnerabilities are actually vulnerabilities). Once it has been verified as a bug, fixing can take place. However, in complex situations it may take a significant amount of time to correct the bug and then test that the fix does not break anything else.

Users do not want to be vulnerable. They would rather have a patch before any announcement of a vulnerability was made.

So, if someone announces a vulnerability a day for a month, and the vendor does not have sufficient resources to fix and test 31 new vulnerabilities in a month, what happens?

However, some vendors are not so good at responding in a timely fashion. I am aware of some vendors who have fixed a problem within a day, and I'm aware of some vendors who have taken a year and a half to fix a problem.
#6, 5th January, 2007, 04:53 PM
Gizmo
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

True enough, but think about this:

Are we really so naive as to believe that the security researcher is the first one to have discovered the bug? If it is a popular product, I would have to argue that the bug has probably already been discovered and exploited by the Bad Guys well before the security researcher found it, simply because there is a lot more money in it for the Bad Guys. In such a situation, if it is a serious bug it needs to be addressed as quickly as possible. While it might be embarrassing and even painful for the software developer, people are trusting the developer's product. If that product is abusing their trust, the people need to know that, and know what they can do about it, as quickly as possible. Suggesting that we are better off to keep the vulnerability secret until it can be addressed is rather like suggesting that getting stepped on by an invisible elephant is preferable to getting stepped on by one I can see.

For less popular products, then it may be true that the researcher is the first one to discover it, but if that is the case, the risk of damage from exposure is going to also be significantly smaller.

Sorry, but I really don't buy the whole "We are better off not to know about it until it can be fixed" argument. That whole line of reasoning is how we end up with products like Windows.
#7, 5th January, 2007, 05:05 PM
Daniel ~
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Hey! What's wrong with Windows!? LOL LOL LOL LOL
Copyright ©2001 - 2010, AOA Forums