
Firm To Release Database, Web Server 0-Days

CmdrTaco posted more than 4 years ago | from the ready-for-impact dept.

Security 220

krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."


Who gives a fuck? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30727572)

I mean really.

True dat (-1)

Anonymous Coward | more than 4 years ago | (#30727798)

Ya know?

Responsible Disclosure (0)

Mud_Monster (715829) | more than 4 years ago | (#30727588)

The alternative to responsible disclosure is irresponsible disclosure. Is that really better?

Re:Responsible Disclosure (5, Insightful)

MachDelta (704883) | more than 4 years ago | (#30727664)

The alternative to irresponsible disclosure is for the vulnerability to be used maliciously for an unknown period of time. Which of those is preferable?

Re:Responsible Disclosure (0)

Anonymous Coward | more than 4 years ago | (#30728572)

The responsible disclosure. The one where only a couple people in the world (if any) know how to exploit it before the patch. Instead of the irresponsible one where every script kiddie knows how to exploit it before the patch. You'd think that would be common sense.

THOSEDIRTYRUSSIANS !! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30728736)

Waduyaexpect ?? theworldwouldbeabetterplacewithoutthem !!

Re:Responsible Disclosure (3, Interesting)

lordsid (629982) | more than 4 years ago | (#30728748)

Basically what this is about is choice. The companies in question have been notified of the security flaws in their product. They have as of yet not fixed said flaws. They have instead prioritized other projects above fixing the bugs. The choice was given to the companies in question. The choice is now being removed due to their inaction.

I will take irresponsible disclosure any day over people not fixing known bugs. This is forcing their hand and that is why they don't like it.

All in all, tough shit for the companies involved.

In an ideal world security flaws would be fixed when they are discovered. I think we can all agree this is not an ideal world.

Re:Responsible Disclosure (1)

arose (644256) | more than 4 years ago | (#30729050)

The one where an unknown number of people in the world know how to exploit it before the patch.

FTFY.

Re:Responsible Disclosure (1)

fearlezz (594718) | more than 4 years ago | (#30728638)

The third option: "Dear developers of [insert product name], I've found a security issue in [insert product name]. Details are attached. I give you 14 days before releasing this information publicly."

Re:Responsible Disclosure (4, Insightful)

gregarican (694358) | more than 4 years ago | (#30727668)

Here's a quote from TFA...

Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

Re:Responsible Disclosure (5, Insightful)

mcrbids (148650) | more than 4 years ago | (#30728030)

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

It's most likely a case of resource management and insufficient resources available. Businesses exist to make money. Features make money, bugs cost money. So, given NNN amount of money, do you:

A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or

B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?

Now, the clueful would note that the set of B includes the set of A, but for those who are living close to the edge, A is where the attention goes, and that's why you see announcements like this one.

Re:Responsible Disclosure (2, Insightful)

mcgrew (92797) | more than 4 years ago | (#30728816)

It's most likely a case of resource management and insufficient resources available. Businesses exist to make money.

And as long as we keep putting up with shoddy software, they'll continue to sell it to us. Bugs cost money, as you said, so I would think they might put a few more resources to getting rid of the bugs before they shovel it out the door.

Re:Responsible Disclosure (1)

rcharbon (123915) | more than 4 years ago | (#30729018)

Whoa! You forgot C) Add more features to make product appear better in checklist comparisons. That trumps fixing little ol' bugs!

Re:Responsible Disclosure (1)

flimflammer (956759) | more than 4 years ago | (#30728798)

I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.

The problem I have with this is that they have grown annoyed with a few specific vendors not doing anything about the vulnerabilities, and have decided instead to widely expose many vulnerabilities from vendors they have not ever even talked to. If you're not even going to try to talk to any vendors at all, even vendors with whom you've never spoken at any point in the past, I would consider that quite irresponsible.

Re:Responsible Disclosure (2, Insightful)

couchslug (175151) | more than 4 years ago | (#30727702)

Yes, because it coerces vendors to fix vulns and therefore improves ecosystem health.

If the internet ecosystem were not under steady attack, it would be weak and much more vulnerable.

What does not kill it makes it stronger.

Re:Responsible Disclosure (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30728272)

They were most likely allocating those resources to what they perceived as bigger bugs. These security researchers want *their* bugs to have top priority, because it allows them to make a name for themselves. They're no Robin Hoods.

Re:Responsible Disclosure (1)

Dan Ost (415913) | more than 4 years ago | (#30728842)

Features != Bugs

Just because marketing puts a higher priority on new features than it does fixing bugs doesn't mean that that is a better allocation of developer resources.

Of course, even if the bug is in the wild, if they're sure it's not exploitable, they can ignore it to continue working on new features. All they're really risking in that case is their reputation.

Re:Responsible Disclosure (1, Offtopic)

mcgrew (92797) | more than 4 years ago | (#30728534)

What does not kill it makes it stronger.

Tell "what does not kill me makes me stronger" to a brain-damaged man in a wheelchair. If there were no attacks, vulns would be little problem. As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam.

Re:Responsible Disclosure (2, Informative)

vadim_t (324782) | more than 4 years ago | (#30728744)

Yes, but it's unrealistic to expect that if researchers didn't publish attacks, there wouldn't be any.

Somebody found the hole. It can't be that they're the only person on the planet who could possibly figure it out. Eventually somebody else will find it too, or maybe already has. If that person happens to have something malicious in mind, they won't publicly disclose it. They'll exploit it for their own gain, or sell the information to people who will do that.

If nobody disclosed vulnerabilities for the public's benefit, they'd never get disclosed until somebody got hit with them. First somebody would perform a successful attack, and a postmortem examination would eventually result in figuring out what happened. But doing things this way means at least one victim is 100% guaranteed, and nobody can prepare for it in advance.

Re:Responsible Disclosure (1)

mcgrew (92797) | more than 4 years ago | (#30729004)

I'm in the camp that says if you find a vuln, give them X days to fix it, then disclose it to the public.

Re:Responsible Disclosure (1)

Stormcrow309 (590240) | more than 4 years ago | (#30729036)

I thought it was 'what doesn't kill me cripples me for life'...

Re:Responsible Disclosure (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30727728)

Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.

The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line. Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.

Re:Responsible Disclosure (0)

Anonymous Coward | more than 4 years ago | (#30728360)

Pro life are against choice, your analogy is flawed.

Re:Responsible Disclosure (1)

jedidiah (1196) | more than 4 years ago | (#30728446)

...usually. Sometimes pro-life can mean they want you to "choose life". Although that's not the way it usually goes since the noisiest part of the "pro life" crowd are fundie nutbags who want to meddle in everyone's lives.

Re:Responsible Disclosure (1)

ckaminski (82854) | more than 4 years ago | (#30728522)

Pro-life is typically used to mean "ANTI-abortion" and not "Pro-choice for you if you want it, more power to ya, but no fucking way you're aborting MY baby".

Re:Responsible Disclosure (1)

Bosonic (1648053) | more than 4 years ago | (#30728986)

But also tends to include the "Pro-choice, but please choose life!" crowd.

Re:Responsible Disclosure (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30728566)

Let's not go there. The point is that calling it "responsible disclosure" makes arguing against it much harder than, for example, calling it "delayed disclosure" would.

Re:Responsible Disclosure (1)

The End Of Days (1243248) | more than 4 years ago | (#30728682)

And pro-choice could be reasonably renamed pro-baby death. Why quibble over the semantics like a bunch of droolers? It's not like anyone changes their mind anyway, it's all masturbation.

For the record, I am in favor of mandatory abortions.

Re:Responsible Disclosure (2, Funny)

Anonymous Coward | more than 4 years ago | (#30728902)

I am in favor of mandatory masturbation (to prevent the need for abortions.)

Re:Responsible Disclosure (4, Interesting)

hawkeye_82 (845771) | more than 4 years ago | (#30727744)

This is like punishment.

The irresponsible party in this case, is the software vendor. If the vendor can't clean up their act, and at least work on fixing 0-day exploits, then public disclosure/humiliation is probably a good way to get at least some vendor to sit up, take note and do the right thing the next time around.

This sounds like a good case for establishing a procedure.

1. Contact vendor about exploit, with an expiry date.
2. Release information about exploit once date has expired, irrespective of whether bug is fixed, and the fix deployed.

Is there perhaps a clearing house for such things?

Re:Responsible Disclosure (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30727898)

That is what is generally called "responsible disclosure". The point here however is that vendors allegedly twiddle thumbs as long as the exploit isn't released, so any time you give the vendor before you release the information is time wasted, unnecessarily leaving admins of vulnerable systems in the dark.

Re:Responsible Disclosure (5, Insightful)

csartanis (863147) | more than 4 years ago | (#30727774)

Yes, because "responsible" goes both ways. They're being responsible by notifying the vendor before going public. If the vendor is not fixing the issue, it's time to go public.

As far as I'm concerned a public release is still a responsible one. At least in that case everyone knows about it.

Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain. The vendor's customers get screwed and the vendor has no idea that it's even happening.

Re:Responsible Disclosure (4, Interesting)

morgan_greywolf (835522) | more than 4 years ago | (#30727900)

The term "responsible disclosure" is newspeak for "keep your mouth shut". The alternative to 'responsible disclosure' is that the vulnerabilities continue to exist for sometimes years, with wild exploits happening perhaps unknown for long periods of time.

I think it's okay to notify the company and give them time to fix the bug, but time on the order of years is completely unreasonable. On the Internet, a year is a very, very long time.

Re:Responsible Disclosure (3, Insightful)

Lally Singh (3427) | more than 4 years ago | (#30727964)

God forbid vendors actually start testing their software *before* it's in the field.

Re:Responsible Disclosure (1)

MrNaz (730548) | more than 4 years ago | (#30728286)

Yea, if only software vendors could take a page out of Larry Singh's book and have an immaculate record of having never given code to anyone else that contained even the smallest bug.

Re:Responsible Disclosure (1)

TubeSteak (669689) | more than 4 years ago | (#30728224)

The alternative to responsible disclosure is irresponsible disclosure. Is that really better?

The alternative to "responsible disclosure" is "full disclosure".
"Irresponsible" is only disclosing 0-day exploits to black hats.

The world isn't black and white.
Just because someone frames the issue as "X or Y" doesn't mean that "or" isn't an option.

Re:Responsible Disclosure (1)

Hurricane78 (562437) | more than 4 years ago | (#30728712)

tl;dr: Of course I prefer the company fixing the bug, but in case they fail at that, I at least want to know of it and be on the same level as the crackers.

You got something wrong: The position of the crackers is that it’s the companies who act irresponsibly, e.g. by doing nothing when they should close the bugs, or by suing those who found some hole. Which I agree with. I’d go so far as to offer a prize to anyone who can demonstrate an exploit for my software. With that prize always being worth enough to stop interest in pursuing other ways to take advantage of them. If someone is really good, he might even get a permanent post.

The only reason I can imagine, why someone would do something else, is because he still is a “3 year old” who can not handle any critique and has to become aggressive or repressive against anything that suggests he is not god.
In other words: Typical upper-level PHB behavior.

And under those circumstances, the responsible thing to do, is to at least protect the clients, by telling them about the risks of doing business with that company and of using that software.

What's up with the confusing article title? (5, Insightful)

Qubit (100461) | more than 4 years ago | (#30727652)

Firm To Drop Database, Web Server 0-Days

The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:

Fed-up security firm to release Database & Web Server vulnerabilities publicly

Look at how much more information is conveyed in that second title. A work of beauty, it is.

Re:What's up with the confusing article title? (3, Funny)

gregarican (694358) | more than 4 years ago | (#30727704)

Perhaps the firm is issuing a malicious DROP DATABASE T-SQL command, escaping through some unsanitized web query...

Re:What's up with the confusing article title? (4, Funny)

Arancaytar (966377) | more than 4 years ago | (#30728016)

We're lucky Slashdot properly escapes its SQL input. A headline like "Firm to 'DROP DATABASE `web_server`" might otherwise result in havoc. :P

Re:What's up with the confusing article title? (3, Funny)

gregarican (694358) | more than 4 years ago | (#30728116)

So let me get this straight. Slashdot validates their SQL input. But they don't validate their HTML conformance [w3.org] ?

Re:What's up with the confusing article title? (2, Informative)

iammani (1392285) | more than 4 years ago | (#30728726)

The same with google.com [w3.org] or gmail.com [w3.org] or facebook [w3.org] or any website that needs to support a variety of browsers (even browsers that are not standards compliant).

PS: wikipedia was complaint, its should applauded for its effort.

Re:What's up with the confusing article title? (4, Funny)

tftp (111690) | more than 4 years ago | (#30729000)

PS: wikipedia was complaint, its should applauded for its effort.

What have I done to deserve this pain?

Re:What's up with the confusing article title? (0)

Anonymous Coward | more than 4 years ago | (#30729098)

Maybe someone should complain to them about this.

Re:What's up with the confusing article title? (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#30728746)

So let me get this straight. Slashdot validates their SQL input. But they don't validate their HTML conformance [w3.org] ?

What does one have to do with the other? Proper sanitization of inbound data is basic security. HTML conformance is important too, but failing to conform isn't going to result in data theft, loss, or corruption on the servers.

Re:What's up with the confusing article title? (1)

General Wesc (59919) | more than 4 years ago | (#30728782)

That's terrible! Everyone knows HTML validity is just as important as basic security.

Re:What's up with the confusing article title? (1)

gregarican (694358) | more than 4 years ago | (#30728870)

Swoosh...

Re:What's up with the confusing article title? (0)

Anonymous Coward | more than 4 years ago | (#30728808)

SQL sanitation is prob just a tad bit more important than fixing a few trivial html errors.

Re:What's up with the confusing article title? (0, Offtopic)

mchugh (627644) | more than 4 years ago | (#30728168)

We're lucky Slashdot properly escapes its SQL input. A headline like "Firm to 'DROP DATABASE `web_server`" might otherwise result in havoc. :P

"Oh, yes. Little Bobby Tables, we call him."

http://xkcd.com/327/ [xkcd.com]

Re:What's up with the confusing article title? (1)

MrNaz (730548) | more than 4 years ago | (#30728314)

I think you're confusing him with CmdrTbls.

What about bobby tables? (4, Funny)

0100010001010011 (652467) | more than 4 years ago | (#30728198)

This guy should rename his name to Bobby Tables [xkcd.com] at the same time. Imagine the number of newspapers that would try to do a press release, but couldn't.

Re:What's up with the confusing article title? (3, Informative)

Anonymous Coward | more than 4 years ago | (#30728098)

Firm To Drop Database, Web Server 0-Days

The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:

Fed-up security firm to release Database & Web Server vulnerabilities publicly

Look at how much more information is conveyed in that second title. A work of beauty, it is.

In the submit story page, your proposed headline would look like:

Fed-up security firm to release Database & Web Ser

See how it truncates?

Re:What's up with the confusing article title? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30728370)

Fed-up Firm to release 0-Day Exploits
Fed-up Firm to release DB and Web Server exploits

Or other hundreds of ways it can be phrased within the character limit.

Re:What's up with the confusing article title? (1)

Qubit (100461) | more than 4 years ago | (#30728896)

In the submit story page, your proposed headline would look...

Yeah, but one person looks at the headline on the Submit Story page. Then an editor pokes it with a stick. All the rest of Slashdot reads it on the front page.

I always figured that the editors ruthlessly edit the headlines, as is their Cowboy-Neal-granted right. Maybe they don't even bother to do that anymore...

Re:What's up with the confusing article title? (3, Interesting)

noidentity (188756) | more than 4 years ago | (#30728160)

Yes, I assumed this was an article about a firm dropping support for a database and webserver without any notice (perhaps a DRM-supplying company or something). Just below this headline is another misleading one, "CES Vendors Kicked Out of Hotels For Showcasing Wares in Room", which suggests they were showing pirated software.

Re:What's up with the confusing article title? (1)

DMUTPeregrine (612791) | more than 4 years ago | (#30728846)

"Wares" does not mean pirated software, "warez" does. "Wares" just means any items offered for sale.

Re:What's up with the confusing article title? (0)

Anonymous Coward | more than 4 years ago | (#30728890)

Um. No. That would be 'Warez'. Wares are things that people sell. A grocery store's wares include things like soup and dish detergent.

Re:What's up with the confusing article title? (2, Funny)

Stavr0 (35032) | more than 4 years ago | (#30728250)

Firm To Drop Database, Web Server 0-Days

The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable.

Perhaps "Firm to GRANT SELECT ON database, web server 0-days TO PUBLIC"

Re:What's up with the confusing article title? (2, Funny)

tag (22464) | more than 4 years ago | (#30728316)

The verb to drop has specific meaning w.r.t. databases.

There's an xkcd [xkcd.com] for that.

Why not? (4, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#30727654)

FTFA:

At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret

Hasn't this been proven to be true - and legal?

In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think it's completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it forcing the vendor to fix it. I prefer security over new features.

Re:Why not? (2, Insightful)

DeadPixels (1391907) | more than 4 years ago | (#30727796)

I agree, but that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible. I believe that you should notify the vendor and then release it in a reasonable time frame (TFA suggests 60-90 days).

I don't have a problem with the disclosure of vulnerabilities once the vendor has been notified, because I think it does cause the problems to be resolved quicker. However, not telling the vendor means there's no chance for them to even start on a fix before everyone knows the exploit.

Re:Why not? (4, Insightful)

b4dc0d3r (1268512) | more than 4 years ago | (#30728526)

He's a step ahead of you. He's tried doing it the right way and gotten no results. So he's going to skip the part where he wastes his time.

If companies want responsible disclosure, they should respond in some way to the disclosure. Maybe companies will actually fix bugs instead of sitting on them, and he can go back to doing it the right way. He also warned the companies he's going to do it, so they have a chance to fix things before then.

Here's a tip for you. In the real world, sometimes you have to force the other party's hand to get them to act responsibly. He's to that point, and fortunately has leverage. By making this choice public, he shames the irresponsible software companies which allow security problems to sit around unfixed.

Hopefully they'll scramble to release some fixes, which they haven't done yet, which is a net improvement over the current situation where millions of people have unpatched vulnerabilities.

In short, I don't see a problem here. I use software, it has security problems, I expect those to be fixed. Whatever it takes to get there, I'm all for it.

Re:Why not? (1)

jc42 (318812) | more than 4 years ago | (#30728792)

... that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible.

Well, how I read it is more like "Hey, we've tried notifying these turkeys a dozen times or more, and every time, they stonewalled us. I'm fed up with them, and I'm not going to waste my time any more. I'm just going right to the public release, which their history shows is the only way to get any action."

Maybe this isn't the "responsible" thing to do, but it's certainly understandable that a frustrated customer might feel this way. And at this point, "responsible" becomes merely a weak value judgement whose effect mostly is to delay the correction of problems.

Perhaps what we should suggest is starting off with a nice long "advance notice" period with a vendor, 2 or 3 months. Each time they fail to act within that window, you decrease it slightly for the next bug you report. With time, this might stabilize on a reliable period for that vendor. Of course, this only works if you have a long-term business relationship with that vendor. In many cases, people are likely to give up long before the asymptote is reached.

Has anyone proposed a "responsible release" heuristic like this, that adjusts the public-release time to the vendor's previous behavior? I haven't read of any, but I haven't read everything on the topic.

Re:Why not? (1)

John Hasler (414242) | more than 4 years ago | (#30728998)

I think that it would be much better to always notify the vendor (telling them when you will release) and then release as scheduled no matter what the vendor does or says. The word would soon get around and vendors would know they were working against a firm deadline.

Re:Why not? (0)

Anonymous Coward | more than 4 years ago | (#30729106)

I believe he will be notifying the vendors once he releases it through the website.

All interested parties can subscribe to the RSS feed.

socialized risk (4, Insightful)

epine (68316) | more than 4 years ago | (#30727968)

This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk. When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.

I personally think 30 days is a reasonable notification period. Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant. If the vendor wants pleasant, they should invest more competence in the original product. This isn't easy, and might move a few pointy-haired managers out of the executive suite.

Probably a more viable compromise is eight weeks. This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.

I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.

I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.

Speaking of which, that whole TCO thing really bends my biscuits. It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.

During that time, your pants are down if anyone less ethical discovers the same flaw. It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.
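As an added example (not code from any commenter), the adaptive notice period jc42 proposes in the "Why not?" thread, combined with epine's eight-week baseline and extension for a good track record from this post: a per-vendor window that shrinks after each missed deadline and grows only after a streak of on-time fixes. The starting window, floor, ceiling, step sizes and streak length are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# All tuning values are assumptions for illustration, not a published standard.
BASELINE_DAYS = 56        # epine's eight-week starting window
MIN_DAYS = 14             # floor: never disclose with less than two weeks' notice
MAX_DAYS = 90             # ceiling: the upper end of the 60-90 days cited in the thread
SHRINK_STEP = 7           # days removed after each missed deadline (jc42)
EXTEND_STEP = 7           # days added after a streak of on-time fixes (epine)
STREAK_FOR_EXTENSION = 3  # consecutive on-time fixes needed before extending


@dataclass
class VendorTrack:
    """Per-vendor disclosure window plus the history that drives it."""
    name: str
    window_days: int = BASELINE_DAYS
    met_deadline: List[bool] = field(default_factory=list)

    def record(self, days_to_patch: Optional[int]) -> int:
        """Record the outcome of one report and return the window to apply
        to the next report. None means no fix shipped before disclosure."""
        met = days_to_patch is not None and days_to_patch <= self.window_days
        self.met_deadline.append(met)
        if not met:
            # Missed deadline: the next report gets a shorter window.
            self.window_days = max(MIN_DAYS, self.window_days - SHRINK_STEP)
        elif len(self.met_deadline) >= STREAK_FOR_EXTENSION and all(
            self.met_deadline[-STREAK_FOR_EXTENSION:]
        ):
            # Sustained good behaviour earns a modest extension, capped.
            self.window_days = min(MAX_DAYS, self.window_days + EXTEND_STEP)
        return self.window_days


def simulate(name: str, outcomes: List[Optional[int]]) -> List[int]:
    """Feed a sequence of patch times (days, or None for never) through the
    policy and return the window in force after each report."""
    track = VendorTrack(name)
    return [track.record(o) for o in outcomes]


if __name__ == "__main__":
    # Constructed histories, not data about any real vendor.
    print("stonewaller:", simulate("stonewaller", [None] * 8))
    print("responsive: ", simulate("responsive", [20, 30, 10, 45]))
    print("mixed:      ", simulate("mixed", [None, 20, 30, 10]))
```

The stonewaller converges to the 14-day floor after six missed deadlines, which is the asymptote jc42 describes; the responsive vendor only starts earning extra time once three consecutive reports were fixed inside the window.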

Re:socialized risk (2, Insightful)

mcgrew (92797) | more than 4 years ago | (#30728644)

This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk.

Sometimes I think I've been transported to Ferenginar. 95th rule of acquisition: "Exploitation starts at home".

Re:Why not? (1)

SwashbucklingCowboy (727629) | more than 4 years ago | (#30728676)

"if they've contacted the vendor and the vendor hasn't patched it in a month or two"

A month or two is not enough time.

Re:Why not? (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30729052)

Why not? Too busy? On what?

You can have bugs, you can have additional features, you can have new projects on the table, ALL of that stuff should be second fiddle to security vulnerabilities.

So where is the time consumption? The firm is already telling you WHERE the problem is. All it takes now is Finding a solution, testing it, and deploying it.

If you're telling me that it takes more than 2 months to do that - I seriously doubt the actual integrity of the product they are working on.

Irresponsible (4, Insightful)

DeadPixels (1391907) | more than 4 years ago | (#30727708)

To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's not going to tell the companies at all. That, in my opinion, is very irresponsible. If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.

Re:Irresponsible (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30727832)

Problem is that if you warn a vendor privately, they will either dismiss you outright, or get a court to sign a gag order against you in a matter of hours.

Re:Irresponsible (2, Insightful)

haruharaharu (443975) | more than 4 years ago | (#30728136)

Of course, these guys are in russia, so good luck with that.

Re:Irresponsible (1)

93 Escort Wagon (326346) | more than 4 years ago | (#30728414)

Of course, these guys are in russia, so good luck with that.

Of course, if the big companies that are affected felt it made business sense to do so, the fact that this group is located in Russia could make them easier to deal with. A bit of Microsoft cash slipped into the right unregistered bank account... problem solved, guys are shut up permanently.

Re:Irresponsible (1)

Xua (249955) | more than 4 years ago | (#30728918)

This may be exactly what they actually want to happen and /. is helping them with publicity here.

Re:Irresponsible (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30728148)

What court? This firm is located in Russia.

Re:Irresponsible (1)

tonyreadsnews (1134939) | more than 4 years ago | (#30728236)

they will either dismiss you outright

So, how would that change GP's process?

get a court to sign a gag order

Then share it with one (or a couple) trusted friends who can release it if you are unable to.

Re:Irresponsible (0)

Anonymous Coward | more than 4 years ago | (#30728498)

And those are the only possible options. Yep.

Re:Irresponsible (1)

shutdown -p now (807394) | more than 4 years ago | (#30729078)

Problem is that if you warn a vendor privately, they will either dismiss you outright

Then you proceed with disclosure.

or get a court to sign a gag order against you in a matter of hours.

Has there been a precedent for that?

I have reported security vulnerabilities in the past, and while the fix did take longer than I expected to be reasonable, at all points I was kept notified of the current progress, and I was never "dismissed", nor did anyone threaten me with court gag orders or anything like that. What did I do wrong?

Re:Irresponsible (2, Insightful)

Volante3192 (953645) | more than 4 years ago | (#30727878)

The devil you don't know is less dangerous than the devil you know? Fact is, the guy says he's got holes from Real from two years ago that haven't been patched. Two years isn't enough time, now you want two years and three months?

Re:Irresponsible (5, Insightful)

GameMaster (148118) | more than 4 years ago | (#30727974)

What he seems to be saying, is that he's already told the companies and they've done nothing. A better term for it might be "effective disclosure" in order to differentiate itself from the, proven ineffective, "responsible disclosure" advocated by the industry.

Re:Irresponsible (1, Informative)

JyriVirkki (1454743) | more than 4 years ago | (#30729068)

What he seems to be saying, is that he's already told the companies and they've done nothing.

As the architect for one of the products listed I can say with certainty that our product team has not been contacted with any vulnerability info. I'm all for open disclosure but I wish the authors of each software would be given a heads-up slightly ahead of time.

Huh? (-1, Redundant)

EkriirkE (1075937) | more than 4 years ago | (#30727732)

If they are dropping the database, then the problem "disappears". How can they release the info if they DROP DATABASE?

So, what are they selling? (4, Insightful)

0racle (667029) | more than 4 years ago | (#30727768)

Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.

Right, what are they selling again?

Re:So, what are they selling? (3, Interesting)

paziek (1329929) | more than 4 years ago | (#30727894)

They could be providing auditing services. Advertising to whole IT world, that they found shitload of them might just say "Hey, we can check if your apps are safe, and perhaps recommend something better if they aren't."

Re:So, what are they selling? (2, Insightful)

Blakey Rat (99501) | more than 4 years ago | (#30728794)

From the blurb in the summary, it sounds like "jackassery."

Nice short term marketing gimmick (5, Insightful)

Megaweapon (25185) | more than 4 years ago | (#30727790)

"Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."

Is it just me? (4, Funny)

gregarican (694358) | more than 4 years ago | (#30727818)

Or is the English language dying a painful death on /. as time passes? The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.

Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???

Re:Is it just me? (5, Funny)

Arancaytar (966377) | more than 4 years ago | (#30728104)

You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

Re:Is it just me? (1, Informative)

b4dc0d3r (1268512) | more than 4 years ago | (#30728944)

It's a high concentration of words and/or phrases having overloaded meanings. As technology develops, normal words acquire additional connotations, if not denotations. Since this is a tech-oriented news aggregator, you should select the tech connotation first, then re-parse with non-tech meanings if that fails.

'Drop' in this case can be parsed in the sense of 'vendor drop', meaning 'deliver' or 'drop a bombshell'. Not typical usage, but not uncommon. 0-days obviously refers to vulnerabilities, and conflated would refer to details of the vulnerabilities.

So it's valid, but potentially confusing.

Re:Is it just me? (1)

bennomatic (691188) | more than 4 years ago | (#30729034)

It's the hip-hop definition of 'drop', i.e., "Yo Dre! Drop me a funky-ass bass line!"

Responsible disclosure works (0)

gweihir (88907) | more than 4 years ago | (#30727846)

But you need to give the vendors hard disclosure dates not too long in the future and you need to publish at these dates stating when you informed the vendor. If the vendor does not patch, publish the vulnerability anyway; you have done your part.

As others have already said here, this strikes me as a publicity stunt, or they wanted money from vendors and did not get any.

Re:Responsible disclosure works (3, Insightful)

jjoelc (1589361) | more than 4 years ago | (#30728154)

Agreed - inform the vendor with all the details. Same day, publicly announce that the vulnerability has been discovered, but with no details. At a specified date (60-90 days later) make full details public.

Sounds so simple, doesn't it?

security theater gate crashers (3, Insightful)

Theodore (13524) | more than 4 years ago | (#30727938)

I welcome this.
In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...
to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...
to "Here is how you fail... here is how to make you fail... FAIL!!!"

'responsible disclosure' is just wearing the nice guy badge...

You're the only one wearing the nice guy badge.

I'd rather see "Oh CRAP! This thing in Word is broken!" "Oh CRAP! This thing in Excel is broken!" "Oh CRAP! I went to look at a Britney Spears vid and now can't move my mouse! Why is my DSL light blinking a lot?"
And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).

Better handled through a service like Wikileaks? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30728292)

It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.

RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it. If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could provide additional encouragement to address the problem.

At the expense, of course, of being a really crappy way to treat companies who ARE proactive about their security issues, especially as a security researcher doesn't always necessarily have the full picture of what's necessary to fix the problem in cases where it's intertwined with required software features. That's probably the most significant aspect of RFPolicy -- the dialogue and collaboration between security researcher and software developer to determine the scope of the problem and the potential solutions.

It's Irresponsible (1)

SwashbucklingCowboy (727629) | more than 4 years ago | (#30728614)

While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities. Give them six months and then release them, but give them time. This does as great a disservice to users as those firms do by not fixing the vulnerabilities.

Re:It's Irresponsible (1)

Hatta (162192) | more than 4 years ago | (#30729064)

So what you're saying is that we should give the black hats 6 months to freely exploit these vulnerabilities?

drop database? (1)

gringer (252588) | more than 4 years ago | (#30728664)

Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?

Re:drop database? (1)

toastar (573882) | more than 4 years ago | (#30728802)

Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?

no no no.... In Soviet Russia, Database SELECT you!

Bug bounties (3, Interesting)

zullnero (833754) | more than 4 years ago | (#30728920)

If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines. There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm. One of the biggest issues with these security analysis firms is that there's no way to tell most of the time if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bona fide security professionals. And no jokes about them being one and the same...there's a huge difference; I've known (and in the case of those pros, I've worked with them) guys from both sides. If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.

Then again, there's the big problem of many of the bugs that outside security firms report already being known and in a work backlog. The realities of the industry are that capital isn't unlimited, time isn't unlimited, and sometimes important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem. Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.

Economics (1)

MikeURL (890801) | more than 4 years ago | (#30728984)

My eyes started to glaze over but the ecosystem seems to go like this. Researcher discovers vulnerability, sells it to companies that buy that kind of info, then reports it to the company that made the flawed software.

One assumes that all the big anti-virus vendors buy the info from the vulnerability clearinghouse thus giving their users some measure of 0-day protection. Eventually the flawed software should be patched and all is well.

It isn't clear in this case why the researchers care if the flaw is eventually fixed. They make their money selling the vulnerability to the clearinghouse that then resells the data to the anti-virus companies. Or I could be all wrong.