Microsoft has submitted a proposal aimed at quelling one of the oldest debates in security circles: retiring the use of the term “responsible disclosure”. The software maker wants to replace the term with the less pejorative phrase “coordinated vulnerability disclosure.” The hope is that software makers and researchers can put …
What I am reading is...
Waaaah Waaah Waaaahh! We want to keep doing security through obscurity, and only disclose stuff when we have to!
Damn all these hax0rs! They are making us throw extra resources at solving problems in 30-60 days, rather than whenever we get around to it!
I am all for security experts disclosing issues, provided they have contacted the vendor first, and given them a reasonable time frame for a fix.
Let me clarify "reasonable"
If the exploit is a remote exploit, that DOESN'T require the stupid monkey user to click on an infected link, then it should be 30 days to fix.
Remote exploit stupid link clicky longer, but engineer it so it zaps the user when they click stupid links
Things like the DNS re-direct issue that forced DNSSEC to be finally rolled out... well, vendors need to suck it up, fix it ASAP, and then make their customers apply patches.
That's WHY we have IT admins, and patch cycles.
Of course companies like Cisco COULD fix their firmware update process, so an IOS update doesn't brick features... or the router.
I think that sound is coming from the other direction...
It's always easy to pick out the idiots that have never had to write anything more complex than a "Hello World!" program. They think that all programs are easy to write, easy to read, easy to change, easy to debug, etc. etc.
Real programs are complicated. Ormandy obviously doesn't have a clue about software. Of course the developer can't give you a timeframe for a fix until they understand what's wrong with the code. That's like asking your mechanic for a cost estimate on your car after telling him that there's a grinding noise coming from the front left side of your engine. The mechanic/coder has to find the actual problem before it can be fixed. Not just a set of symptoms, no matter how detailed. Also, the complexity of fixing a bug--and thus the amount of time it will take to fix--are not dependent on how easy the bug is to exploit. And do remember that there are a limited number of people available to fix these bugs and they do have more bugs to fix than just yours. I'm sure most companies would be happy to fix the security issues in their products as fast as possible, but that just doesn't mean that it's going to get done immediately.
While, yes, some companies do slack off on fixing bugs as soon as reasonably possible, most of the full disclosure advocates you hear about just seem to be interested in self-aggrandizement and bashing the company whose software he just found a bug in.
"In the event the finder decides to make the vulnerability public, he would communicate those plans to the software maker ahead of time."
And suddenly sniper fees go through the roof.
"No, Mr. Grayhat, you shall not live to see the sun rise on the day you report a vulnerability in our product."
But more seriously, LAWYER fees would probably go through the roof, as the big megacorps call out the legal dogs to silence the folks who find the thorny vulnerabilities in their product. That's the whole thing about irresponsible disclosure - it's, well, irresponsible. But sometimes there's no better way to tell these big, block-headed companies to fix their shit than to tell the whole world that the company has them in the lurch until a fix comes out.
Monopoly OS & applications make, by their nature, many users vulnerable.
It is the nature of the way competition develops so live with it or change the rules.
No sympathy. Sad but true.
So we want to replace an emotionally laden phrase that we understand with a dry, technical phrase that we don't understand. That will help protect the customers!
to change the terminology than to fix the bugs...
It's all in the way you interpret it.
"The hope is that software makers and researchers can put aside decade-old differences about the best way to handle critical defects so that end users are best protected."
The hope is that software makers and researchers can put aside decade-old differences about the best way to handle legal terminology so that software makers and researchers are best protected.
Yep, now that makes sense.
Bottom Line: They want to protect their bottom line
"We all want to protect customers and users" - what a simple statement. I wonder if it's actually the full story?
Not to read *too much* into it, I read the suit's statements as being (perhaps) more like this: "We all want to protect the Microsoft bottom line - especially when it comes to disclosing holes in the cheesecloth that is the Microsoft Windows 'security framework'," only from a perspective developed without really taking an objective look at the said cheesecloth, and certainly looking mostly towards job-security.
Mine's the one with the lockpick in the pocket.
I'm all for 'coordinated vulnerability disclosure' and giving software makers plenty of time to fix their stuff but I don't believe anyone should be forced to do so.
If someone finds a vulnerability in software they should have the right to do with it whatever they want, whether they inform the company, keep it for themselves, make it public or sell it for profit.
Motives like personal beliefs, financial gain, hate for the vuln company or simply wanting to screw over a couple of thousand people should not matter.
It was after all them who found it, not the people with full access to the code who were supposed to prevent these things and get paid to do so.
All this 'debate' on the subject just looks like companies trying to find ways to make it illegal to point out when they have failed until the issue has been forgotten and is no longer relevant.
And let's face it... the internet without vulnerable people? Where's the fun in that? I'd have to get my viagra spam somewhere else, I just can't imagine starting my day without reading 10 emails telling me how I need larger genitalia.
This is not a title
All they're doing is eliminating the oxymoron "responsible Microsoft". Business as usual.
Good for them
"So we want to replace an emotionally laden phrase that we understand with a dry, technical phrase that we don't understand. That will help protect the customers!"
*shrug* "responsible" disclosure doesn't protect customers no matter what it's called, since companies then just sit on some flaws for years, while blackhats exploit them freely.
Anyway, good for them. Coordinated vulnerability disclosure is dry but at least accurate... whereas "responsible disclosure" causes so many debates between people like me that say letting everyone know about flaws ASAP is good, the blackhats probably already know, and therefore letting a company sit on the flaw for potentially months or years is *irresponsible*. And them, who say they should take as long as they want to fix a flaw so it's irresponsible to tell anyone until that point. (Personally, I would not disclose immediately, but if there's no substantial response in a week or two, well, someone like the full disclosure mailing list has to know... and to add to this, Microsoft in particular is irresponsible for only releasing patches once a month instead of as soon as the patches are ready.)
"We're really trying to reach out..."
...with our tentacles."
Delayed disclosure isn't a responsibility, it's a courtesy. And the less courtesy Microsoft show, the less they'll receive.
Is it possible that someone with half a brain there has figured out that pissing and moaning about immediate disclosure is a sure way to encourage it?
I'm guessing not, actually, and that this is just PR flim flam to try and get vulnerability researchers enfolded in the loathsome Embrace of the Beast.
Hardly a surprise
Microsoft has been the biggest opponent of disclosure of any kind since security researchers got fed up with it not fixing reported holes after months and months and started disclosing them.
In the real world it is very simple - no disclosure or 'private' disclosure means the company has no incentive to fix the issue as no users know there is an issue. As soon as the world, and their clients, find out about the latest hole they _have_ to respond or risk hurting their bottom line.
Said bottom line is not hurt by undisclosed vulnerabilities since as far as end users are concerned there is no problem, hence the lack of incentive for a fix.
Apple, Mozilla, Google, Adobe...
it's not just MS here. Every software company potentially has security problems. Every vendor probably wants to minimise churn dealing with them and the bad PR of having some random dude yelling that the sky is falling and you must unplug the internets or your cat will get microwaved
All that's going on here is that Microsoft and Google and others want to improve the process without security researchers blackmailing them with a threat of premature disclosure... which is always going to be tempting for the security wonks because it brings them their 15 minutes of fame
Reporting a bug on a Saturday, and then putting every user at risk because the vendor hasn't committed to make unknown changes 3 business days later... is that responsible behaviour and the actions of someone who wants to keep you safe vs someone who wants their ego stroked?
I would however love to see an independent body with no axe to grind who collates these reports and tracks responsiveness and makes sure that bugs are fixed and researchers credited when the fix is announced and - if a vendor and researcher don't agree to a timeline - manages disclosure in a considered manner (i.e. describe the vector at a high level, symptoms and workarounds. If that doesn't solve the problem then a gradual escalation to make proof of concept available to anti-malware vendors to enable them to create appropriate defenses).
Public disclosure of a working attack no matter how "pure" you claim your motives to be is just putting everyone at risk
Steve's Irresponsible Pain...
I'd bet he's upset now. Responsible is probably the only term in the discussion he kind-of understands.
always look on the bright side of life
MS isn't the worst. At least they admitted there is a problem. Try GOD Steve, there is nothing wrong with anything from Apple ever.
Software for the rightous
There are no flaws in Apple software, and even if there are there are lots more in Windows and Linux especially if you press the keyboard like this <CLAMP>.
I'm always amazed at this brainlessness.
I know lots of Mac people, I am one some of the time, but I don't know anyone who believes that except for the true Mac-haters.
Now maybe some of the Mac people are a little sanctimonious sometimes, but still never as bad as you guys seem to think.
RE: always look on the bright side of life
The difference is that Apple fix the bugs, MS just introduce different ones.
...and it's not Apple who are crying about terminology when they should be throwing resources at fixing vulnerabilities...
RE: Software for the rightous
Well, you spelt righteous wrongly for starters....
There was also a problem in what you wrote, so I'll fix it for you:
"There are no flaws in Apple software, and even if there are there are lots more in Windows"
There, job done.
Microsoft to banish 'responsible' from disclosure debate
"We all want to protect customers and users"
Well why not start by designing secure software in the first place? From the "brain" virus, through Wordbasic macro viruses to the latest USB vulnerability, Microsoft have ALWAYS put "speed to market" first and security last. This latest step in the Redmond game is more "blame the messenger" posturing, and as such clearly does not represent any change from the sloppy security practices of old.
How many more messengers will get the blame before the world wakes up and stops buying inferior products at elevated prices from the Gates/Ballmer crowd?
When I first got NT 3 at work, there was some kind of notice that said parts of it were copied from an open-source Unix. I can't remember which one.
Shame they didn't take any of the security stuff, just the garbage.
coordinated vulnerability disclosure?
Crappy name! Make it: "Free Externalised Delayed QA". There, fixed.
Also,
> Of course the developer can't give you a timeframe for a fix until they understand what's wrong with the code.
My manager asks for random guesstimated timeframes all the time. Should I worry?