Firefox buffer overflow and full disclosure
Posted Sep 16, 2005 22:05 UTC (Fri) by RobSeace
In reply to: Firefox buffer overflow and full disclosure
Parent article: Firefox buffer overflow and full disclosure
> The more black hats know about the flaw, the more at risk users are.
Only if the users remain ignorant of it, as well... Using analogies for
stuff like this never works well, but: every "black hat" on the planet
knows about the flaw inherent in windows (the glass kind, not the OS):
namely, that they're easy to break, and thereby can provide unintended
access to a house/car/whatever... However, every "user" of windows also
knows about that flaw, and chooses to either live with the risk, or
invest in better protection (barred windows, security system, whatever)
if they need it... But, suppose the "users" didn't know about this, and
believed windows to be utterly impenetrable and perfectly safe... Do you
think these ignorant users are somehow safer in their ignorance than the
informed users?? Even if fewer "black hats" know about the flaw, the fact
is they are at risk from those few that do (and any future ones who figure
it out on their own, as "black hats" are wont to do)... And, in their
ignorance, they may be exposing highly sensitive and important stuff that
they dearly wish to protect, and think they ARE protecting via the use of
what they think are impenetrable windows... Compared to the real informed
"users", who know better than to rely on windows to protect anything
important... So, tell me again, how keeping users ignorant protects them,
or is somehow for their own good??
> In a few types of flaw, users can take action to protect themselves, but
> normally they are at the mercy of the vendor to provide a patch.
That's just not true... Users can ALWAYS take some action to protect
themselves: stop using the vulnerable product until it's fixed! Yes, that
may be a dramatic and unrealistic choice for many users in many cases, but
the fact is that it IS an option, and all users deserve to be informed of
the problem so they can exercise that option if they choose to... But,
there are usually much less drastic options users can take, as well... Such
as firewalling off ports (assuming network attack), or tweaking config
settings to disable the buggy feature (such as in this Firefox IDN case),
etc... No one is "at the mercy of" any vendor, to that extent... They
always have some choice in the matter... But, keeping them ignorant robs
them of that choice, and leaves them vulnerable...
To use another unworkable analogy: if Consumer Reports learned of a flaw
in all Ford cars, whereby someone could easily unlock the doors by tapping
them in just the right spot (or something similar), would you rather they
quietly just tell Ford about it and wait for them to take months/years to
do anything about it, or would you rather know about it yourself, so you
can replace the locks on your Ford your own damn self?? I think being
informed is ALWAYS a good thing, and being kept ignorant is NEVER a good
thing, no matter what the situation or scenario... So, I can't fathom how
people buy into this "responsible disclosure" nonsense, that basically says
"Yes, please, keep me entirely in the dark about the gaping security holes
in the software I'm using, while my software vendor takes their sweet time
to twiddle their thumbs and maybe throw together a patch, all the while
leaving me vulnerable to this now increasingly well-known exploit, which
who-knows-how-many people now know about!"... THAT, is what I call being
"at the mercy of the vendor" (and, all of the countless people they and
the original bug-reporter have informed, either directly or indirectly)...
And, it's NOT something I want to be...
> There are probably 100 holes in [pick-a-product-name] right now which are
> zero risk, because 0 people know about them - they haven't been
> discovered by anyone yet.
Yeah, sure, if literally NO ONE has discovered them, then yes there is zero
risk... But, in the scenarios we are discussing, that is NOT the case...
At least ONE person has discovered them, already... And, he's probably
told the vendor, which in turn means probably more than one developer
there has been informed of it... And, any of them may offhandedly tell a
friend or two about it... And, so on...
Not to mention the fact that you never KNOW whether or not anyone else
might have already previously discovered any given hole, and simply hasn't
told anyone about it, because they'd rather keep it their own little