| |||||||||||||
|
| |||||||||||||
Firefox buffer overflow and full disclosureFirefox buffer overflow and full disclosurePosted Sep 16, 2005 22:29 UTC (Fri) by gerv (subscriber, #3376)In reply to: Firefox buffer overflow and full disclosure by RobSeace Parent article: Firefox buffer overflow and full disclosure
To use another unworkable analogy: if Consumer Reports learned of a flaw in all Ford cars, whereby someone could easily unlock the doors by tapping them in just the right spot (or something similar), would you rather they quietly just tell Ford about it and wait for them to take months/years to do anything about it, or would you rather know about it yourself, so you can replace the locks on your Ford your own damn self??I'd tell Ford: "You have two weeks to make sure all of your dealerships around the world have a decent stock of replacement locks. Then I'm going public." Which is the exact equivalent of responsible disclosure.
(Log in to post comments)
Firefox buffer overflow and full disclosure Posted Sep 16, 2005 22:49 UTC (Fri) by RobSeace (subscriber, #4435) [Link] But, why is that more "responsible" than immediately going public? (Which,I believe, is what Consumer Reports usually actually does...) And, why two weeks? Who made up that number, and deemed it to be the "responsible" time-frame? What if the vendor really can't possibly get a fix out in less than 6 months? Is it "responsible" to inform the public 5.5 months early? If so, then why exactly wasn't it to do so 2 weeks earlier than that?? (It's clearly NOT "responsible" to cave to the vendor, and sit on the issue for 6 months... But, what I'm curious about is what is it that distinguishes the 2 weeks from the 6 months for you?? In this day and age, can't 2 weeks of being vulnerable to a known security hole be just as dangerous as 6 months? So, why not simply inform the users right from the start, so they can protect themselves until the vendor takes however long it needs to to fix the issue?)
Firefox buffer overflow and full disclosure Posted Sep 17, 2005 0:38 UTC (Sat) by giraffedata (subscriber, #1954) [Link] I'd be interested to know what Consumer Reports' policy on this is. I'm not sure it has ever faced the situation. I know Consumer Reports doesn't give any advance warning to manufacturers of defects and other weaknesses in their products that CR intends to publicize, but that's a statement about CR not owing the manufacturer anything. Are these ever defects where some consumers would be hurt just by the publication? Like the Ford lock analogy?I read all the time about journalists withholding information for the public good, and I suspect Consumer Reports really would withhold that Ford lock story until Ford had plenty of time to mitigate the problem.
Firefox buffer overflow and full disclosure Posted Sep 17, 2005 15:35 UTC (Sat) by RobSeace (subscriber, #4435) [Link] > Are these ever defects where some consumers would be hurt just by the> publication?
Once again, I don't buy that the "publication" would be responsible for
Firefox buffer overflow and full disclosure Posted Sep 17, 2005 22:29 UTC (Sat) by giraffedata (subscriber, #1954) [Link] I don't buy that the "publication" would be responsible for anyone getting "hurt" I assume "responsible" is the key word here. I think it's obvious that many people would have their cars broken into if the flaw became common knowledge early who would not have their cars broken into if Ford had time to prepare before it became common knowledge. It's equally clear that there are many people in the opposite situation -- they would avoid the breakin by having the flaw become common knowledge earlier. So I assume you're just saying that spreading the word isn't responsible for any breakins, even though it is obviously a contributing cause. Like the idea that if you leave a pair of glasses on the floor and someone steps on them, the stepper is not responsible for the damage. There are plenty of people who would argue either side of the responsibility question. I still believe in the Consumer Reports analogy, CR would assume responsibility and not publish immediately. It seems to be the prevalent view in journalism, and especially among social good organizations like Consumer's Union (publisher of CR).
Firefox buffer overflow and full disclosure Posted Sep 18, 2005 15:40 UTC (Sun) by RobSeace (subscriber, #4435) [Link] > So I assume you're just saying that spreading the word isn't responsible> for any breakins, even though it is obviously a contributing cause. Like > the idea that if you leave a pair of glasses on the floor and someone steps > on them, the stepper is not responsible for the damage.
Well, more in the way that someone who informs you the building is on
> CR would assume responsibility and not publish immediately.
I'm not so sure that's correct... I don't really know for sure, but I
But, regardless of what they would really do, I certainly don't think it
Firefox buffer overflow and full disclosure Posted Oct 10, 2005 1:47 UTC (Mon) by turpie (guest, #5219) [Link] That's a very poor analogy. Such a fire hazard could result in legitimate users accidently creating a life threatening disaster. Hardly similar to a security bug in a web browser.
Most users would be unable to create their own patches to fix a security hole, and unlikely to want to go to the hassle of swapping to another program if their preferred choice of program is likely to be fixed in a couple of days. I believe developers should be notified of the bug and told that they would have no more than 14 days to fix the problem before it is made public. The developers would then have time to fix or workaround the bug, test and release an update before the blackhats were informed. If the developers didn't respond in time then that fact should be a part the security disclosure so the users may be better informed and can then change their software preferences.
|
|
||||||||||||