Theo de Raadt on OpenSSH security flaws [LWN.net]

Ethical behaviour

Posted Apr 1, 2006 2:55 UTC (Sat) by Shanep (guest, #36879) [Link]

However, unethical behavior on the part of those companies does not justify unethical behavior on the part of individual developers, as seems to be the case here. Failing to do responsible disclosure (as somehow threatening not to) is not a sensible position. And this comes from a crucial security provider for almost all of us! Gives me the creeps.

Theo is NOT failing to do responsible disclosure. He is talking about Suns OWN SunSSH. NOT OpenSSH. OpenSSH will continue to provide full disclosure and Sun, just like the rest of the World, is free to view that disclosure and scrutinize their OWN SunSSH code.

Theo should not have to audit Sun's own code when Sun gives him NOTHING.

Disclosure of vulnerabilities

Posted Apr 1, 2006 8:54 UTC (Sat) by man_ls (subscriber, #15091) [Link]

Responsible disclosure does not work that way. Suppose that A knows that B's software has a vulnerability. A notifies B in advance and, some time later, A goes public. The amount of advance time is under discussion; two weeks to a month seems reasonable. For example: you find a vulnerability in Mac OS X, you notify Microsoft and wait for a month. Apple has time to patch the system and to distribute the patch; then you can go public.

Now let us suppose you find a vulnerability in OpenSSH. You notify the OpenSSH team at security@openssh.org (or whatever) and give them a month. But you know nothing of Sun's own SunSSH; however de Raadt does, and he knows that the vulnerable code is in Sun's version too. So de Raadt knows that some software (SunSSH) has a vulnerability, and should in the interest of responsible disclosure warn them in advance. However he is mad at them for not inviting him to their sleep-overs and he does not warn Sun; when the bug goes public, Sun's software is exposed with no advance warning.

So you see that responsible disclosure is orthogonal from full disclosure. Both are not a matter of law, but of ethics; the latter says "let users know what is wrong with their software", the former says "let developers patch their software before the black hats get the information". A crucial security provider should know the difference.

Disclosure of vulnerabilities

Posted Apr 1, 2006 12:30 UTC (Sat) by Shanep (guest, #36879) [Link]

Sorry, but if want to talk about ethics, then where are Sun and IBM's ethics? Theo refusing to give them a heads up on security issues, is hardly worse than Sun and IBM, with all their money, refusing to give a cent but expecting support for free. If you get any at all, it is a damn temporary privilege.

Sun and the rest need to look at the part of the BSD licence which disclaims all warranties. Sure the code is as free as it gets. But don't expect support at all, much less for free.

I would love to see Theo charge a premium for responsible disclosure.

Disclosure of vulnerabilities

Posted Apr 1, 2006 13:40 UTC (Sat) by man_ls (subscriber, #15091) [Link]

That is precisely the point. Of course Sun is not behaving ethically. But seeing the other party is not behaving ethically is no excuse for behaving unethically yourself.