Ethical behaviour

Posted Apr 1, 2006 2:55 UTC (Sat) by Shanep (guest, #36879)
In reply to: Ethical behaviour by man_ls
Parent article: Interview: Theo de Raadt of OpenBSD (NewsForge)

However, unethical behavior on the part of those companies does not justify unethical behavior on the part of individual developers, as seems to be the case here. Failing to do responsible disclosure (as somehow threatening not to) is not a sensible position. And this comes from a crucial security provider for almost all of us! Gives me the creeps.

Theo is NOT failing to do responsible disclosure. He is talking about Sun's OWN SunSSH, NOT OpenSSH. OpenSSH will continue to provide full disclosure, and Sun, just like the rest of the World, is free to view that disclosure and scrutinize their OWN SunSSH code.

Theo should not have to audit Sun's own code when Sun gives him NOTHING.

Disclosure of vulnerabilities

Posted Apr 1, 2006 8:54 UTC (Sat) by man_ls (subscriber, #15091)

Responsible disclosure does not work that way. Suppose that A knows that B's software has a vulnerability. A notifies B in advance and, some time later, A goes public. The amount of advance time is under discussion; two weeks to a month seems reasonable. For example: you find a vulnerability in Mac OS X, you notify Microsoft and wait for a month. Apple has time to patch the system and to distribute the patch; then you can go public.

Now let us suppose you find a vulnerability in OpenSSH. You notify the OpenSSH team at security@openssh.org (or whatever) and give them a month. But you know nothing of Sun's own SunSSH; however de Raadt does, and he knows that the vulnerable code is in Sun's version too. So de Raadt knows that some software (SunSSH) has a vulnerability, and should in the interest of responsible disclosure warn them in advance. However he is mad at them for not inviting him to their sleep-overs and he does not warn Sun; when the bug goes public, Sun's software is exposed with no advance warning.

So you see that responsible disclosure is orthogonal to full disclosure. Neither is a matter of law, but of ethics; the latter says "let users know what is wrong with their software", the former says "let developers patch their software before the black hats get the information". A crucial security provider should know the difference.

Disclosure of vulnerabilities

Posted Apr 1, 2006 12:30 UTC (Sat) by Shanep (guest, #36879)

Sorry, but if you want to talk about ethics, then where are Sun's and IBM's ethics? Theo refusing to give them a heads-up on security issues is hardly worse than Sun and IBM, with all their money, refusing to give a cent but expecting support for free. If you get any at all, it is a damn temporary privilege.

Sun and the rest need to look at the part of the BSD licence which disclaims all warranties. Sure the code is as free as it gets. But don't expect support at all, much less for free.

I would love to see Theo charge a premium for responsible disclosure.

Disclosure of vulnerabilities

Posted Apr 1, 2006 13:40 UTC (Sat) by man_ls (subscriber, #15091)

That is precisely the point. Of course Sun is not behaving ethically. But seeing the other party is not behaving ethically is no excuse for behaving unethically yourself.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds