Google: Rebooting responsible disclosure

The Google security blog is carrying a manifesto of sorts on how disclosure of security holes should be handled. "So, is the current take on responsible disclosure working to best protect end users in 2010? Not in all cases, no. The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect. We’ve seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers. The important implication of referring to this process as 'responsible' is that researchers who do not comply are seen as behaving improperly. However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time."

Google: Rebooting responsible disclosure

Posted Jul 21, 2010 15:59 UTC (Wed) by malcolmt (guest, #65441) [Link]

It seems Tavis Ormandy's ham-fisted and patronising (in subsequent mailing list posts) approach to disclosure is being somewhat blessed by Google in this mail. Very disappointing to see. No acknowledgement here that their (Google's) recent disclosures didn't follow these guidelines ("here, have five whole days, including the weekend, to assess the problem") or that it's much easier for a service-providing organisation such as Google to release fixes than for a deployment-based component.

I'd like to hope that Google will follow these guidelines when working with others, but "lead by example" seems better than "do what I say, not what I do" and to have this following so closely on recent fumbles with the name of one of the culprits attached is ill-considered. They mean well; if only they could stop doing things in such a half-assed fashion. :(

Google: Rebooting responsible disclosure

Posted Jul 21, 2010 21:59 UTC (Wed) by error27 (subscriber, #8346) [Link]

You obviously know that Ormandy was working on his own free time when he disclosed the Microsoft vulnerabilities. You are being dishonest to blame Google for that.

This is clash of cultures...

Posted Jul 21, 2010 22:33 UTC (Wed) by khim (subscriber, #9252) [Link]

In the US there is no such thing as "working on his own free time": everything you do belongs to the company - no matter when and how it's done (as long as you are employed by the company). The company can waive its rights (and Google often does this: see Andrew Morton, Jeremy Allison, Ian Lance Taylor and many others), but this is an explicit process and this privilege must be deserved.

In Europe the company only owns the stuff which was created in work time and using company-owned tools - everything else is "fair game". I always thought this is the right way to think about things, but Tavis Ormandy succinctly (and in my mind convincingly) showed what's wrong with this POV. I'm still not sure I like the US approach, but even if Google had no legal way to prevent it (I don't know enough about Swiss law to say) it still was not a nice thing to do.

This is clash of cultures...

Posted Jul 21, 2010 22:38 UTC (Wed) by corbet (editor, #1) [Link]

> In US there are no such thing as "working on his own free time": everything you do belongs to the company - no matter when and how it's done (as long as you are employed by company).

That's only true if you've signed a contract with your employer that says that. Lots of employers do, indeed, take an expansive view of what is "theirs," but others are a little more enlightened.

This is clash of cultures...

Posted Jul 21, 2010 23:53 UTC (Wed) by cmccabe (guest, #60281) [Link]

> In US there are no such thing as "working on his own free time":
> everything you do belongs to the company - no matter when and how it's
> done (as long as you are employed by company).

Not true.

http://stackoverflow.com/questions/401269/states-having-n...

for example in the California code,

> 2870. (a) Any provision in an employment agreement which provides that an
> employee shall assign, or offer to assign, any of his or her rights in an
> invention to his or her employer shall not apply to an invention that the
> employee developed entirely on his or her own time without using the
> employer's equipment, supplies, facilities, or trade secret information...

Companies like Amazon require you to notify management before beginning work on an open source project. (A pretty good reason not to work there, in my opinion.) But if you fail to comply, the penalty is being fired, not losing your intellectual property. At least this is true in California; I'm not sure about other states. And of course, if they go after you with good enough lawyers, they could try to make your open source project look like it was somehow work related. Amazon and other big companies have so many projects going on that this is a possibility.

Most likely the reason why Andrew Morton, Jeremy Allison, and the others have written waivers from Google is that the Linux stuff they do is in fact for work, so 2870-a would not apply.

Please read what you wrote...

Posted Jul 22, 2010 7:28 UTC (Thu) by khim (subscriber, #9252) [Link]

> Any provision ... shall not apply to an invention that the employee developed entirely on his or her own time without using ... trade secret information.

This is a very wide brush. In theory it's possible to invent something not work-related, but I'm pretty sure a previously unknown vulnerability in an OS used by your employer will classify as "trade secret information" by itself.

Please read what you wrote...

Posted Jul 22, 2010 12:06 UTC (Thu) by nix (subscriber, #2304) [Link]

That completely depends on where you're working. Even most software houses don't write OSes, so I can't see how that would be true at all. (Google is both huge and commercially involved in Linux development, so this may not apply to them.)

This is a Bunch of Bull

Posted Jul 23, 2010 6:05 UTC (Fri) by khim (subscriber, #9252) [Link]

Suppose you are working in a bank and found out that half of that bank's ATMs will give you money if you type some "debug sequence". Will this qualify as a trade secret? Of course! The definition of "trade secret" (as related to US law) is here. It's all forms and types of ... engineering information if —

> the owner thereof has taken reasonable measures to keep such information secret; and
> the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.

If Google uses Windows XP for some kind of operations then vulnerabilities in it constitute a "trade secret". Do you really believe Google completely ditched Windows XP by now?

This is a Bunch of Bull

Posted Jul 25, 2010 6:42 UTC (Sun) by cmccabe (guest, #60281) [Link]

> Suppose you are working in bank and found out that half of that banks ATMs will give you money if you type some "debug sequence". Will this qualify as trade secret?

Maybe section 2860 of the California labor code will fill you in:

> 2860. Everything which an employee acquires by virtue of his
> employment, except the compensation which is due to him from his
> employer, belongs to the employer, whether acquired lawfully or
> unlawfully, or during or after the expiration of the term of his
> employment.

Anyway, this doesn't have anything to do with the subject at hand. Tavis didn't learn about the vulnerability "by virtue of his employment."

Note: I'm not saying I support Tavis's actions, or that I condemn them. I really don't know what to think. I just enjoy thinking about the legal aspect here.

Please read what you wrote...

Posted Jul 22, 2010 19:06 UTC (Thu) by cmccabe (guest, #60281) [Link]

Trade secrets, patents, copyright, and trademarks are the 4 kinds of intellectual property. For example, the formula for Coca-Cola is said to be a trade secret.

I'm not sure whether a vulnerability in an operating system could be considered a "trade secret". In the US, trade secrets must confer some sort of economic benefit to their holders in order to be considered valid. Unless your company is engaged in illegal activity, it's hard to see how a remote root compromise or something like that could meet that criterion. Maybe if your company is making the OS that has the vulnerability?

Anyway, we've gone far into the land of legal conjecture. The point is, the company does not always own everything you've ever done. As always, I am not a lawyer, and this is not legal advice.

Well, it's much simpler than that...

Posted Jul 23, 2010 6:32 UTC (Fri) by khim (subscriber, #9252) [Link]

> Unless your company is engaged in illegal activity, it's hard to see how a remote root compromise or something like that could meet that criterion. Maybe if your company is making the OS that has the vulnerability?

If your company uses the OS in question - it's enough. If the vulnerability is unknown but can be mitigated - it gives you a clear advantage over the competition. If it can not be patched then the fact that you keep it secret gives you at least an "early warning" advantage over the competition: you can drop the product in question before the vulnerability bites you. Even if Google only uses Windows XP in some kind of virtual sandbox to detect malware, it gives you the advantage of making your malware detector better than competitors'!

> The point is, the company does not always own everything you've ever done.

Practically speaking it does. The "trade secret" brush is usually wide enough to cover almost anything in your area of expertise. Only if you are doing something totally unrelated to your work can you get away with 2870-a. For example a Google engineer can safely write a program to manage music sheets... unless he has access to some kind of stats from the upcoming music service (in this case it can be argued that s/he used these "trade secret" stats to create a more marketable program).

Well, it's much simpler than that...

Posted Jul 25, 2010 6:27 UTC (Sun) by cmccabe (guest, #60281) [Link]

For those of you not familiar with the definition of a trade secret, here it is:

> (3) the term “trade secret” means all forms and types of financial,
> business, scientific, technical, economic, or engineering information,
> including patterns, plans, compilations, program devices, formulas,
> designs, prototypes, methods, techniques, processes, procedures, programs,
> or codes, whether tangible or intangible, and whether or how stored,
> compiled, or memorialized physically, electronically, graphically,
> photographically, or in writing if—
>
> (A) the owner thereof has taken reasonable measures to keep such
> information secret; and
> (B) the information derives independent economic value, actual or
> potential, from not being generally known to, and not being readily
> ascertainable through proper means by, the public

khim said:

> If your company uses the OS in question - it's enough. If
> the vulnerability is unknown but can be mitigated - it gives
> you clear advantage over competition.

If the vulnerability is not known to the general public, being protected against it is of no use. In this case, you can only derive economic value from it by using it to attack other computer systems. This would be illegal. If the vulnerability is known to others in the public, it can never be a trade secret because it was "readily ascertainable through proper means by the public."

Anyway, there is a more fundamental problem with your argument. I just do not believe that a vulnerability which Tavis found on his own time, without using any equipment from work, and which had nothing to do with Google's operations, could be considered a trade secret of Google.

In short, your argument is prima facie absurd. Just because Google has a few old Windows boxes sitting around somewhere does not give them ownership to every Windows-related thing that their employees do, ever. It's as silly as arguing that since Google has a wooden chair somewhere in a storeroom, they have ownership of any trade secrets I create when doing woodworking on my own time.

Google: Rebooting responsible disclosure

Posted Jul 22, 2010 16:46 UTC (Thu) by malcolmt (guest, #65441) [Link]

No, I'm not being dishonest. It has not been made sufficiently clear that he was working on his own time, particularly by Google. Thus something like this implicitly blesses his ridiculous behaviour. It would have been trivially easy for Google to avoid this devaluing of their efforts by not making Ormandy one of the authors of this document. They are explicitly saying he is somebody who speaks for them on security best practices, when real evidence suggests he doesn't have sufficient principles to do so. It's not a case of "only be a good person at work" -- it goes to the quality of character.

Google: Rebooting responsible disclosure

Posted Aug 3, 2010 20:43 UTC (Tue) by PaXTeam (subscriber, #24616) [Link]

> "here, have five whole days

It was 5 days to get MS to commit to a fix within 60 days, not to 'assess the problem' (turns out they could pull it off, despite all the bitching and moaning in the press later).

> including the weekend, to assess the problem"

They are big and important enough to be able to afford people working on these kinds of issues 24/7.

As for the rest of your post, you're quite clueless about this whole disclosure thing (hint: there's no right way, only different tradeoffs).

RFPolicy?

Posted Jul 21, 2010 16:32 UTC (Wed) by dmarti (subscriber, #11625) [Link]

What about RFPolicy? It looks like a decent compromise between notifying the maintainer in advance and publishing vulnerabilities that go unfixed.

Google: Rebooting responsible disclosure

Posted Jul 22, 2010 2:32 UTC (Thu) by jiu (subscriber, #57673) [Link]

I think their post misses a big item by not mentioning the publication of sample attack code along with details of the security hole. That's one big item that shouldn't get published as it gives even more of an incentive to apply the preexisting recipe.

People on Google Security blog don't understand cyber terrorism

Posted Jul 23, 2010 5:30 UTC (Fri) by n3td3v (guest, #69207) [Link]

It seems a lot of people on the Google Security blog don't even know what cyber terrorism is.

It is the act of posting a disclosure to change company or government policy, by way of cyber attacks created by the disclosure.

http://googleonlinesecurity.blogspot.com/2010/07/rebootin...

---

Andrew Wallace

http://sites.google.com/site/n3td3v/

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds