
Security quote of the week

Talking Trojan: Analyzing an Industry-Wide Disclosure tells the story of what happened after we discovered the Trojan Source vulnerability, which broke almost all computer languages, and the Bad Characters vulnerability, which broke almost all large NLP tools. This provided a unique opportunity to measure software maintenance in action. Who patched quickly, reluctantly, or not at all? Who paid bug bounties, and who dodged liability? What parts of the disclosure ecosystem work well, which are limping along, and which are broken?

Security papers typically describe a vulnerability but say little about how it was disclosed and patched. And while disclosing one vulnerability to a single vendor can be hard enough, modern supply chains multiply the number of affected parties, leading to an exponential increase in the complexity of the disclosure. One vendor will want an in-house web form, another will use an outsourced bug bounty platform, still others will prefer emails, and *nix OS maintainers will use a very particular PGP mailing list. Governments sort-of want to assist with disclosures but prefer to use yet another platform. Many open-source projects lack an embargoed disclosure process, but it is often in the interest of commercial operating system maintainers to write embargoed patches – if you can get hold of the right people.

Nicholas Boucher, one of the authors


Security quote of the week

Posted Sep 29, 2022 4:06 UTC (Thu) by linuxrocks123 (subscriber, #34648) (4 responses)

Both of those "vulnerabilities" were actually complete non-issues, so I would suggest considering this story to have an unreliable narrator.

Security quote of the week

Posted Sep 29, 2022 11:56 UTC (Thu) by davecb (subscriber, #1574)

The doubt about it being possible also contributes to the variability of the vendor responses

Security quote of the week

Posted Sep 30, 2022 2:49 UTC (Fri) by mirabilos (subscriber, #84359) (2 responses)

Trojan "source" is really a problem of the text editors, not the languages, so I agree.

I don’t know the other thing, but then, I don’t use these “AI” things either.

Security quote of the week

Posted Sep 30, 2022 13:32 UTC (Fri) by flussence (guest, #85566) (1 response)

Yeah, the whole thing does not sit right with me. The authors' insistence on assigning blame for a car crash to the house with skid marks in its front garden just leaves the whole thing smelling like an attempt at beg bounty scalp collection that happened to get lucky with its SEO.

Security quote of the week

Posted Oct 4, 2022 0:44 UTC (Tue) by bartoc (guest, #124262)

Especially given this paper, which makes it feel like they _know_ it was a "unique" opportunity _because_ it was a common non-bug that everyone had to patch anyway to avoid bad press.

Given how editors displayed the syntax I think it was a real bug deserving of fixing, but the whole circus surrounding it left a bad taste in my mouth nonetheless.
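The editor-display argument in the comments above comes down to one check that a code reviewer or CI job can run regardless of what the compiler does: are there Unicode bidirectional control characters in the source at all, and does any line open an override or embedding without closing it? The scanner below is an added example written for this page, not code from the paper or from LWN; the sample source it scans is constructed inline.

```python
import unicodedata

# Unicode bidi controls that can reorder how a line is displayed. None of
# them has a legitimate place in source code outside of string literals,
# so any occurrence is worth flagging for human review.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}
CLOSERS = {"\u202c", "\u2069"}

def find_bidi_controls(source):
    """Return (line, col, 'U+XXXX', unicode name) for every bidi control."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits

def unterminated_lines(source):
    """Lines that open an embedding/override/isolate and never close it.
    An unclosed control in a comment or string is what lets the rest of
    the line be displayed in a different order than it is parsed."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        opened = sum(ch in OPENERS for ch in line)
        closed = sum(ch in CLOSERS for ch in line)
        if opened > closed:
            bad.append(lineno)
    return bad

def reveal(line):
    """Replace each bidi control with a visible <U+XXXX> marker for review."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in line)

# Constructed sample: line 2 opens an override inside a comment and never
# closes it; line 3 contains a balanced isolate inside a string literal.
SAMPLE = (
    "x = 1\n"
    "# comment \u202e hidden\n"
    "z = '\u2067abc\u2069'\n"
    "y = 2\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name}")
    for lineno in unterminated_lines(SAMPLE):
        print(f"line {lineno} unterminated: {reveal(SAMPLE.splitlines()[lineno - 1])}")
```

Run it over a repository with `find . -name '*.py' | xargs -I{} python -c 'import sys; ...'` or wire `find_bidi_controls` into a pre-commit hook; the balanced isolate on line 3 is still reported, since whether it belongs in a string is a judgment the reviewer should make, not the tool.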


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds