Secure Coding mailing list archives

On exploits, hubris, and software security


From: BlueBoar at thievco.com (Blue Boar)
Date: Fri, 03 Nov 2006 11:38:13 -0800

Gary McGraw wrote:
> Later, we could disclose the problems responsibly, keeping a short leash
> on Microsoft, Netscape, and Sun without ever resorting to FULL
> disclosure.  Our goal was to get the problems fixed with no nonsense.
> The companies also allowed the press to be responsibly involved.

Are you familiar with the backstory on this one?  While I acknowledge 
there is controversy on who is telling the truth, here's the 60-second 
summary, according to how I believe it happened.  (And how I believe it 
happened is important, because other researchers also believe this, and 
are acting accordingly.)

-Researchers show video demo at Black Hat of an attack against a 
wireless driver for a third-party NIC on a MacBook.  They poke fun at 
Mac users.  They claim it works against the driver for the built-in 
wireless, too.  (They also claim it works against Windows drivers, *nix 
drivers, etc., but no one cares for purposes of the controversy.)

-Reporter reports it, uses sensational headline, backs up their story 
about the built-in card driver being vulnerable, too.  Says researchers 
claim Apple "leaned" on them to remove the video demo of the built-in 
card exploit.

-Researchers claim they told Apple.  Apple denies it to reporters. 
Apple issues press releases denying it.  Apple PR person goes on record 
as claiming Apple was not given one shred of evidence.  Employer of one 
of the researchers appears to be keeping both researchers from saying 
anything to defend themselves.

-Apple releases patch for the vulnerability (so says one of the 
researchers) and Apple claims credit for finding it.

So, if you believe the researchers' side of the story, the press WAS 
involved, Apple denied it, threw around legal threats to gag the 
researchers, and then stole the credit.

Ergo, the next set of researchers (who tend to believe the first set of 
researchers) say screw Apple, and release details in such a way that 
there can be no denial of what they found.

Researchers will tend to take the word of other researchers over the 
vendors, and some researchers already have a tendency to just publish if 
they get flak from the vendor anyway.

The actual hard truth of the situation isn't critical; the researchers 
will behave according to their perception of what happened.  While I am 
extremely interested in the hard truth for this situation, we don't have 
it yet, and we might never.  I don't particularly want to debate the actual 
truth here, and I'm pretty sure Gary doesn't want us to, either.  If you 
want to read a very good counterpoint from someone who believes more of 
Apple's side of the story, Dave Schroeder posted a detailed response on 
my blog entry that I referenced earlier.  If you want to debate me on it 
in particular, please feel free to do so there.

Again, the important bit is how Apple appears to behave, to people like 
the researchers.  I have the same bias, and if I were any good at 
finding kernel vulnerabilities, I'd be treating Apple the same way about 
now.

                                        BB

(Apologies for the length.  I've already been debating this for a few 
days, and Gary DID invoke the Full Disclosure debate.)
