Secure Coding mailing list archives
On exploits, hubris, and software security
From: BlueBoar at thievco.com (Blue Boar)
Date: Fri, 03 Nov 2006 11:38:13 -0800
Gary McGraw wrote:

> Later, we could disclose the problems responsibly, keeping a short leash on Microsoft, Netscape, and Sun without ever resorting to FULL disclosure. Our goal was to get the problems fixed with no nonsense. The companies also allowed the press to be responsibly involved.
Are you familiar with the backstory on this one? While I acknowledge there is controversy on who is telling the truth, here's the 60-second summary, according to how I believe it happened. (And how I believe it happened is important, because other researchers also believe this, and are acting accordingly.)

- Researchers show video demo at Black Hat of an attack against a wireless driver for a third-party NIC on a MacBook. They poke fun at Mac users. They claim it works against the driver for the built-in wireless, too. (They also claim it works against Windows drivers, *nix drivers, etc., but no one cares for purposes of the controversy.)
- Reporter reports it, uses sensational headline, backs up their story about the built-in card driver being vulnerable, too. Says researchers claim Apple "leaned" on them to remove the video demo of the built-in card exploit.
- Researchers claim they told Apple. Apple denies it to reporters. Apple issues press releases denying it. Apple PR person goes on record as claiming Apple was not given one shred of evidence. Employer of one of the researchers appears to be keeping both researchers from saying anything to defend themselves.
- Apple releases patch for the vulnerability (so says one of the researchers) and Apple claims credit for finding it.

So, if you believe the researchers' side of the story, the press WAS involved, Apple denied it, threw around legal threats to gag the researchers, and then stole the credit. Ergo, the next set of researchers (who tend to believe the first set of researchers) say screw Apple, and release details in such a way that there can be no denial of what they found. Researchers will tend to take the word of other researchers over the vendors, and some researchers already have a tendency to just publish if they get flack from the vendor anyway. The actual hard truth of the situation isn't critical; the researchers will behave according to their perception of what happened.
While I am extremely interested in the hard truth for this situation, we don't have it yet; we might never. I don't particularly want to debate the actual truth here, and I'm pretty sure Gary doesn't want us to, either. If you want to read a very good counterpoint from someone who believes more of Apple's side of the story, Dave Schroeder posted a detailed response on my blog entry that I referenced earlier. If you want to debate me on it in particular, please feel free to do so there. Again, the important bit is how Apple appears to behave, to people like the researchers. I have the same bias, and if I were any good at finding kernel vulnerabilities, I'd be treating Apple the same way about now.

BB

(Apologies for the length. I've already been debating this for a few days, and Gary DID invoke the Full Disclosure debate.)