Secure Coding mailing list archives

SC-L Digest, Vol 2, Issue 183


From: mark at markgraff.com (Mark Graff)
Date: Sat, 4 Nov 2006 14:48:19 -0800

Gary McGraw said:

Ed Felten and I found out early on (back in 1996) that you can use the
press as a lever to get companies to do the right thing.  We learned
this when releasing the very first Java Security hole.  We found out
that Sun paid much more attention once USA Today picked up the story
from comp.risks.

Later, we could disclose the problems responsibly...

I told my part of this tale in "Secure Coding" (O'Reilly, 2003--with KRvw, 
of course). I was Sun's corporate-wide "Security Coordinator", responsible 
for fixing, or getting fixed, all security bugs or flaws in our products. I 
had analyzed, without source code, the Java jail approach and had identified 
what I thought was a potential problem. I reached out internally and had a 
series of meetings with the main designer, the main architect, and the 
person who was in charge of security for Java. I told them each that my 
experience and intuition indicated that there would be a serious security 
bug, "right there", and volunteered to round up a group of volunteer 
external experts (I was well plugged into FIRST at the time) to help analyze 
potential problems.

All this was before any security bugs had been found in Java. And as busy as 
I was keeping up with bug fixes, disclosures, and exploits in UNIX/Solaris, 
I was determined to act proactively and help perfect what I saw as a great 
step forward in security.

The three Java experts gave me the cold shoulder. I persisted. They told me 
to go away, and expressed with force and conviction that there were 
not--could not be--any security bugs in Java.

About 10 weeks later, I was at a national-security conference in Houston. 
While I was walking up to give my address on the Java Security 
Model--literally, while I was taking to the stage--an acquaintance there 
said, "Hard day for Sun security types, I guess." He then showed me the USA 
Today headline Gary referred to in his post. It turned out that Gary and Ed 
had independently discovered and (unsuccessfully) reported the self-same bug 
I had hypothesized about. It was fixed a few short weeks later.

Hubris is not endemic to a single company, or individual. And the inability 
to see our own mistakes (sometimes, even when they are pointed out to us) is 
something I don't believe we software types can even claim as particular to 
our occupation. It is, as luminaries like Peter Neumann and James Reason 
have amply demonstrated, a failure common to that combination of orderly and 
creative thinking we call engineering. Similarly, for reasons Ken and I 
discuss in Chapter 1 of "Secure Coding", the corporate animal really will, 
all too often, turn the Reality Distortion Field on full-force rather than 
deal with a pre-headline problem.

I often ask myself which set of dangerous behaviors--corporate blindness, or 
preemptive disclosure--is more likely to trigger the first 
security-bug-caused death. I don't know. Can we turn the ship of software 
development before we hit that rock? I doubt it. One hopes.

-mg-
