On Wed, Dec 03, 2003 at 07:46:08AM -0500, JoeHill wrote:
On Wed, 3 Dec 2003 08:24:38 -0500 John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
Ask yourself: if this were a certain proprietary company, would this news leak out so quickly, and would said organization publish a detailed post-mortem as soon as one is available?
There's no "if". Microsoft actually got seriously pissed recently when news of *seven* new vulnerabilities, two of them critical, was released to the general public rather than being privately and secretly notified themselves.
That's a different matter and worthy of everyone being pissed. Anyone finding a new vulnerability should notify the owner of the code and give them some time to find a cure before making a public announcement. For an open source project, the original notification will be partially public, but you still should not try to make the news widely public until there has been adequate time to find a fix and distribute it. (Proprietary source products often require a longer period of time for that process to be carried out.) After the period of time is up, then announcing the vulnerability is fine (and if the code owner has wasted the time and not arranged a fix to be distributed widely enough, it rightly looks bad on them).
I think considering MS's past behaviour in this respect (ie. taking *months* to issue fixes that do not even work), the discoverers of the vulnerabilities did the right thing. Leaving that aside, MS has no right to expect "courtesy" from the security community, taking into account it has acted with aggressive intolerance at any and all criticism of it's security track record, witness the recent case of the CCIA report and the subsequent firing of it's principle author from an MS-connected company, @Stake.
MS has a poor track record for sure, but your example was not a case of MS acting poorly - they weren't given a chance. Now you're saying they don't deserve a chance, but that is irrelevant to your original point that this example proved that open source does a better job. The open source community can't fix problem before they know of them either.
The argument that public disclosure of security flaws encourages hackers is very weak, and reeks of justification, in comparison to the logically sound idea that more public scrutiny means more pressure, and more resources, brought to bear to fix said bugs. Hence Eric S. Raymond's "many eyes make all bugs shallow."
Immediate public disclosure does not provide more eyes for a bug in MS code, just more eyes in the cracker community. Telling MS of a bug, and then telling the world later of the bug (and that MS was told a month earlier so that people can judge whether their response was adequate) provide more than ample pressure, and may reduce the number of exploits carried out against victims who have never had any warning or chance to apply a fix because there wasn't one. If MS responds prompty (which they are doing better at these days - they've learned that they have to), then when the public announcement goes out any attacks prompted by the announcement can only be applied against people who have not yet applied the fix. -- The Toronto Linux Users Group. Meetings: http://tlug.ss.org TLUG requests: Linux topics, No HTML, wrap text below 80 columns How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml