Comments on: On disclosure
https://grey-panther.net/2007/01/on-disclosure.html
Last updated: Thu, 04 Jan 2007 23:14:00 +0000

By: Cd-MaN (Thu, 04 Jan 2007 23:14:00 +0000)
https://grey-panther.net/2007/01/on-disclosure.html#comment-879

Very good points. Probably there is no definitive answer to this question. Everyone does as s/he sees fit, and probably half of the people will disagree with him / her. Still, it would be nice of the vendors to (a) fix the flaws as fast as possible and (b) not try to wage a PR war against these people (IMHO, this campaign is partially the result of the marketing / PR choices Apple made).

By: Anonymous (Thu, 04 Jan 2007 21:00:57 +0000)
https://grey-panther.net/2007/01/on-disclosure.html#comment-880

I’m inclined to agree with you. And in this particular case – MoAB – I find the spectacle of people huffing and puffing about the disclosures rather ridiculous. This has a lot more to do with the “fanboy” phenomenon than with anything else. That’s to say some people have become too invested in a certain image of themselves as Apple users and don’t like having their tails tweaked.

Tweaking these people’s tails is, of course, part of the purpose of the exercise (although MoAB has other, and more serious, purposes, too). Hence the logo MoAB uses which is a skit on the “My little Pony” products:

http://en.wikipedia.org/wiki/My_Little_Pony

But I do think there is a reasonable objection to the view you express there. That’s that while there may be a very few others who have already found these vulnerabilities and are exploiting them, disclosing them publicly means that there are many more people who now know of them and could potentially exploit them. There must be a larger pool of people who aren’t smart enough to find flaws themselves, but who know enough to be able to take advantage of them once they know of them. Considering that, a private disclosure to the vendor might be thought to be better.

I’m not sure that’s a telling argument in the end. For one thing, so long as a researcher is prepared to stay quiet the vendor can get away with dragging its feet. In this case, it could be objected that LMH and Kevin Finisterre gave the vendor no time at all to get its house in order. However, they cite previous Apple tardiness, and also express a desire to shake things up a little – so that OS X users become a little less complacent; so I suppose they have an answer to that.

Anyway, to return to the earlier point, you say: “any disclosure, whether it’s coordinated with the vendor or not, is a good thing”. I suppose that’s right, but formulated like that it doesn’t acknowledge that an “uncoordinated” disclosure may – temporarily – render users _less_ safe.

I don’t feel at all angry with LMH and Kevin Finisterre, although I use OS X quite a lot. And maybe what they’re doing will have several beneficial effects. But I do think there’s a legitimate – not possibly a conclusive but certainly a legitimate – argument to be made against what they’re doing.
