Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Software Vendors Should Come Clean on Security Holes



 By: Jim Rapoza
2005-03-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: When it comes to fixing bugs and vulnerabilities, the Sgt. Schultz approach amounts to nothing.

Most people tend to agree with the old adage: Knowledge is power. But there are some groups that think knowledge is a bad thing—knowledge on the part of others, at least—and these groups work hard to keep people in a state of blissful ignorance.

Many software makers actively try to keep data under wraps—information about vulnerabilities or security holes that they are unwilling or unable to fix. But its just these software vendors that would benefit most from the spread of this kind of information.

I can understand why some companies dont want negative information to get out. After profits, most modern corporations are heavily driven by marketing and public relations. And what could be worse news for a software company than a security hole in one of its products?

But any vendor that gives in to this kind of thinking is bowing to the people who know the least about software and IT. The companys developers and customers, on the other hand, know that it is pretty much impossible to build a software program that wont occasionally have bugs or security holes.

Resource Library:

A constant barrage of problems is another story, but customers understand that occasional problems with software are a fact of life. The most important thing to customers is not vulnerability-free software but software that is vulnerable for as little time as possible. Customers also want to know about problems so they can take steps to protect themselves until the problems are fixed.

But some vendors think that security by obscurity is the best way to go, and theyll fight tooth and nail against anyone who prevents them from hiding their security foibles.

The latest round in this battle, early last month, took a chilling turn in a French court decision. The court ruled that a security researcher broke the law by publishing details about a vulnerability in a French security application. The court also ruled that the researcher could no longer disclose security vulnerabilities.

Click here to read more about the decision.

What many people wont hear about is that this researcher may not have obtained the security software legally, which almost certainly affected the ruling. Most people will instead see only the headlines, such as "Researchers who discover programming flaws can no longer legally publish their findings in France" or "Publishing exploit code ruled illegal in France."

Bottom line: The ability for researchers to expose vulnerabilities that vendors would rather keep hidden will be further limited simply out of fear and uncertainty.

Part of the problem is that not all security researchers are paragons of white-hat purity. But most security researchers are simply trying to find out if there is anything wrong with a program that they use or that clients use.

And when researchers find a problem, their first goal is to give the vendor a chance to fix the problem. If the researcher follows proper notification and if the vendor acts responsibly to repair the problem, rather than attack the researcher who found it, everyone benefits from the resulting improved product. (Security researcher Rain Forest Puppy has a good template for notification procedures at wiretrip.net/rfp/policy.html.)

If software companies fear bad PR, then legal action against researchers makes no sense whatsoever. If I see in the news that a vendor is fighting a vulnerability disclosure on one of its products, I instantly assume that the vendor cares nothing about software quality and security. And I doubt that Im alone in this thinking.

On the other hand, I respect companies that deal with problems openly and promptly or that are proactive with things such as bug bounty programs that reward researchers who find problems.

When a vendor feels genuinely wronged by a researcher, the vendor should turn the tables: Share the threatening or extortionary correspondence from the researcher with the security community and the press. That researchers clout and influence will drop like a stone.

In the end, embracing researchers and dealing with problems openly and promptly are in vendors best interest. Throughout history, totalitarian governments that restricted knowledge and resisted openness tended to rot from the inside. The same tends to happen to software vendors that try to hide problems or deceive customers.

Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.

To read more Jim Rapoza, subscribe to eWEEK magazine.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Software Vendors Should Come Clean on Security Holes
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Jim Rapoza
 


x}ks㶲*Q3CiJNlҌ3R$$1HGɞ?q?q-1qƖhFh|GggD]ݴ1p͙M55|zg`HRsgޅ-34 @oRQP ĠxnwݶN`P'~ > \?g3;Y| tjGt0.Pk< Z5754o/ne0S.ڎIQ>*֠OմHm(P8 P.w@~TheMGQR`N Cw*?, +Jt/"(?F#&s?9;|'Ț<i@Q5w0NK <[Sա(v2%vn/E@Z#BLȡ[Boi=7dc7.{$-XdUZB bC63!1kkT*T>l[Gݑ[#XsIzVHx)ɡæ'I!_CRp`iFW˩kF?ĶhG's:]dU~7P7nǾ;s270T6'`>6L(L|HI CuaOG@uh3X 2n eþ=rTݯԕ^T/[̾X^poF_{JE4E_.;gW(֝[p nV0n{'Owy@α{A~A7" DT-jR*ND@aBjLx:~HstT㍒~7jy%R߯4E;J KHS Ә= (N,ԑX:dji_Wם^gGם)7b٘XB ji@$m zb!=Y VӓKIGNs!)|vg>!5MP\̱¬8ڪV׏`CK'^AM[CEC0jr]R ~8?_$ZW;Ǥ MXO'䗳90N`mYn_H!aXY|T͢4-I` o$SE@;- u +:u6kiBuV!0ND5cfI5 (,eg5@N)51t9kM`3Ro frCCZ9nVĨ9ESAeEI7CD r<3|!XsI((Ggd{".Ӱerv}ZnVՉ*YX]uUfjZlY?龂[wqnUO^ K/364>hX.B2iK1qKꛫZROTUPrvUq+-Aqb2B c=&M:gvXY8;}JwSjZic;N*5b}4>'AGAtiš4ϬP7&hC:}ҍ;LZ 'pGbHۋrX¤$֔^AE$h-D@wMPIe+f!S@uGA LνbrgmMA(oEnPh^0vhiqppYY?0B]uCb賀B=Śtև *SsfPBxԁ!~9.Wb&A/"h"D&  TAGEBFN@@7׳'B/Vi-\fD˛Oq$cw_&+ay?b -xkb}I)l͌eY&zϏaLlW^, Uto5Muc}s_9Դziښ,Â-Gn]^yfml`aD$%LEw\,OVXwq?7߄xEs;Jh`|XͰ b՜Ee5>du nN-6˘ \ W?f,qٛuV<ۢf|a) lq[rׁfؓ]ȣ =p ؇&|UrI۶ۿi R.CMEc7˅L< +׬UPLg<)*h3ئ4Q{/)J%E` L] T<ty[ F:6n 1H#60/`k .^@>%%@#PTѱ"AaK鬡aKUѫSOm{hCy-h\,*'8AÖ'"!1|ڣ>s3R*/s7+ f)T|;fZV*ժ 6UT\=W*ovT͂)3G  .|_ћxoũ1FtY ~T}f6݂ /]rϙ4|pZMNYvQOs!au0:=J"4B~Qipw\pRk }XL˧Fxxo u;qaz9N8 kqF=cvq : (kuX85 G& ~ '%:"tC):2 Z `jDa#B",`V8!) =mQJk'4EvκԲ)짥Vt u _sM-WG$ ؈GL2>Lk}YPjVR+{9i7,mcD H!#2!Z Gk0h'Lw*1՞$PS*񳛱CĮP_*3=@7_)5 Ue=4. O+bIљ'oj2mvgfӏV"-_dmؘY%7<@:a۴q:i&G2165"j` |=rUʩ,TΩ$2fDeϺVs lO=uz /CUEV:“#ݸy/"w~{`guɛ(.xg@5sDcC:j]-'E&tE׵zE+5W}zGdCzez%~g~{q{;IL=e}XTJRճ(I$ {2 t9t=d}{c5Z8,*z)ODʌiߐ@ڨO( ]?k8ỸĤX2N*,E$R (NYa hٌj}[S?B%V0R@DB +}ƾnRYQ|Z#:j|$>rcOiD:i1TZVR< +8r=)ixў6G+++e-2ǽa n.& 4˷K^-,sKiJg؋_r]rf)uy4Ł5#/4C▶Fuq )3{[qmOK[&ԔuX0TlʪVuZMJ֞'auvٙy(GK\eRLR33׵.[^Hp Ośn3A l(U5ml[-W+wfc"iqC@a ~E-çEr_.ekR-իWʠˤ Z8`dt+]=^NN:k^6J;o#;"U9 us)d}=^xsٖҽNW֓!O"y rBVݫ=utq)qfm2G<2zqaxsD/8 m̀@ c^94c-M'SVaF`NYQy~oUkq  I5:=>   cJ=!Vo8[+Y9HB `E/ԩ #ADrIGzZFdqʼn/`Ea1:(:{_ۑKw?J ~_!cߗ&o8~ ѶP֬=8Y̭rl׸zI~2)}Am9˝~H 9o =%(E٦@7db&ubJT=‹z=O?{0 cdQ(|z&IZ[Ű ݖ>`,5 2e?#S"\ VL PlOҴy=#lQ1 i(K"i$lbTȺRoNwպ4<5ަmWxvImc%3jsdg[eҊ" Pk qki)jݷΪ^؍^ʼnl01޲!pQ\rVTS^J;up=q"h9#7ND8ʬSc`(u+ɅFfo-w3klyT̴jts2fucBƋ=95iѧ~ǜ ޙi A] j5 ל{Jn,Y2kӮ" "KI̷E~hSrpr%>iפuba}%H@2`@wOL4b5zÿTfOf 95C/rBE}l(=lGt?vJow{ѧsE4 7tRR{d;i2ӱ$BUU+j*;A\DVeΜtٓN|;1id7Yu(fd~X:pKҤ%scsd}ݸw[1rifwioHP}I.=]f+wQ(;<]f][tU"EkFOWSE TIzuZSDm֗Fݽ]޿wVȿ5LĴxBw}͎۲x#ft@w0WGgwvg6bp'vO0* ɯ\ݶBx# bs!D"r=prџ [] vW96 I* s9d=Y}@_)_s~Ce@EƙWڕt;R^/i9 I@Aī;ãl>XQ۔>JExX19g߷@ܖݙmҹed +R=_@ % (A,3d@!@^UPK )%IAMqAi K7l+r'q !ZrjHkߊT%k~E9qϽHh޲AEǗ1`5?C (rJZUUk9C' :IC'xH' gS/V]\;'EQ؝z4d91bT=1ꦪ.ـn4&ZuIXt- )t}? nJV 8cWz S׃TZjG88y @QB$ kS+cuő;|3Pf^mW""xT7777׷VJth"4ʢ2UdƟsƩdV]Ep _MI=r\π況ڐN_x9} fm46fCL{0<ƕ %淫Y0Y3P5x%(Ï5s27'Mq8*~#|jAN -ZTA8=fE ªxʟ6Oe4܁5rY׾K׸7777붯4Z}v4^Sr?@]z6,aauꩣu- } G>zx͍}m9M_8uΔIT7赉yrMT"jMxmj G5*^Oa^[L  :V,ckl ?>ڀ>e~Μp&UнHqX 5.F+h ΝkojZ}x_ڳKۨ_xȧ%A/ d^m/'IO:/~7j_A'-g5ͬhgP_sgƖk?I%4+uFEOq\dE'y{Hd1m=M*b m0D~ LuM|{*x%o?^%u(4NzNxNH6ТCxbu~HMpI-?|,(8j S ='EVh;Icp{~^~GrbDݵg#řZ-G ^b+\̐5X9ÈSȡ-ETVG`*׶/N^g?rD*ǹDa'0m+`]+I#샒=%xٓB ,Qx'Dw$;?Ñ:(-VFX9Gab*ZOxǍYV(> =l?QX2{n4?8xTe/ =8l*b6K-'z)5}L1L՜R<^gYr6 z~b= aKRAN5-0S5\UBI |Z>>)F<+Lv`;bA=ںrZ+)~ly 5Jr50ںs[rCjLxcE8eNRcIycVO#!t4fƗYiTp*Om4{`69JJYTj^dӐ/]YiJUeщ&:MQjZc?ۯ/}Z0Y$=Xm7d#/Ry[9kT;~oM X,kG ʥ&_N>Cł1U0@G' cՒn4ݵX>% gB7R8X 'n/0s{YMF^]5X|tDWNDEnJ2\k˙^Dyj $Z$u,e!_`9bS{=3r1cT%'{+,&iqoͳ.0,&nX蜜Xp, Qqb7b~m>9ROF6ވڳbzXsMu5{îY_ŌVR\>dF5mFxr!5xo)$#ETTЍ~V%w>f~z*>Og~f#*_0u 5 ]@x8?AnKet6 ?{DǠD/K> cnRrtd7%eRS[ٓ)8G@`m̬DGRSd&d&48o40/< roEVI 9b ܝ>-<#9a=d)1W`w|35$dV)j y9nXqhyr0ra%?pБ`'r){KI~k47?__RB7FDu2t082*%cH5 xE Aߟ{=>I1- œ5"t B;wII!5Q"F %,ǰglELN[WDHakL7 ȧn犱1r T-"@a=Q#3)-+9:y_A(:* (NЫ8}(bEd7@O44(ϏB6DRKJLi$zs 6N40 uA9@"\2Gza~2?y :=*Xfébpܳ]:ovAN95'P=X:YK ^s)aR;A_xNR] $BqнӜh^Zf!oXֿ2 ><Rh̘_[UD*uMԁRk]j9 @] YQ^&"Ӕ\ BI]t/ (HZ w{Pɾ tP c3bqOtv0 {MZ&GUӽ$G ޔ¶V-J-uuO>w>v.Wם> +1z;d6MƋBrY2 6Sfr{j\ ‹XqxYx>+b,.6/~D0/& ƅ^-ӄ-xa urr|l%6Ng%^NˢW#Ǯ#u$[}uR@_*GM* I8S^}'vԼV(:r<ɿ-VN~9H'vN1?CN?|:Yg}~C:9CL2'ϽB^Ng>ծy3?0_<ߋ^~.rsE}^}^'e/?A3?#'/ra~/s2.a.s # _9 *>UNk{9{9s >#a|r )7{C7MN7@79^$)gVpv('\hK"~)/P9uϑgsvnV`{Jg+^W k{WK0Tt[T쵊cn5k:vB__eqb?AZ̥-c@#]qN8GUts \< x x$> CG0sKk>xwY몮,j8“m(!9q}2opفOj] ߊč, | H0(Zχn9#|@/Oxg v>赏?^wYj7@i__Wm̦d󰡲i)N(Ѵ~P+"D794\9|B8s ;wMm=SO_ NW镺.{0Áa[@ o6*VZ;5" #O1Q5YUdF.j^ޯL3DAI3 .3M^ed FMȡ!,pCFJ]#DK( |@-|1"1 ͛Y-Mu?/ {_A G<8)܁2> >@͝mNu+j6d9?϶`` _X&neP! ؒ:VOD-#E 1N>@ƬLܙx,N~f+g -cV rߡRR-&CNuOȅ`" >oQ^ܺg]N* X2<#A_3˸ 2d jJrXwN$ϑ/gɉF-yCObC_uqtuy9L"k^/4SIpp16`$7Ɲ0b18Xpb f bTAn3 &`T .Lt j1I55~ɑL(^ V1 kDFXd6"V\ޞ31 M!ŇAchl AnӕsX=ڸQg{eIEs5 X =cU?}wΤ Md .^dN*L0@O^gg◠ 0ML+fAl! :2wIo"WS ?Y6 WJL’"e'xIl @C׽~rh=)L|\k֊<#!1苄IMC Vj͙*u9wɰ\\,AOd=:r]+~Ōҷ%,J$Xm%۹b$ӧ6&'sEz=6~o,"UͶ U1^{ 3E3$(z< ASy8A}FW'_5 b gi&5@ gQlVxSDN]czl0)u+ 9نTZvAoL3[Y,&/ă_| Њ/bzRoF'gArD~{J}&*P=fZ;] v,0%^z'{ik3G}c[VeلݡK_!8F1^d L*KbHI@>evEE`C0^|mD$u@Ч togTÉt |! SC@_܅eNVhJm[)uh2-1O MX^ة;qVG 3>&rx{Kk>kSbчee d|%_Ox®~[Qxs%9m<` G&$߀*0u 9@+7A{HJ B O]آO?ވ\ PTjӟ‚WvlZ@cy aYff;I) 3/U@Dv'˫Hvxm< ^:ul뎮E{fuݎ¼жJW`mR>GK]f'[٧2й=-RO/7oan73T %` GYU`Z+r ǩkWVxx }u+y!0 *ɟ=zTI޶7(G,cݴ Q`[:*6 n۲ uyDM7(-'my#Q1V)?Hl}}Xԋka1 g'[yүy~{##>g~wxur 2m^9FfB~eaԐDZͼ*;҆g'rQ\F$#00/y╔ulm=GPX1+ R9(t3> # iGۂv<Ӎk[ƜIrzsgdC^HVlewɵ^2_g^٠C<g`)Ԉ|rZ$?aHb V3|7ZО36C' Sga+b2z(ͦ,1_<,@} P& =`B4igA0}Us!]7L~s'Wi< xTg UhՔ;IhdMn+:cSEᘸe=+Fs>{jZ~ )CUk̹D/4R_JC\rx5 }OTfr$N,qg;f¦[Hxb&fղ](