Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Blogs
    • Security Watch

    Responsible Disclosure Remains in Murky Waters

    By
    Brian Prince
    -
    June 14, 2010
    Share
    Facebook
    Twitter
    Linkedin

      The issue of full disclosure has come up in two prominent examples in the past week.

      The first was the discovery that AT&T’s Website had been exploited to swipe e-mail addresses of Apple iPad owners. The second was the disclosure of a vulnerability affecting Windows XP and Windows Server 2003 by a Google engineer.

      History has shown us companies tend to respond faster under the threat of public scrutiny than without it. But when does disclosure cross from responsible to irresponsible? As these two incidents show, the rules governing the idea are cloudy.

      In the case of the AT&T leak, it is a disputed question. Here, Goatse Security found an aspect of AT&T’s Website that allowed the group to acquire the e-mail addresses of 114,000 Apple iPad 3G owners from an AT&T Web server. The group admits it did not contact AT&T directly with the findings, but contends that it made sure the security hole was closed before going public with what had been found.

      However, Sean Sullivan, security advisor of North American Labs for F-Secure, told eWEEK it was “completely irresponsible” for Goatse Security to grab actual data.

      “There is no reason why the Goatse Security group needed to write a PHP script to automate the harvesting of data,” Sullivan said. “Once the vulnerability was confirmed, it should have been reported to AT&T. Continuing to harvest the data should be considered criminal. They only did it to sensationalize the issue and they are guilty of violating personal privacy.”

      This, then, leads to possible boundary No. 1: Do not launch an exploit of a vulnerability that you find. However, a successful exploit is the surefire proof that a vulnerability is actual and not theoretical, is it not? Also, not disclosing an exploit presumes attackers have not already come up with the exploit themselves.

      Incident two: Google engineer Tavis Ormandy gave Microsoft five days to patch before going public with a vulnerability, essentially forcing Microsoft’s hand. The day he went public (June 10), Microsoft published an advisory warning of the bug. As of June 14, the company has yet to say when a fix will be ready.

      But whether five days was fair play or not depends on whom you ask, as Microsoft countered on its Security Response Center blog that the workaround proposed by Ormandy can be circumvented easily, underscoring that more time was needed to come up with a solution.

      Ormandy was responsible for catching several of the bugs patched in a recent update to Adobe Flash Player, noted Andrew Storms, director of security operations for nCircle, who speculated that the recent sparring between Microsoft and Google may have played a part in the decision.

      “It’s interesting that he chose to report these bugs to Adobe and not go public before they fixed them,” Storms said. “This discrepancy in behavior is sure to add to the ongoing speculation about his motives with the Microsoft disclosure.”

      In his announcement of the bug, however, Ormandy stated that he was working on his own, and not on behalf of Google.

      “I would like to point out that if I had reported [the issue] without a working exploit, I would have been ignored,” Ormandy wrote. “This document contains my own opinions. I do not speak for or represent anyone but myself.”

      Companies surely need sufficient time to patch. But just what is sufficient time? One month? Two?

      Fundamentally, both these cases show that responsible disclosure is still a swamp full of murky water, so perhaps, then, the only thing really clear is what history has shown us — security by obscurity does not work, and if there is a one-size-fits-all approach to full disclosure, it hasn’t presented itself.

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×