« Win32 CRITICAL_SECTION efficiency and overhead | Main | Self promotion for the technical consultant »

January 19, 2005

Whitehats, Blackhats, and Asshats

In the news recently was a discussion of security vulerabilities in Mac OS X, and it was the same kind of thing we see from time to time on any product. The technical details of the vulnerabilities aren't that important, but the method of discovery was.

from the article:
The company [ImmunitySec] originally found the flaws in June and published them to a private list of customers but did not notify Apple. It published the flaws on Monday, after presenting them at a seminar. (emphasis mine)
Though I don't share it entirely, there is a principled case for immediate, DJB-style full-disclosure without vendor notification on the grounds that it most rapidly achives "fixing the software" and "creating incentives to be secure".

But I cannot think of a principled reason to privately circulate vulnerabilities - and presumably their associated exploits - and then go public without any vendor notification.

ImmunitySec are Asshats.

Posted at 08:49 AM |

Comments

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)

ABOUT STEVE

  • Steve Friedl is a software and network security consultant in Southern California. He has been a C and UNIX developer since 1981 and has an exceptionally broad background in this area. Some areas of expertise include:

    • C and C++ systems software development on the UNIX and Win32 platforms
    • Communications, including serial and TCP/IP based controllers
    • Enterprise internet security administration and configuration
    • Penetration tests, audits, and network reviews
    • Security forensics, reverse engineering, and tools development
    • General UNIX and Windows system/network administration
    • The Windows Printing System
    • Database software development
    • Technology problem solving and research
    • Technical writing and standup training

Recent Posts

Categories

Archives

Unix Wiz

Stephen J. FriedlSoftware ConsultantOrange County, CA USA[email protected]