Truthful security disclosures should always be legal. Period.

Originally published at: https://boingboing.net/2018/08/15/truth-is-true.html

Perhaps the answer is to go create meta CVEs and placeholder CVEs (until disclosures can be safely completed) directly mentioning that their products are hampered by such legal and extra-legal non-disclosures. This way the purchasing powers that be can be educated to have a better understanding of the lack of security diligence of the products and services being sold.

One of the disconnects is the security part of it. To torture an analogy, it’s like discovering the lock is busted on someone’s business. Say, a dry cleaner. Do you tell the business owner, wait some time, and if they don’t fix it, tell the customers? Or just tell the customers so they can get their clothes out of there before someone bad discovers the broken lock and steals everything? How do you balance things?

Telling the owner first seems best, if they quickly fix the lock. But the longer they take, the more likely bad guys will steal all the stuff. So how long do you wait?
Or do you go public, knowing some people aren’t going to hear you and crooks will get their stuff before they can?

So there’s obviously some sort of judgement call. What makes no sense is for the business owner to blame you for checking the door and declare the state of the door lock to be secret information you only learned by rattling the handle without permission.

In this analogy, odds are the crooks knew about the broken lock long before you did, and already stole all the store’s contents without the owners or the customers knowing.

That’s pretty crappy of Mozilla, actually, when you consider how much they blow their own trumpet about how pro-freedom they are.

I’m fairly certain that in reality, no-one knows the odds.

Which is perfect, because it allows each of us to impose our world view on what the odds should be, and then have spirited discussions on how we should form policy based on what the odds “are”.

God, it’s such a self-fucking by these companies to try and push security disclosures into the black hat world.

Hackers (using the generic term here, not the media version) will try and break your product, because some people just live for that shit. Making it illegal isn’t going to stop them, it just guarantees that once they find it, their only pathway to making their lifestyle profitable is selling these zero-days to malicious hackers.

Smart companies accept this reality, but there’s always that “genius” with an MBA, a position they only got through bullshitting, and a permanent case of rectocranial impaction that thinks that they’re gonna intimidate some half-sane authority-hating supergenius with a very developed sense of (idiosyncratic) morality instead of, y’know, pissing them off and making sure that they want to fuck with you. Good move there, buddy.

Numerically, no, I can’t give hard odds, but there are more than enough breaches to determine that the odds of the crooks getting in first are not low enough.
