Firm To Release Database, Web Server 0-Days
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to the conclusion that, to put it simply, it is a waste of time. Now, we do not contact vendors and do not support the so-called "responsible disclosure" policy,' Legerov said."
Re:What's up with the confusing article title? (Score:3, Informative)
Firm To Drop Database, Web Server 0-Days
The verb "to drop" has a specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:
Fed-up security firm to release Database & Web Server vulnerabilities publicly
Look at how much more information is conveyed in that second title. A work of beauty, it is.
In the submit story page, your proposed headline would look like:
Fed-up security firm to release Database & Web Ser
See how it truncates?
Re:What's up with the confusing article title? (Score:3, Informative)
PS: Wikipedia was compliant; it should be applauded for its effort.
Re:Responsible Disclosure (Score:3, Informative)
Yes, but it's unrealistic to expect that if researchers didn't publish attacks, there wouldn't be any.
Somebody found the hole. It can't be that they're the only person on the planet who could possibly figure it out. Eventually somebody else will find it too, or maybe already has. If that person happens to have something malicious in mind, they won't publicly disclose it. They'll exploit it for their own gain, or sell the information to people who will do that.
If nobody disclosed vulnerabilities for the public's benefit, they'd never get disclosed until somebody got hit with them. First somebody would perform a successful attack, and a postmortem examination would eventually result in figuring out what happened. But doing things this way means at least one victim is 100% guaranteed, and nobody can prepare for it in advance.
Re:Is it just me? (Score:2, Informative)
It's a high concentration of words and/or phrases having overloaded meanings. As technology develops, normal words acquire additional connotations, if not denotations. Since this is a tech-oriented news aggregator, you should select the tech connotation first, then re-parse with non-tech meanings if that fails.
'Drop' in this case can be parsed in the sense of 'vendor drop', meaning 'deliver' or 'drop a bombshell'. Not typical usage, but not uncommon. 0-days obviously refers to vulnerabilities, and conflated would refer to details of the vulnerabilities.
So it's valid, but potentially confusing.
Re:Irresponsible (Score:1, Informative)
What he seems to be saying is that he's already told the companies and they've done nothing.
As the architect for one of the products listed I can say with certainty that our product team has not been contacted with any vulnerability info. I'm all for open disclosure, but I wish the authors of each piece of software would be given a heads-up slightly ahead of time.
Re:Responsible Disclosure (Score:5, Informative)
Exactly. The GP is seeing the world in black-and-white, where reality has many gradations in between.
Naive responsible disclosure: give it to the vendors. They do nothing. The bad guys figure it out. Everyone loses.
Irresponsible disclosure: hand out a zero-day to the bad guys. Everyone loses.
Effective responsible disclosure: disclose it to the vendors along with the promise to disclose it publicly on a scheduled date.
It should be noted that the third way is how CERT does things, and is the only way that the end users stand a chance of not getting screwed. It is important to make it clear that the vulnerability will be released to the public on that date no matter what. It is also important to make this date no more than two months in the future. Make the time frame too short and you're accused of creating a zero-day exploit. Make it too long and they won't bother looking at it until a week before, then they'll tell you that they can't fix it in time, and they'll accuse you of creating a zero-day exploit. There's a middle range in which it's close enough to scare the pants off of the manager types but far enough out that the fix can actually happen.
Most importantly, though, if the vendor doesn't fix it, you must disclose it anyway. Otherwise you lose all credibility, and vendors will simply put off fixing the problem because they'll assume that you will keep backing down.
Re:Responsible Disclosure (Score:5, Informative)
That's really not fair either.
Many bugs that are security related are a result of interactions that people simply didn't think of as possible. While bug-free code is desirable, and possible, would you be willing to pay 10 times more for a "provable" product? 100 times more?
Look at the space shuttle code. Provable software with an average of something like 2 man-years per line of code? Is that realistic for consumer or even pro commercial software?
On the flip side, I abhor this type of disclosure as well. I think 0-days should be forwarded to the vendor and given at least 90 days before release. Hell, set a timer on it; even say the following timeline would be OK(ish):
discover exploit: notify vendor
notification + 1 week: notify world of nonspecific vuln in product
notification + 1 month: notify world of type of vulnerability
notification + 2 months: notify world of specific vuln
notification + 3 months: notify world with exploit code.
-nB