Gary McGraw wrote:
> Later, we could disclose the problems responsibly, keeping a short leash
> on Microsoft, Netscape, and Sun without ever resorting to FULL
> disclosure. Our goal was to get the problems fixed with no nonsense.
> The companies also allowed the press to be responsibly involved.
Are you familiar with the backstory on this one? While I acknowledge
there is controversy on who is telling the truth, here's the 60-second
summary, according to how I believe it happened. (And how I believe it
happened is important, because other researchers also believe this, and
are acting accordingly.):
-Researchers show video demo at Black Hat of an attack against a
wireless driver for a third-party NIC on a MacBook. They poke fun at
Mac users. They claim it works against the driver for the built-in
wireless, too. (They also claim it works against Windows drivers, *nix
drivers, etc., but no one cares for purposes of the controversy.)
-Reporter reports it, uses sensational headline, backs up their story
about the built-in card driver being vulnerable, too. Says researchers
claim Apple "leaned" on them to remove the video demo of the built-in
card exploit.
-Researchers claim they told Apple. Apple denies it to reporters.
Apple issues press releases denying it. Apple PR person goes on record
as claiming Apple was not given one shred of evidence. Employer of one
of the researchers appears to be keeping both researchers from saying
anything to defend themselves.
-Apple releases patch for the vulnerability (so says one of the
researchers) and Apple claims credit for finding it.
So, if you believe the researchers' side of the story, the press WAS
involved, Apple denied it, threw around legal threats to gag the
researchers, and then stole the credit.
Ergo, the next set of researchers (who tend to believe the first set of
researchers) say screw Apple, and release details in such a way that
there can be no denial of what they found.
Researchers will tend to take the word of other researchers over the
vendors, and some researchers already have a tendency to just publish if
they get flak from the vendor anyway.
The actual hard truth of the situation isn't critical; the researchers
will behave according to their perception of what happened. While I am
extremely interested in the hard truth for this situation, we don't have
it yet, and we might never. I don't particularly want to debate the actual
truth here, and I'm pretty sure Gary doesn't want us to, either. If you
want to read a very good counterpoint from someone who believes more of
Apple's side of the story, Dave Schroeder posted a detailed response on
my blog entry that I referenced earlier. If you want to debate me on it
in particular, please feel free to do so there.
Again, the important bit is how Apple appears to behave, to people like
the researchers. I have the same bias, and if I were any good at
finding kernel vulnerabilities, I'd be treating Apple the same way about
now.
BB
(Apologies for the length. I've already been debating this for a few
days, and Gary DID invoke the Full Disclosure debate.)
_______________________________________________
Secure Coding mailing list (SC-L)
[email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php