[ISN] Debunking Google's security vulnerability disclosure propaganda

From: InfoSec News <alerts_at_private>
Date: Wed, 29 Oct 2008 00:05:11 -0600 (CST)

By Chris Soghoian
Surveillance State 
October 27, 2008

Question: You're a multibillion dollar tech giant, and you've launched a 
new phone platform after much media fanfare. Then a security researcher 
finds a flaw in your product within days of its release. Worse, the 
vulnerability is due to the fact that you shipped old (and known to be 
flawed) software on the phones. What should you do? Issue an emergency 
update, warn users, or perhaps even issue a recall? If you're Google, 
the answer is simple. Attack the researcher.

With the news of a flaw in Google's Android phone platform making The 
New York Times on Friday, the search giant quickly ramped up the spin 
machine. After first dismissing the amount of damage to which the flaw 
exposed users, anonymous Google executives then attempted to discredit 
the security researcher, Charlie Miller, who's a former NSA employee 
turned security consultant. Miller, the unnamed Googlers argued, acted 
irresponsibly by going to The New York Times to announce his 
vulnerability instead of giving the Big G a few weeks or months to fix 
the flaw:

    Google executives said they believed that Mr. Miller had violated an 
    unwritten code between companies and researchers that is intended to 
    give companies time to fix problems before they are publicized.

What the Googlers are talking about is the idea of "responsible 
disclosure," one method of disclosing security vulnerabilities in 
software products. While it is an approach that is frequently followed 
by researchers, it is not the only method available, and in spite of the 
wishes of the companies whose products are frequently analyzed, it is by 
no means the "norm" for the industry.


Register now for HITBSecConf2008 - Malaysia! With 
a new triple-track conference featuring 4 keynote 
speakers and over 35 international experts, this 
is the largest network security event in Asia and 
the Middle East! 
Received on Tue Oct 28 2008 - 23:05:11 PDT

This archive was generated by hypermail 2.2.0 : Tue Oct 28 2008 - 23:08:33 PDT