Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

The Case for Full-Disclosure: When The Public Cannot Trust the Researchers, the Media or the Corporation

There is major confusion about exactly what the Blackhat Apple wireless exploit represents. At various times it was reported to be a flaw in the OS, in the wireless driver shipped with the OS, or in a third-party wireless driver.

The security researchers claim one thing, the press claims another and Apple claims something else.

The researchers’ claims should be verified by an independent, accredited third party before being made public, or else the details should be released under full disclosure.

At this point in time and under normal conditions, it still seems to me that responsible disclosure is the way to go. But when very large claims are being made that can affect the public’s perception and someone’s reputation, full disclosure seems to be necessary.

Below are a few links that show the confusion. They are not worth the read:

http://www.secureworks.com/newsandevents/blackhatcoverage.html
http://www.macworld.com/news/2006/08/17/wirelesshack/index.php
http://www.itweek.co.uk/vnunet/news/2161673/apple-macbook-hacked-wireless
http://abcnews.go.com/Technology/wireStory?id=2267626&page=1
http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html
http://blog.washingtonpost.com/securityfix/2006/08/followup_to_macbook_post.html
http://blog.washingtonpost.com/securityfix/2006/08/the_macbook_wireless_exploit_i.html
http://blog.washingtonpost.com/securityfix/2006/08/intel_issues_patches_to_fix_wi.html
http://www.wireless-weblog.com/50226711/macbook_is_safe_from_wifi_exploit_after_all.php


2 Comments

  1. Thomas H. Ptacek Sep 22, 2006 at 10:55 am

    What does full-disclosure to a third party (who presumably isn’t going to divulge the details to the public; that’s the point, right?) win, other than some protection for the reputation of the researcher?

    And if protecting the researcher’s reputation is all we’re going for, it seems to me there are easier ways to do it.

    I think this industry needs fewer “reputable third parties”; we haven’t been well-served by the ones we have now.

  2. Kenneth F. Belva Sep 22, 2006 at 11:14 am

    I think there is some confusion here over what I mean by “The researcher’s claims should be verified by an independent, accredited third party before being made public and/or the details released with full-disclosure.”

    In other words, to maintain responsible disclosure — and that is the key — the details of the claims may be verified by a trusted third party so that party could verify that “It really was Apple drivers, or it was a third-party driver not installed by default,” or whatever the case may be. This would give the public accurate information without the fear that the vulnerabilities could be exploited en masse before the proper fix is released. This is the same effect the researchers hoped to produce by showing a video rather than the exploit itself (since it could be captured via wireless transmission and the vulnerability/exploit discovered).

    This effect of the public knowing the truth without full knowledge is different than your question that “What does full-disclosure to a third party (who presumably isn’t going to divulge the details to the public; that’s the point, right?) win, other than some protection for the reputation of the researcher?” The aim is not the researcher’s reputation, although that is a byproduct. This is similar to Microsoft giving details about the patch (and hence vulnerability) before it is released.

    The other route is simply full disclosure, in which all details are on the table. The consequences of this case seem self-evident to me, so I will not further discuss it.

    I hope that clears up any potential misconceptions.

One Trackback

  1. [...] In August it was Apple, now it’s Mozilla/Firefox. [...]
