Disclosure Debate On Security Problems
David Utter Staff Writer
2007-03-16
PHP security expert Chris Shiflett has posted about a flaw in Amazon's 1-Click process that he reported to Amazon a year ago and that does not appear to have been fixed. His discussion of the issue raises the broader question of when publicly disclosing security problems is justified.
Does it do more harm than good to talk about security problems? It's been a debated topic for years. Microsoft has frequently been part of that discussion, criticizing security researchers who publicize flaws before they can be patched.
The argument has been that security issues don't get fixed without publicity. That may have been the case years ago, but most companies have become better at listening to researchers and fixing the problems they find.
Shiflett does not think Amazon has gone far enough in resolving the issue he reported to them in March 2006. He has posted his description of the 1-Click problem he found, along with supporting documentation.
The problem still exists, Shiflett claimed:
After some mild prodding, I finally received a reply letting me know that my email had been received, the vulnerability had been verified, and Amazon considered fixing it a top priority.
Despite my prodding, the vulnerability remains a year later.
I feel like Amazon has exploited my cooperative behavior and placed me in a moral dilemma. In fact, at this point, I feel like I've already done the wrong thing by withholding this information for so long. The silence ends today.
Here is where the sticky part begins. On the side of disclosure, the vulnerability has existed for at least a year. Given how quickly attackers build exploits for disclosed issues before every user can patch, a year may as well be a geological age. Talking about it gives the bad guys nothing they had not already worked out themselves or obtained from someone else.
The other side holds that security issues should never be discussed publicly, even when the company in question has not addressed them, no matter how long it takes to address them, if ever. By this view, public disclosure only hands someone who did not know about the problem a brand new exploit to probe.
One person complained to me about my coverage of the problems SecLists.org faced after its registrar, GoDaddy, quietly dropped the SecLists domain records at the behest of MySpace. That happened because a single page, out of the quarter-million on the site, contained a username/password list of thousands of MySpace users that had already been in active circulation on black-market sites for at least several days.
We disagreed on how GoDaddy handled the problem. The writer held that any business should be able to shut down another site at any time with a phone call; I disagreed, seeing that as not just a slippery slope to Big Brotherhood, but a vertical one as well.
It is a difficult issue, and one that will get Amazon's attention if it has not already. One commenter on Shiflett's post thinks the problem may have been fixed; another takes the same view as the GoDaddy supporter and criticizes Shiflett's post as a "self-serving morality play."
Who's right?
---
Tags: Computer, Security, Disclosure
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.