Showing posts from November, 2017

Public Disclosure Shaming SO HOT RIGHT NOW

Obviously I'm going to employ that very popular zoolander meme. Because i think InfoSec (not exempt unfortunately in its vulnerability to group think hypnosis) is becoming this meme.

Critically speaking:
The amazing culture that has taken over what seems to be a large section of the InfoSec community is to shame and lambast people who publicly report bugs. This is done with the notion that exposing potential attackers to knowledge of the bug somehow makes matters worse.  (If i understand it correctly)

Couple interesting questions:

Will lambasting and shaming cause more people to make us aware of the bugs?Does it really make things worse for users?How much worse is this worse for users? Can we argumentatively determine the weight of the worse-ness for users?Is it always always better to only report to the vendor?Is every bug when reported publicly immediately worse in effect before the vendor responds? Now that last question is the ringer for me. I'll start with this one: "…

[InfoSec Rant] "Unspecifying" vulnerabilities is a vulnerability for vulnerability specification.

There is a practice in the information security world in which vendors issuing statements about the vulnerabilities reported to them can withhold as much information as they like; reducing what is meant to be helpful identification and declaring of software errata as another place for companies to save face. It is literally like someone writing a book and lying about things they got wrong so the book keeps selling- given the strong language parallels I can make here this analogy is quite applicable! Essentially capitalizing not only on software but also on the errata of their software. Which is to say they make money from making mistakes in the way the have essentially declared they will make money i.e. "We said we would sell you this wonderful software, but it turns out is completely broken and possibly doesn't do anything we initially promised it does; so in order to preserve our rights to say it does the initial stuff we promised we are not really gonna tell you why the s…