
September 6, 2005 4:00 AM PDT

Bug hunters, software firms in uneasy alliance


(continued from previous page)

but instead the company is unhappy about the way he went about distributing the information to the public.

"This incident violated aspects of normal protocol for dealing with security flaws," said Bob Gleichauf, CTO for Cisco's Security Technology Group. "And we are real sticklers for protocol."

But it seems that there have been several instances where Cisco has had similar problems in its dealings with researchers.

Early in 2004, Paul Watson discovered a flaw in the TCP/IP protocol that could be exploited on a number of networking products, including Cisco's routers. Watson said he initially e-mailed two of Cisco's engineers, who responded promptly. They were helpful and even contributed some thoughts and ideas to his research, he said.

But once the issue was identified as a serious security risk by the legal team at Cisco, the tone of the communication changed, Watson said. Cisco still wanted information from Watson, but no longer responded to his queries. Watson provided Cisco with several possible methods to correct the problem.


Frustrated by the lack of communication with Cisco, Watson decided to present his research at the CanSecWest Security Conference in April 2004. In a scenario similar to that at Black Hat, Cisco and the U.S. Department of Homeland Security asked the conference organizer to pull the talk. The request was denied.

The impending talk spurred the company into action. Fixes were released a few days before the conference. However, Cisco not only provided patches, it also patented a fix for the flaw. This raised fears that Cisco might charge for the fix, which also affected other vendors, although Cisco did not.

"I was shocked," Watson said in an e-mail. "It really broke my trust in them." Cisco, like other software makers, wants security researchers to report flaws privately and have time to patch before disclosure, but Cisco took advantage of this period to apply for a patent, he said.

Playing it smart
A similar situation played out about a year later. Cisco tried to patent a fix to a flaw in the ICMP protocol that was discovered by Fernando Gont. The researcher outsmarted Cisco by documenting his discovery and the fix, and also by sharing the information privately with the open-source community and the Internet Engineering Task Force, a standards organization.

Mary Ann Davidson, chief security officer at Oracle, sees security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on News.com. "The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so," Davidson said.

Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided.

Oracle chided Kornbrust as irresponsible for disclosing the data.

Although not entirely happy about his dealings with Oracle, Kornbrust said it is not an adversarial relationship. "Hostile is not the right expression. I did get feedback from Oracle," Kornbrust said. But that was only immediately after he reported the bugs. Oracle did not give Kornbrust updates on how it was addressing the problems afterwards.

"Oracle supports guidelines for responsible disclosure. One of those guidelines is that the company should send out updates to the researcher. They don't," said Kornbrust, who runs Germany's Red Database Security.

In the past, many hackers and security researchers outed glitches without giving much thought to the impact the disclosures would have on Internet users. Software makers have been working to provide a channel for disclosure. Several have also established patching schedules. Microsoft releases patches every second Tuesday of the month, and Oracle has a quarterly schedule.

Still, the debate on responsible disclosure rages. Recently the French Security Incident Response Team, or FrSIRT, was the subject of discussion on a popular security mailing list. FrSIRT, formerly known as K-Otic, releases details on vulnerabilities and also publishes exploit code that could help attackers. Sometimes the holes aren't yet patched. Other than helping FrSIRT sell its service, what good can such publishing do, critics have asked.

"With our dependency on IT systems, responsible disclosure is of paramount importance," said Howard Schmidt, an independent security consultant who has served as cybersecurity adviser to the White House and security executive at Microsoft and eBay.

Technology companies that are not responsive to security researchers do pose a problem, Schmidt said. He suggests that the government, specifically the US Computer Emergency Readiness Team (the Department of Homeland Security's Internet security agency), could act as an intermediary. "And then perhaps the government could put some pressure on (technology companies)," he said.


8 comments
Excuses
by Andrew J Glina September 6, 2005 4:58 AM PDT
Ferris says he has a right to break/bend the rules if Microsoft takes six months to fix a flaw, but the one he is talking about he reported on August 14. Must be a problem with my calendar.

Since Microsoft tries to issue patches once a month, perhaps six weeks would have been a reasonable wait until he used his discovery to promote his website.

Doesn't bother me anyway as I am using Opera!
Simple Common Sense Answer...
by September 6, 2005 8:18 AM PDT
The negotiation of detente as to who and when information about a software flaw is disclosed is an embarrassing waste of effort.

Software will always have some sort of flaws, be they mechanical, logical, or whatever. Since you know this a priori, and also that there's a tendency to exploit such flaws to undesirable ends, it behooves all involved to have in place a contingency for dealing with the exploit. It really doesn't matter whether it's brought to the fore by public disclosure in a news article, accidental disclosure in a web forum, or by release of self-propagating exploit code.

One need only assume the worst possible scenario and plan for that. This applies not only to software vendors, but also to consumers who must be prepared to take things (apps and even hardware) off-line on a second's notice, if necessary.

The most dangerous exploits are not those that are publicized or cause obvious problems; they are exploits that operate by silently transmitting, redirecting, and modifying information. A company whose network is slowed to 10% its speed is inconvenienced, but a company whose research is quietly transmitted to a third party for resale without any hint is one that's more than inconvenienced.
Need for independent (and secure) disclosure
by qazwiz September 6, 2005 8:57 AM PDT
We have a very tricky situation when it comes to security holes and their patches. If we don't watch it, there will be chaos in and through the patent office.

One hundred years ago, if you created a widget you could patent it. If someone found a way to improve your widget they could patent the improvement. This allowed them to sell their improvement.... but not the widget that it improves. (Check your land line telephone; it probably has a dozen patents listed.)

Now in the land of software widgets we see this occurring... a gentleman found a flaw and reported the fix to the company, who tried to take advantage of the good man by trying to patent his idea (the fix to their problem). It appears that persons who find flaws AND create repairs should patent the fix so the company doesn't screw them.

When Eli Whitney patented the cotton gin (an enGINe that removed seeds from cotton) others tried to make subtle changes that did the same thing.... the courts ruled in favor of Mister Whitney because all the other versions had the same "Look and Feel" (my interpretation).

Should anyone else try to make a patch it surely will have the "look and feel", so thus comes the quandary.

How do we keep holes hushed up until a fix is found but protect the rights of the discoverer and get the consumer the fix in the quickest possible way?

If we don't watch it we will create an industry of patent fixes being sold to the 'fools' gullible enough to buy products that should be code named "Swiss Cheese".

My thought is a non-profit organization that acts as a conduit for security problems and has a set schedule for disclosure. While a problem that is submitted with an acceptable fix (how to determine acceptable?) should have a faster release schedule than one without a fix... (days instead of weeks), there should be few if not no reasons to allow extending a set schedule of: report to company; give 2 or 3 weeks to repair; publicly announce need to patch; and a week later explain the problem.

And the public should have public access to the number of items in each category in real time, and even the company's turnover time for repairs (two days is better than two weeks).

Unfortunately it probably should be funded entirely by tax dollars (I am a believer in smaller government) since it affects all Americans to some degree, and partial funding should be directed according to customers affected (problems times users = affected) (this will affect the companies to encourage better products). And since it is all software related, partial funding by taxing software itself is probable; remember even a game has the ability to affect security (though unlikely) (this will hit the consumer in proportion to its spending).

There could even be a rebate program for the companies with the least problems per customer to encourage them to produce better products (fair implementation, or rather its inability to be fairly implemented, will probably kill this idea).

The key here is in independence. Underwriters Laboratories and the Federal Communications Commission (aka UL [found on all electrical equipment] and the FCC [regulating the airwaves]) are two examples that come to mind. They (especially UL) regulate without dictating beyond their scope. UL prevents fire hazards without saying what you can manufacture, and the FCC keeps you from stomping on another's signal.

Likewise we need an agency to encourage quick repairs and protect everyone's rights.
Interesting...
by September 6, 2005 10:43 AM PDT
So, if you want to sink <insert vendor name here>, look for bugs in their software, patent the fix, then refuse to license it. Either they don't fix the problem, or they willfully violate the patent and earn you triple damages. Suddenly the wisdom of software patents shines through...
If I build you a house...
by OneWithTech September 6, 2005 11:30 AM PDT
....and the wood I used has bugs and I knew it, it would be my responsibility to fix the problem.

If a software maker is creating software with the knowledge that there could be problems, then it is their responsibility to fix the problem.

I can't make the taxpayers fix your house because of my workmanship, so the same scenario works for software makers too.

Take responsibility for your problems, don't pawn them on someone else.

~Justin~
Software Makers Responsibility
by OneWithTech September 6, 2005 10:40 AM PDT
When you create a piece of software, whether it be a database program or operating system, it is the responsibility of the manufacturer to maintain updates and security fixes.

When an independent security researcher finds a flaw and reports it to the company, his job is done. Now it is up to the software manufacturer to ensure that their software is not compromising critical data.

In the case with Microsoft, all is true. For the largest software company in the world, with the smartest people in the world, you would think that they could find their own flaws and fix them within days or even hours.

But this is not the case. As stated in the article by more than one security researcher, software companies like Oracle and Cisco get angry with independent researchers for exploiting the flaws publicly. Why?

These researchers are doing the job of the software manufacturers and getting little if any credit and no monetary reimbursement for their time. Yet these independent researchers do this to ensure public safety.

Companies like Microsoft, Oracle, and Cisco have plenty of money and once again "the smartest people" working for them. Yet in a scurry to try and release the newest piece of software they tend to forget the upkeep on titles they already own.

In retrospect, the public release of software flaws is the only way to get these companies to spend time on patches to ensure the security of the program.

With that said, maybe it's time for Microsoft and the rest of them to start finding their own flaws and releasing patches before the general public would find out. To me this is just simple logic! To them, the software companies, it tends to be more about money than security.

Kudos to all the researchers who exploit these flaws, because it's the only way that our society will be able to use technology without fear of losing your identity or, even worse, your life.

~Justin~
Yahoo IE7 Bug Security Risk
by realraghu October 30, 2006 9:00 AM PST
I am not sure if this is a known issue yet, but I encountered it yesterday.

This is how I reproduce it:

I have updated my browser to IE 7. I sign in using my login and password and check my Yahoo mails. I sign out using the sign out link and get the sign out complete page with the return to Yahoo mail link on the top. On clicking the return to Yahoo mail link I am redirected to my inbox without re-logging in. This is a huge security concern. If someone thinks he is logged out and leaves the system, anyone can re-login and access his mail by clicking the return to Yahoo mail link.
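The behaviour the comment above describes (signing out, then landing back in the inbox without re-authenticating) is what you get when logout only sends the user to a "signed out" page while the server keeps the session alive, so any replay of the old session cookie still works. The following is an added example, not code from the article, the commenter, or any vendor: a constructed in-memory session store with a `revoke_on_logout` switch that models the flawed and the correct behaviour side by side. The token values, user names and request handler are all assumptions made for the illustration.

```python
"""Illustrative session handling: logout must revoke the session server-side.

Added example (not from the article or any comment). The store, the
request handler and the user names are constructed for illustration.
"""
import secrets
import time


class ServerSessionStore:
    """Minimal in-memory session table keyed by an opaque random token."""

    def __init__(self, ttl_seconds: int = 3600, revoke_on_logout: bool = True):
        self._sessions: dict[str, dict] = {}
        self.ttl = ttl_seconds
        # revoke_on_logout=False models the flaw described in the comment:
        # the client is shown a "signed out" page but the server keeps the
        # session alive, so any replay of the old cookie still works.
        self.revoke_on_logout = revoke_on_logout

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[token] = {"user": user, "expires": time.time() + self.ttl}
        return token

    def logout(self, token: str) -> None:
        if self.revoke_on_logout:
            self._sessions.pop(token, None)  # server-side revocation
        # A cookie-clearing Set-Cookie header alone is not revocation: the
        # browser cache, a back button or a second tab can replay the value.

    def user_for(self, token: str):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < time.time():  # idle/absolute timeout
            del self._sessions[token]
            return None
        return entry["user"]


def inbox_request(store: ServerSessionStore, cookie_token: str):
    """Handler for a 'return to mail' link: 200 if the session is valid,
    otherwise a 302 back to the login page."""
    user = store.user_for(cookie_token)
    if user is None:
        return 302, "/login"
    return 200, f"inbox for {user}"


def replay_after_logout(revoke_on_logout: bool) -> int:
    """Simulate sign in, sign out, then a replay of the stale cookie.
    Returns the HTTP status the replay receives."""
    store = ServerSessionStore(revoke_on_logout=revoke_on_logout)
    token = store.login("alice")  # constructed user
    assert inbox_request(store, token)[0] == 200  # logged in as expected
    store.logout(token)
    # The old token reaches the server again (cached page, shared machine).
    return inbox_request(store, token)[0]


if __name__ == "__main__":
    print("flawed logout:", replay_after_logout(False))  # 200: still in the inbox
    print("proper logout:", replay_after_logout(True))   # 302: must sign in again
```

The detection angle for a defender is the same check the function performs: after a logout request, re-send the previous session cookie and confirm the server answers with a redirect to login rather than the protected page. The expiry branch matters for the same reason, since a session that is never revoked and never expires stays usable indefinitely on a shared machine.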