undefined | Better HN

0 pointscrankylinuxuser8y ago0 comments

So, obscurity is responsible disclosure? Cause being "closed disclosure" is being obscure.

A root password solves this issue. Its seconds to implement and helps right now.... Not "later" as closed disclosure does.

I'd rather know every error and critical bug. I can bring up with our team and decide now to either sudo service * stop or continue.

Your closed options keep the fact I'm vulnerable away, along with any pathways I might have to fix.

0 comments

BinaryIdiot8y ago

This is a rather limited view point. You forget the majority of macOS users are NOT technically savy. This is why responsible disclosure is so important as it gives tech companies time to create and push a fix to protect their users.

Disclosing this immediately puts those people who can't setup enable the root and set its password into more harm's way.

AlexandrB8y ago

> Disclosing this immediately puts those people who can't setup enable the root and set its password into more harm's way.

Let's be clear - Apple put their users in harms way by letting a bug of this nature slip past testing. Disclosing "responsibly" would certainly be nicer to users, but mostly it would be nice for Apple by helping mitigate the bad publicity.

adamwk8y ago

Apple isn't the first company to have security bugs. Is this how all 0days are to be reported?

crankylinuxuserOP8y ago

> You forget the majority of users are NOT technically savy.

Fixed that for you.

Sorry, I'm not going to cater to the lowest common denominator of "users". If my system has a hole, I want to know so I can get in a fix or shut down that particular feature until its fixed by a vendor.

Ive only 60k machines and 40 clients that depend on that decision. And they agree with me. If something's broke, I can analyse how it breaks and if it impacts us. If it does, we can triage it. I can do a damage assessment. I certainly can't do that if it's being sold on the darknets and whispered.

sjwright8y ago

> I want to know so I can get in a fix or shut down that particular feature until its fixed by a vendor.

That assumes you can shut down that particular feature without crippling your business operations. If my system had a hole, I'd prefer that it were disclosed to the vendor before it's disclosed to hackers, adversaries and foreign governments.

jachee8y ago

So, if if find a security bug with your product, you prefer that I publish it directly to twitter as a 0-day?

crankylinuxuserOP8y ago

Yes. Ideally you would also ping me in your public release, so I know whom to pay. Because that would also for be the users benefit to know to either fix, firewall, or not use until software is deployed.

I've seen the dark side where this leads. It leads to BTC transactions and 0days bought and sold. That's the worst, further past scrappy company sitting on exploits.

I strongly believe in transparency. It empowers users and admins more than any other option out there.

thetruthseeker18y ago

I think the responsible way to handle it is, you inform Apple in a closed way. Once they come up with a fix, if you think they didn’t come up with a fix soon enough, make that information public then on how long it took Apple to turn this around. Disclosing every vulnerability to the internet and setting their ass on fire is not a good way to solve this IMO.

azernik8y ago

Obscurity is not long-term security, but it can buy you a bit of time to get a fix released and pushed out to users.

j / k navigate · click thread line to collapse

0 comments

BinaryIdiot8y ago

Disclosing this immediately puts those people who can't setup enable the root and set its password into more harm's way.

AlexandrB8y ago

> Disclosing this immediately puts those people who can't setup enable the root and set its password into more harm's way.

adamwk8y ago

Apple isn't the first company to have security bugs. Is this how all 0days are to be reported?

crankylinuxuserOP8y ago

> You forget the majority of users are NOT technically savy.

Fixed that for you.

sjwright8y ago

> I want to know so I can get in a fix or shut down that particular feature until its fixed by a vendor.

jachee8y ago

So, if if find a security bug with your product, you prefer that I publish it directly to twitter as a 0-day?

crankylinuxuserOP8y ago

I've seen the dark side where this leads. It leads to BTC transactions and 0days bought and sold. That's the worst, further past scrappy company sitting on exploits.

I strongly believe in transparency. It empowers users and admins more than any other option out there.

thetruthseeker18y ago

azernik8y ago

Obscurity is not long-term security, but it can buy you a bit of time to get a fix released and pushed out to users.

j / k navigate · click thread line to collapse