undefined | Better HN

0 pointsCodeWriter238y ago0 comments

So, security through obscurity. No thanks. I'd rather know about the exploit ASAP so I can implement a workaround, rather than wait months for the vendor to get off their ass while my systems are getting hacked by the hundreds if not thousands of hackers that have 0-day knowledge.

Calling what you describe as "Responsible" is intellectually dishonest.

0 comments

4 comments · 2 top-level

will_hughes8y ago· 1 in thread

Perhaps you can write a patch or mitigate effects of (say) an OpenSSL bug. I can't. Certainly not for the myriad of devices that embed well known libraries in firmware images that I don't get to modify myself.

I'd much rather that those things which are remotely exploitable across millions of devices to be kept quite for a small period of time (30-90 days depending on the complexity of the fix required) so that I can get patches from our vendors and schedule an update at the first available opportunity.

You might call it security through obscurity, I call it keeping shit from burning down.

CodeWriter23OP8y ago

There are numerous potential workarounds besides authoring a patch. And they can be distributed in a user-accessible fashion, like the workaround for the macOS blank root password was.

Not telling the world about it does not keep shit from burning down. Eliminating vulnerable targets is the only thing that does that. And that is more expediently served by full and prompt disclosure.

daveFNbuck8y ago· 1 in thread

What do you think it is that I'm calling responsible? I'm in favor of the public disclosure for this particular bug, and that seems to be your position too.

CodeWriter23OP8y ago

Sorry, I man-read your first sentence then hit reply. Please accept my apology.

j / k navigate · click thread line to collapse