Sending of Hacks to the Graveyard

[hambil]

Quote:

Originally Posted by bobster65

5) PLEASE DO NOT stop informing members of vulnerabilties!

I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

[quiklink]

Quote:

Originally Posted by hambil

I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

How do you possibly justify leaving an end user vulnerable for even 24 hours after you have become aware of a security flaw in your code? What part of this do you not get? What right do you possibly believe you have to put someone at continued risk for a security flaw on their system due to your improper coding? Let not stop to forget the legal implications to both the coder and Jelsoft. Sorry, a disclaimer saying 'we take no responsibility...' doesn't usually fly to well in court if you knowingly allow it to happen.

It would be like a food processor saying 'lets wait a day or two and see if we can find the problem and get it fixed before we notify the public that our food has been contaminated. I doubt anyone will get sick'...

Nobody likes to admit there is a problem, and yes it might even have a financial impact if you are selling the product. But you have an obligation to notify those who are at risk as soon as you find out about it.

[bobster65]

Quote:

Originally Posted by hambil

I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

Nobody suggested it or needed to suggest it, I made it part of my recommendation in case someone did happen to bring it up in the future, because I don't want to see that policy go away. One of the staff members asked that people provide recommendations, so I did. Not all of mine were based off arguments between members of this site.

As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known. Its not your decision as a programmer whether the client wants to disable or remove the hack while you are coming up with a solution, but it is your responsibility to inform then about the vulnerability. Asking for vBorg to delay an announcement is doing just that. I've yet to see anyone provide one positive thing about a delay to the end user. Giving the programmer 24 hours to work on the solution before the end user is informed is NOT a positive thing. The only thing that a delay does is give the author time to work on the fix while the client doesn't know about it and sits there vulnerable. It seems like the attitude from some is "Who Cares about the client, its just one more day".

Hambil, this is the point where we need to agree to disagree, cause Im not about to get into a pety argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

btw, for those that took my thread personal (since I wasn't pointing out anyone personally), you may want to take a long look in the mirror tonight as it obviously hit home.

[hambil]

Quote:

Originally Posted by bobster65

As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known.

Hambil, this is the point where we need to agree to disagree, cause Im not about to get into a pety argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

Quote:

It seems like the attitude from some is "Who Cares about the client, its just one more day".

I assume you have the best interests of the user at heart, even though I don't agree with your solution. Now that, is agreeing to disagree.

[quiklink]

Quote:

Originally Posted by hambil

I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

Leaving an end user vulnerable IS unprofessional. As to a selfish agenda, any delay in notification is only to the benefit of the coder not the user...

[hambil]

Quote:

Originally Posted by quiklink

Leaving an end user vulnerable IS unprofessional. As to a selfish agenda, any delay in notification is only to the benefit of the coder not the user...

Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or wrote security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

[quiklink]

Quote:

Originally Posted by hambil

Immediate notification does not automatically mean the end user is safer.

But delayed notification certainly makes sure they remain unsecured and at risk.

I ask once again, who are you to decide upon the security of the end user's system? It is up to them to decide whether or not to continue to use the mod or to disable it or to uninstall it.

I don't care who you have worked for or what you have written. I've been in this field just as long and sorry, I've never worked for any company willing putting themselves at further legal risk by not informing a customer of a security flaw immediately. Why? Because the notification can help limit potential damages that might arise should a breech occur due to the flaw.

As for the slander comments, thanks for the laugh! Oh and it would be libel, not slander...

[Kirk Y]

Quote:

Originally Posted by hambil

Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or wrote security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

WE are not Jelsoft and the decision has already been made that Users will be notified immediately upon the discovery of a vulnerability, so debating this point is fruitless.

[bobster65]

Quote:

Originally Posted by hambil

I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

I assume you have the best interests of the user at heart, even though I don't agree with your solution. Now that, is agreeing to disagree.

You are correct that I accused some coders of having an unprofessional and selfish agenda. This very thread shows the entire community that its an issue.. Maybe it will hit home and they will take some time to rethink about the way they code and care about their code. If they don't, they have no business releasing code to end uers.

I take it since you are so personally consumed with how I feel about this, you are feeling guilty otherwise you wouldn't be responding as such as It wouldn't pertain to you.

I gave 7 recommendations (as requested by the vBorg Staff) that covered End users, Programmers and Vborg Staff and one of them is something that you don't like. Oh well. I highly doubt that vBorg is going to delay notification to end users because they understand the importance of security vulnerabilities and won't put themselves in a compromising position just to benefit the personal agenda of a few unprofessional hackers.

Quote:

Originally Posted by hambil

Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or wrote security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

You are correct Hambil.. Immediate notification does not automatically mean the end user is safer... what immediate action does is give the end user the option to take a course of action that they would not have by delaying the notification. The end user has just as much of a right to know of a vulnerability as the author of the code and its up to the user to decide what is the best course of action to take. You still have not given one good solid professional reason to delay notification.

[hambil]

Quote:

Originally Posted by bobster65

You still have not given one good solid professional reason to delay notification.

ARGGGGH! I've given several, and more than once. You may not agree with them but to call them unprofessional is, well, unprofessional. I will repeat myself, yet again.

1) Notification of a security flaw before a fix is available can actually help inform those who wish to do harm. This is why vBulletin.org has already changed the wording of the notification sent to be generic, instead of specifically stating the security flaw (as they did when I first got involved in this conversation). Why would they make such a change unless there was a danger inherent in the proliferation of knowledge about security flaws? They wouldn't, period.

So, you may disagree with me on the details of this, but to call the idea that spreading information of security vulnerabilities carelessly is not dangerous unprofessional, is well... as I said - unprofessional.

link

Quote:

Some said that publicly announcing security holes before a company has a chance to fix the problem gives malicious hackers a head start on exploiting the holes.
Richard Schaeffer, deputy director of the National Security Agency, and Presidential Cybersecurity czar Richard Clarke spoke at Black Hat and Defcon. Both men agreed that the current level of software security is "terrible," as Clarke put it.
But both Schaeffer and Clarke also strongly requested that security experts act with discretion when they discover holes in software, delaying public disclosure until companies have time to release patches.
Others firmly believe that swift, open disclosure of discovered flaws serves users better than trusting the software companies to quickly deal with and publicly admit responsibility for security issues discovered in their products.

This is a seriously debatable topic, being dealt with by the top people in our field, and hardly a black and white issue. You do great injustice and potential harm to the very users you seem to think you are protecting by not giving the discussion the weight it is due.

I could list several more reasons, and have already, but that one alone should be enough to show the subject is debatable - at least to anyone who is still being rational.


@quiklink: slander, liable, either way it is wrong, and people on this board have been reprimanded for it before. I have not notified any staff or asked for their involvement, yet, because I am hoping you are mature enough to see the light on your own.

Quote:

Originally Posted by Kirk Y

WE are not Jelsoft and the decision has already been made that Users will be notified immediately upon the discovery of a vulnerability, so debating this point is fruitless.

It's nice that a decision has been made, but productive debate should never be considered pointless. And, as seen many times already, nothing is written in stone. Ending a debate and declaring it over before it's run it's course doesn't really work in the long run, because decisions then get reversed, or worse - the staff is forced to irrationally hold to a position because they stated strongly "we won't change".