Comment by DanAtC
4 years ago
A 9 month embargo is disgusting. Linux users have been sitting ducks while others may or may not have received silent updates.
Often many companies and organizations from many countries are getting informed about such security problems under the embargo. I assume that the intelligence agencies from many countries are also getting this information. Either they are officially informed, because they also protect the government networks, or they just have good working relationships with their local companies.
I assume Microsoft would inform the NSA about such things, Huawei would inform the Chinese intelligence agencies and Siemens would inform the German BND.
And those nations got a chance to freely exploit it* for way longer than a typical reasonable disclosure of 90 days.
*Assuming they didn't already know about it which is why fast disclosure is so important.
I can't read from your comment if you think this is A Good Thing. In my opinion it is a Very Bad Thing. None of those entities are more important than everyone else. If anyone should be alerted it should only be those that fix the vulnerability in WiFi devices. Anyone else and not only does the risk of leaks rise exponentially, but some of them will rub their fingers with glee and exploit it ASAP.
I think such long embargoes are bad.
Embargoes prevent the average cyber criminal from knowing about the problems, but the resourceful organizations already get the information before the public knows about it. I think even 90 days is pretty long.
For example, 253 vendors were informed about the problem in dnsmasq about 3 months before it was published: https://www.kb.cert.org/vuls/id/434904 (all vendors listed there were informed). In each organization probably multiple people know about this.
I appreciate the distaste for a security vulnerability being sat on for so long. However, the appropriateness of a long embargo would seem like a bigger topic.
That said, about being sitting ducks... dunno how much the situation really changes like that. For example, was this really unknown before this particular discovery? And what other vulnerabilities aren't currently being reported, whether under embargo or not?
Seems like users ought to have reasonable expectations about how secure popularly practiced technology is. If someone believed that a vulnerability like this wasn't a possibility, then they may need to update their expectations.
The embargo for binary patches was May 3rd. Of course, if random me knew about these issues, every interested party also did. Think about vendors like Qualcomm, Intel or Mediatek: they were all informed, and all of them then had to inform their chip buyers, because they don't make any of the actual customer products.