When to tell?

CNET has another good article up about the fault lines that seem to be growing between independent security researchers and vendors. Specifically under the microscope is the guy who released a whole slew of vulnerabilities to the public, ones he had known about for seven months, without first going to Apple to allow them to have updates ready.

His words were interesting:

"I don't believe that anyone has an obligation to do quality control for another company," Aitel said. "If you find out some information, we believe you should be able to use that information as you wish."

Interestingly enough, this is the same guy who is part of the movement to start an association for security researchers and tinkerers, in order to present their side of things to lawmakers. The idea is that if they had their own association, they might be able to lobby and educate lawmakers so that cases like this don't happen:

Filed on Tuesday in San Francisco's Ninth District Court of Appeals, the unusual request conceded that federal prosecutors in Los Angeles erred in bringing a criminal case against, and obtaining the conviction of, 30-year-old Bret McDanel. The one-time system administrator has already served his 16-month sentence and is currently on supervised release, during which time his access to computers is curtailed.

The conviction stems from an incident in September 2000, when McDanel notified the customers of his former employer--Tornado Development, which has since closed its doors--that the company's Web-based e-mail system had a flaw that could allow an attacker to gain access to a user's e-mail.

This is becoming a growing problem. The long and short of it is that companies like Apple and Microsoft have tried to gear the system so that the socially accepted norm in security circles, if you find a vulnerability, is to report it, give the company time to fix it, and then go public only if they haven't released a patch within a certain amount of time.

That 'window' is generally considered to be 30 to 90 days, depending on who you ask. Unfortunately, 30 to 90 days can be a very short time to the vendor, and an achingly long time for those affected.

When a security flaw comes into a company, a few things have to happen. It has to be reproduced, then the problem has to be tracked down, and then a fix has to be devised. That fix has to be tested, which sometimes takes a short time and sometimes takes much longer. In the worst-case scenario, it's a bug or flaw that other software actually depends on working that way.

And then there are 'patch windows', which are a whole other ball of wax, but the basic idea is that companies, if possible, like to put one patch out the door (and through testing and QA, if it exists) rather than five. So depending on where the fix for the problem lands between patch windows, it could get out surprisingly fast or seem to take a long time.

Still, many would argue that many of the larger viruses and exploits that have come out became major problems only once the vulnerability had been announced, and that if you don't give the company time to fix the problem, you're essentially dooming the public to a zero-day exploit with no fix available from the vendor.

There's some truth to this, but it often misses a big point: many of the worms and viruses are written by the equivalent of script kiddies. In many cases, those who are up to serious no good either aren't sharing the exploits they find, or are guarding them closely within their select groups.

And, unfortunately, sometimes a company just doesn't take something all that seriously, for whatever reason, and the researcher ends up waiting 7 months with hardly a word from the company and finally comes forward out of exasperation. Some of this thought is pulled from the article:

"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

It's a very, very valid question.

Posted by drunkenbatman, January 29, 2005, at 09:23 PM
