A case of fictional disclosure

Submitted by Mike Rothman on Tue, 2006-10-03 17:48.

So it's all a joke. HA HA, friggin' HA. What am I talking about? The Toorcon presentation by two "kids" that purported to have found a 0-day exploit that allowed remote code execution in Firefox. The PC World coverage is here.

This is bad. They both should be drawn and quartered. In a public square preferably. The guy that works for Six Apart should be fired. This is a nightmare for his employer. The spin-meisters will be cleaning up this turd for weeks, as opposed to doing their job.

But Six Apart seems to be coming to the guy's defense, based on this quote:

"To hear Six Apart spokesperson Jane Anderson tell it, the Toorcon presentation was a joke invented by two kids barely out of their teens who didn't understand the ramifications of their actions."

Bad move. I'm not trying to be harsh or insensitive. But these fellows need to be made examples of. If Six Apart tolerates this behavior, why wouldn't other vendors? No thank you. Take decisive action. Nip this in the bud. Send them out of the airlock.

We are having enough trouble with responsible disclosure given the behavior of vendors like Apple. So now I'm coining a new term to describe this "fictional disclosure."

I'm a big fan of "so what?" So here's what: Every hacker presentation at good conferences like Black Hat and Defcon will now be suspect. Part of responsible disclosure is that the real exploits are NOT used and published at these conferences. But who is going to know if the attacks are real?

So now we face a two-step process. Cool stuff will be presented at Black Hat, and a couple of weeks later we'll figure out whether it's real or not. It's sad and innocent people are going to get hurt because vendors that are just looking for excuses to ignore holes in their software you can drive a truck through will now have another reason to do nothing.

And that these guys are young is no excuse. Kids go to jail for doing stupid things. I'm pretty sure these guys are over 18. That makes them responsible for their actions. And take responsibility they should. Be contrite. Show remorse. And get ready for your new careers as freelancers.


Submitted by ivan (not verified) on Wed, 2006-10-04 00:39.

Mike, isn't that an over-the-top reaction? I mean, yeah, those two guys did a "fictional disclosure," but shouldn't we all be more angry at those that covered and amplified the "news" without following some *VERY BASIC* journalistic best practices? Check the facts, check the sources, look for confirmation from independent sources, yadda yadda... Also, somebody accepted that talk for Toorcon, so that should say something about the selection criteria for security research presentations (I am not pointing fingers at Toorcon in particular; many other conferences got burned in similar ways in the past). Every hacker presentation from now on will be suspect *IF AND ONLY IF* said presentation is not detailed and robust enough to withstand the public scrutiny of its audience, among whom there should be -and usually are- at least a few subject matter experts. As for making an example of those two guys... what is that going to achieve? In the early 90s some judicial rulings sought to 'make an example' of a few individuals, almost teenagers, that got caught in hacking activities with rather harsh sentences, but that did not stop skript kiddies, did it? In any case, firing them provides an easy way out; having them help to clean up their mess is a lot more useful and educational.

Submitted by Michael R. Farnum (not verified) on Thu, 2006-10-05 09:21.

I have to agree with Ivan's point that some constructive punishment would be a better solution than just letting these guys go. If these guys are that young, they obviously have brains bigger than their maturity level. They need to be taught that this is serious business without killing their creativity and without sending them out in the wild to possibly bear a grudge (which can lead to bad things when you are a smart young punk). I know that's a tall order, but a good manager can handle this.

Also, they will likely be known for years to come (maybe through their whole careers) as those two punks who lied at Toorcon. That is going to be pretty bad, as well.

Michael
