Re: GnuPG efail - researcher discussion failure
I think there's a discussion relating to CII here. I agree this isn't
the right place but since there's no general CII discussion list (nor
is there really enough traffic for one) - we hijack away!
One of the discussions I've had in the past as it related to CII is
how Open Source projects should handle patches for vulnerabilities.
I've pointed to OpenSSL as a model, for example. They are very diligent
about developing fixes and not pre-releasing them; they give
notification of the day and approximate time for patches, and these
things give enterprises (I imagine, not actually being in charge of patching
enterprise deployments of OpenSSL) a lot of comfort and capacity
This type of coordinated disclosure is another situation where the
interests of affected vendors, affected consumers, and security
researchers are not necessarily at odds - but are not in alignment either.
Security Researchers want (and sometimes need to justify their
position in orgs) big press coverage. Fancy websites, demos, and
'simplified' impact statements all work to their favor. (And when I
say 'simplified' I don't mean that derogatorily: "Attack leaks
contents of PGP/S/MIME Encrypted Email" is still accurate and much
simpler than "Poor Content Handling in certain Email Clients may leak
Proposals that push on security researchers to avoid hype, to avoid
trying to make a big impact with their work, are doomed to failure. All
you're going to do is push them to coordinate with you less, to the
point where a disclosure date will come and they'll release a website
and an exclusive on CNN and you won't have known either was coming.
Instead, I think the way to do it is to push Security Researchers to
coordinate with you _more_.
They've got a big attack on Drupal? Hell, give them
bigattack.drupal.com so you can lend it legitimacy and show you're
working with them. Work to create a joint media message together and
provide quotes that can be used in stories about it. Instead of
silently identifying and fixing a variant of their attack you
discover, add it to their paper/presentation. If it's significant enough,
you can ask to co-present/co-author. Some bugs are so simple there's
not much meat to the story, but as someone who has reviewed
submissions for security conferences, it's really rare and really
great when a researcher and the researched co-present and tell both
their sides of the story. There are a _lot_ of lessons to be learned
from those types of talks.
While all of this applies to FOSS and non-FOSS, I think (or hope) that
FOSS should be more open to it. I think (or hope) that there's less
ego in FOSS when it comes to projects and it's easier for open source
projects to say "Wow that's a really awesome find" or "That's a really
impressive chain that was built to exploit this" and congratulate and
appreciate researchers instead of seeing it as an us vs them
On 14 May 2018 at 18:35, Luis R. Rodriguez <firstname.lastname@example.org> wrote:
As you may know there is tons of media coverage over efail: