Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Windows

Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com) 79

itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.
This discussion has been archived. No new comments can be posted.

Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing

Comments Filter:
  • by Anonymous Coward on Thursday March 24, 2016 @07:15AM (#51767711)

    Let's make some educated guesses about this problem.

    1. It is a protocol-related bug, since it affects two different implementations.

    2. It involves file locking, hence the name.

    3. There might very well be some ruthless self-promotion going on here.

    • by phayes ( 202222 ) on Thursday March 24, 2016 @07:32AM (#51767751) Homepage

      Tridge has very publicly stated that the hard part in making Samba work was not in following Microsoft's specifications but identifying and replicating the bugs in Microsoft's implementations.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      > 1. It is a protocol-related bug, since it affects two different implementations.

      Ha. As if there was any separation of protocol and implementation at Microsoft.

    • Re: (Score:3, Interesting)

      by hey! ( 33014 )

      For years I had a company whose clients were public health agencies. One time one of my customers said this to me, "You guys can do all kinds of great stuff, but the problem with you is that you want money for everything."

      I was nonplussed. I just couldn't get my brain around the fact that he saw the fact that we charged for our services as somehow venal; after all this wasn't a field I went into to get rich, because that sure would have been a bust. The reason we could do things that people had only dreame

      • but public health (education, drinking water, you name your liberal cause) should be free!
        • And according to "conservatives", businesses should be free from taxes.

          Because. . . trickle down.

          • by mwvdlee ( 775178 )

            Trickle down economics:
            Small government, because otherwise a lot of money is wasted on people who are not me.
            Big corporate, because otherwise a lot of money is wasted on people who are not me.

          • by Anonymous Coward

            Good that you put that in quotes. The heavily-propagandized, totally delusional, right-wing extremists are anything but "conservative." They'd tear down civilization if they could, because being expected to treat people decently is too much for them. They say it conflicts with their superstitions, so in addition to being dangerous extremists, they're also idiots.

          • Better than the Trickle up Poverty we're seeing now, don't you think?

            You cannot make more people successful by attacking success.

            You cannot make more people richer, by taking from the rich.

            But socialists somehow think this works.

            • By definition, taking from the rich and giving to the poor makes more people richer.

              100 50 20 20 20 10 10
              50 50 30 30 30 20 20

              One less rich; five more rich. So 4 net more rich.

              • You're under a delusion. I would postulate that taking from the rich, skimming off the top to government's cut, and giving what's left over to the poor doesn't make anyone richer, including the poor. At best, it is a Zero sum. For the Poor do not create wealth with their cut, the government destroys wealth with their schemes and the rich just get better at hiding their wealth from people who like to take things simply because "We voted on it, that makes it legal".

                In the end, while your simplistic rational s

                • It's not a delusion; it's 3rd-grade math.

                  I would postulate that taking from the rich, skimming off the top to government's cut, and giving what's left over to the poor doesn't make anyone richer, including the poor. At best, it is a Zero sum. For the Poor do not create wealth with their cut,

                  I guess I just don't understand how in your world it's not true that 30 > 20.

                  If you mean to say we shouldn't take from the rich and give to the poor (because the rich will utilize the money more efficiently? is that what you're saying?), that's a different argument. But you shouldn't make trivially falsifiable absolute statements :)

            • by smooth wombat ( 796938 ) on Thursday March 24, 2016 @12:20PM (#51770063) Journal
              Trickle down hasn't worked in over 30 years. Just ask Kansas how well it's working for them. Yet somehow "conservatives" think this works.

              You cannot make people more people successful if you attack the people who make them successful.

              You cannot make more people richer by only giving them crumbs.

              I'm not a socialist. I'm one of the dying breed of real conservatives. However, when I hear multi-billion dollar companies whine they can't pay their people more yet have no problem giving out multi-million dollar bonuses to people already making a million or more a year AND have billions socked away overseas AND go to the taxpayer for either bailouts or tax breaks or have them build something, it's disingenuous at best and arrogant at worst for them to claim how horrible things are.

              We always hear why certain people are paid huge salaries, because the companies want the best, yet by their actions these same companies are showing they don't want the best people working for them in other capacities because they're not willing to pay them.

              If trickle down had ever worked the salaries of people wouldn't still be the same, adjusted for inflation, as they were 20+ years ago [pewresearch.org].
              • Because Reagan pushed his voodoo economic, and Reagan is a deity, this makes trickle down economics a matter of doctrine.

                • Yeah, Reagan sucked, that's why we followed up the crappy years of Carter with unprecedented growth, which suddenly failed right after Clinton. And after eight years of Obama, things suck about as bad as ever.

                  • Of course it is all due to those individuals and nothing to do with corporations, oil producers, foreign economies, high tech booms, etc.

      • by swb ( 14022 )

        No different at private, for-profit businesses. The same skinflints are in charge, with a mindset that IT products are just like normal durable goods that don't wear out until their moving parts actually break and have no software obsolescence that renders them unusable in spite of their age.

        I've found that they will almost paradoxically spend high amounts on labor to maintain old hardware and software environments versus replacing them with cheaper to operate products, but they will still complain.

        "The fo

      • by KGIII ( 973947 )

        any time money wasn't coming in we'd be bleeding it at eye-popping rates

        This is very, very astute and true. It's one of the things to note if you're going to hang out your shingle and expect to employ people. They expect to be paid - even if there's no money coming in and making payroll is important. Which, if you're curious, is how I ended up having to learn to do all the various tasks that needed doing. There was a point in time where I even helped to keep the place clean - emptying trash, sweeping and mopping, and even coming in on weekends to clean everything from workstati

  • Vulnerabilities aren't profitable. The cockroaches who make money from their fallout might see it that way because that how racketeers think, but vulns hurt business overall. And that's setting aside potentially ruined lives because of identity theft etc. The heartbleed marketing fiasco brought out of the woodwork low-lives who made fake "test your system for heartbleed" pages. This is not a good thing.
    • Vulns are most assuredly profitable or there wouldn't be anyone looking for them.
    • by MeNeXT ( 200840 )

      I somewhat agree with you but when you try to do it right and your competition just slaps it together a good vulnerability shows your clients that it was all worth the extra time and money. Which leads to profit.

  • If not this, what is the best way to do responsible disclosure?

    a 20-day lead time gives criminals plenty of time to tear Samba apart

    Indeed, but it's a trade-off between the bad guys getting time to rediscover the bug, and the good guys needing time to schedule repairs.

    • This *appears* to be all about hitting the next Microsoft Patch Tuesday. I'm somewhat peeved that all the users of Samba are being made to wait on a fix until that day. I almost want someone else to figure out the vulnerability and publish it so as to get the patches released sooner.
      • Just wait for anybody to discover a vulnerability before that date. Given that they provide no information whatsoever, I bet you that will be it!
    • by tlhIngan ( 30335 )

      If not this, what is the best way to do responsible disclosure?

      a 20-day lead time gives criminals plenty of time to tear Samba apart

      Indeed, but it's a trade-off between the bad guys getting time to rediscover the bug, and the good guys needing time to schedule repairs.

      Well, you first give both Microsoft and Samba the vulnerability a heads up privately so they can try to fix the bug on their own, not announce to the world that there's a super major bug that won't be fixed or announced for 20 more days.

      And 20

  • by Junta ( 36770 ) on Thursday March 24, 2016 @09:05AM (#51768213)

    We shall see when the details are released, but in the wake of Heartbleed, I've grown desensitized to marketing treatment for vulnerabilities. Security people jump up and down and are frequently justified, but sometimes are just stating the obvious and/or something of low practical risk. The problem being in general security folks tend not to weight their 'discoveries', so it's hard to know if this time the sky really is falling (sometimes it really is) or they just didn't like some subtle design decision that actually isn't really invalid, just not how they would have done something.

  • by jlv ( 5619 ) on Thursday March 24, 2016 @09:41AM (#51768439)
    They'd release the details on the bug 20 days *after* the patches had been released. Saying that they'll release the details on April 12 on the same day patches will be available is bogus. The fact that they made not just a catchy name but also a logo leads me to agree they are attention whores.
  • You're doing it wrong anyway.
    • by Yenya ( 12004 )

      Why would we? There are plenty of usable protocols for service discovery, file sharing, instant messaging, etc., but because of NATs and firewalls, everybody is doomed to use HTTP[s] to some public cloud service instead. The fact that I cannot easily copy photos between my laptop and a cell phone of my friend laying on the same desk and connected to the same WLAN without coming through the remote cloud service is pretty disappointing.

A complex system that works is invariably found to have evolved from a simple system that works.

Working...