Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com)
itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.
Re:SMB File Shares? (Score:4, Insightful)
SMB==CIFS
It's the only decent option for Windows/Linux file sharing. My home server runs Samba as well as Netatalk, because NFS doesn't work as well as it should with OS X either.
Re: (Score:3)
Out of curiosity, what troubles have you had with an OSX NFS client to a Linux server? I use the automountd approach (access /net/SERVERNAME/SHARENAME), and it's pretty good. It does get stupid if the NFS server goes away for any reason. Usually have to restart the Mac before things are normal again if the server reboots or any of the NFS/sunrpc daemons crash. And of course I still need Netatalk for TimeMachine.
Other than that, I find NFS is faster than Netatalk by a goodly bit. I have been mean
Re: (Score:2)
I prefer to have it show up as a Volume in Finder. Don't ask me why, because you won't get a good answer. I have NFS shares set up on that server too, which is how MythTV accesses my movie library.
Re: (Score:2)
I wish I could remember. I do use some OSX-specific things that require that resource fork. Color labels for files is one. But also, I don't think some files got proper icons when on an NFS share. And some Mac software needs the resource fork for important file data (FCP is a likely one), but I don't know for sure that I store any files there that need it.
I also like being able to reconnect within the GUI when the server is rebooted.
Re: (Score:2)
The resource forks are transparent to UNIX users, but Windows users complain about the garbage dotfiles. Dropping connections though, predominantly on sleep but also other random cases, is the killer. Logging out to reconnect makes me love my Mac...
Fortunately, only have to log out and/or reboot about 10% of the time.
Glad I have shell access and can SFTP when using the VPN though.
Re: (Score:2)
I have Samba set to portray dot files as hidden, so I don't have any trouble there.
My server rarely reboots, but the server "goes away" when I have to reboot my cable modem (and then reboot my router or it won't work because it's a cheap modem).
Re: (Score:2)
How do you make the dotfiles hidden on Samba, but still accessible for the resource fork? I love the reliability of our Samba server at work; 400 days of uptime (between power outages) is normal. Really looking forward to rebooting a Windows server every month...
Re: (Score:2)
How do you make the dotfiles hidden on Samba, but still accessible for the resource fork?
One, hidden files are not inaccessible.
Two, I don't use Samba with OS X - I access the same folder over AFP with Netatalk.
Re: (Score:2)
Thanks; I was thinking you used veto_files. Wasn't aware of hide_files until you sparked my curiosity.
Does Netatalk have issues with file locking when "sharing" with Samba?
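An smb.conf fragment showing the difference the thread is getting at between hiding and vetoing dot files (an added example, not posted by anyone in this thread; the share name and path are constructed):

```ini
[macshare]
   path = /srv/macshare
   ; Constructed example. "hide dot files" (default yes) marks names starting
   ; with "." as hidden for SMB clients, but they stay readable and writable,
   ; so AppleDouble ._* files and .DS_Store created over AFP/Netatalk survive.
   hide dot files = yes
   ; "hide files" does the same for explicit patterns ("/"-separated list).
   hide files = /.DS_Store/._*/
   ; "veto files" would make matching names invisible AND inaccessible
   ; (no listing, no open, no create), which breaks the resource-fork side
   ; files Mac clients rely on. Kept commented out here for contrast.
   ; veto files = /.DS_Store/._*/
```

Run `testparm` after editing to confirm the section parses and the hide/veto patterns are read as intended.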
Re: (Score:2)
Haven't any idea. I just simply don't have a use case where the same file will be open for editing on two systems at once. But I would assume both Samba and Netatalk pass file locks down to the underlying system, considering local access should be restricted the same way.
Re: (Score:2)
If you are hiding the dot files, what happens when a PC user moves a Mac generated file? Won't it lose the resource fork?
I'm not running any Linux file servers, but when a Mac accesses a Windows server over SMB, or even AFP, it will encode the resource fork into the file as an alternate datastream. It makes my Mac users' lives a whole lot easier when their Adobe CS files are not broken.
Re: (Score:2)
It's my home server. So any "user" is going to be me (I'm the one using Mac files). Most file types don't use resource forks anymore (Adobe Suite being the one main exception), but I think the only thing in the resource fork on AI or PSD files is just a preview thumbnail - which I don't want to lose. I can still open the file from Windows and it works just fine. Very few file types still have a separate mac-only variation, so all the important data is in the data fork anyway.
Re: (Score:2)
Besides, I thought they were shying back toward SMB terminology, since 'CIFS' didn't really catch on. I prefer SMB because CIFS doesn't really describe it as well (it's not really the best strategy for 'internet', it's 'common' by virtue of everyone else having to cave because MS wouldn't do it like anyone else, etc).
But yes, the description of the *potential* security is out of date (Though NTLM still in practice plays a huge role for most folks).
Re: (Score:2)
Samba sucks with OSX. Stupid UNIX rights-carryover issues, dotfiles, broken connections, sleep issue... it is horrible.
--"Proud" Samba, Linux, and OSX user for well over a decade, stuck switching to Windows servers.
Re: (Score:2)
This is why I use Netatalk too. AFP is fairly smooth compared to SMB.
Let's make some educated guesses. (Score:5, Insightful)
Let's make some educated guesses about this problem.
1. It is a protocol-related bug, since it affects two different implementations.
2. It involves file locking, hence the name.
3. There might very well be some ruthless self-promotion going on here.
Re:Let's make some educated guesses. (Score:5, Informative)
Tridge has very publicly stated that the hard part in making Samba work was not in following Microsoft's specifications but identifying and replicating the bugs in Microsoft's implementations.
Re: (Score:3, Insightful)
> 1. It is a protocol-related bug, since it affects two different implementations.
Ha. As if there was any separation of protocol and implementation at Microsoft.
Re: (Score:3, Interesting)
For years I had a company whose clients were public health agencies. One time one of my customers said this to me, "You guys can do all kinds of great stuff, but the problem with you is that you want money for everything."
I was nonplussed. I just couldn't get my brain around the fact that he saw the fact that we charged for our services as somehow venal; after all this wasn't a field I went into to get rich, because that sure would have been a bust. The reason we could do things that people had only dreame
Re: (Score:1)
And according to "conservatives", businesses should be free from taxes.
Because. . . trickle down.
Re: (Score:3)
Trickle down economics:
Small government, because otherwise a lot of money is wasted on people who are not me.
Big corporate, because otherwise a lot of money is wasted on people who are not me.
Re: (Score:1)
Good that you put that in quotes. The heavily-propagandized, totally delusional, right-wing extremists are anything but "conservative." They'd tear down civilization if they could, because being expected to treat people decently is too much for them. They say it conflicts with their superstitions, so in addition to being dangerous extremists, they're also idiots.
Re: (Score:1)
Better than the Trickle up Poverty we're seeing now, don't you think?
You cannot make more people successful by attacking success.
You cannot make more people richer, by taking from the rich.
But socialists somehow think this works.
Re: (Score:2)
By definition, taking from the rich and giving to the poor makes more people richer.
100 50 20 20 20 10 10
50 50 30 30 30 20 20
One less rich; five more rich. So 4 net more rich.
Re: (Score:2)
You're under a delusion. I would postulate that taking from the rich, skimming off the top to government's cut, and giving what's left over to the poor doesn't make anyone richer, including the poor. At best, it is a Zero sum. For the Poor do not create wealth with their cut, the government destroys wealth with their schemes and the rich just get better at hiding their wealth from people who like to take things simply because "We voted on it, that makes it legal".
In the end, while your simplistic rational s
Re: (Score:2)
It's not a delusion; it's 3rd-grade math.
I would postulate that taking from the rich, skimming off the top to government's cut, and giving what's left over to the poor doesn't make anyone richer, including the poor. At best, it is a Zero sum. For the Poor do not create wealth with their cut,
I guess I just don't understand how in your world it's not true that 30 > 20.
If you mean to say we shouldn't take from the rich and give to the poor (because the rich will utilize the money more efficiently? is that what you're saying?), that's a different argument. But you shouldn't make trivially falsifiable absolute statements :)
Re:Let's make some educated guesses. (Score:4, Insightful)
You cannot make more people successful if you attack the people who make them successful.
You cannot make more people richer by only giving them crumbs.
I'm not a socialist. I'm one of the dying breed of real conservatives. However, when I hear multi-billion dollar companies whine they can't pay their people more yet have no problem giving out multi-million dollar bonuses to people already making a million or more a year AND have billions socked away overseas AND go to the taxpayer for either bailouts or tax breaks or have them build something, it's disingenuous at best and arrogant at worst for them to claim how horrible things are.
We always hear why certain people are paid huge salaries, because the companies want the best, yet by their actions these same companies are showing they don't want the best people working for them in other capacities because they're not willing to pay them.
If trickle down had ever worked the salaries of people wouldn't still be the same, adjusted for inflation, as they were 20+ years ago [pewresearch.org].
Re: (Score:2)
Because Reagan pushed his voodoo economics, and Reagan is a deity, this makes trickle down economics a matter of doctrine.
Re: (Score:2)
Yeah, Reagan sucked, that's why we followed up the crappy years of Carter with unprecedented growth, which suddenly failed right after Clinton. And after eight years of Obama, things suck about as bad as ever.
Re: (Score:2)
Of course it is all due to those individuals and nothing to do with corporations, oil producers, foreign economies, high tech booms, etc.
Re: (Score:2)
No different at private, for-profit businesses. The same skinflints are in charge, with a mindset that IT products are just like normal durable goods that don't wear out until their moving parts actually break and have no software obsolescence that renders them unusable in spite of their age.
I've found that they will almost paradoxically spend high amounts on labor to maintain old hardware and software environments versus replacing them with cheaper to operate products, but they will still complain.
"The fo
Re: (Score:3)
any time money wasn't coming in we'd be bleeding it at eye-popping rates
This is very, very astute and true. It's one of the things to note if you're going to hang out your shingle and expect to employ people. They expect to be paid - even if there's no money coming in and making payroll is important. Which, if you're curious, is how I ended up having to learn to do all the various tasks that needed doing. There was a point in time where I even helped to keep the place clean - emptying trash, sweeping and mopping, and even coming in on weekends to clean everything from workstati
Re: (Score:2)
Marketing aside, the main goal appears to have mass-patching occur all at once. The company's name is only mentioned in the background info and in tiny print at the bottom. Something tells me that it is a deep enough bug that unpatched systems will no longer be fully compatible with patched systems.
Bad for everyone (Score:2)
Re:Good for everyone (Score:3, Insightful)
Re: (Score:2)
Vulnerabilities in *other* products are the prize. Then these companies come knocking on the doors of the other companies to offer their services for private auditing, the ability to point to security papers in the wild being very valuable as a proof point.
Profitability is relative. Just like a broken window isn't good for the economy at large, it is however good if you are specifically a glass maker. It's more cost than profit overall, but if you are a company offering auditing services, you don't incur
Re: (Score:2)
I somewhat agree with you but when you try to do it right and your competition just slaps it together a good vulnerability shows your clients that it was all worth the extra time and money. Which leads to profit.
Re: (Score:3)
There are a lot of embedded implementations of Samba, meaning a lot of firmware patches going out right after this. That includes hundreds of models of routers and NAS units.
Re: (Score:1)
Probably much more. In Microsoft land, bug == undocumented feature. It could be quite possible that many "enterprise" software "solutions" depend on the bug for functioning at all. Fixing the bug will pull the rug under them and make them stop working.
Re: (Score:2)
This is a long standing issue with MS in particular but is not exclusive to them in any way.
Developers find undocumented features or have some inside track to learn about them but, since they are undocumented, they are subject to change without notice.
So, if you are relying on undocumented features for your software to work... you are living precariously.
Re: Quoted line about lead time is stupid (Score:2)
Re:Quoted line about lead time is stupid (Score:5, Insightful)
I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista)
XP won't get a patch because it's not supported (unless this affects interoperability between patched and unpatched - then they might be motivated).
But this is a security update. Vista is supported until next April. They're going to have a very hard time convincing the public that they shouldn't patch that. And Windows 7 is far more under the umbrella than Vista.
Heartbleed got a patch for XP despite it being out of support entirely.
Re: (Score:2)
MS has already backtracked once and released an out-of-cycle patch for IE on XP.
If this is severe enough, they may do it again.
Re: (Score:1)
Wtf? You should give 20 days' lead time *privately* to the responsible parties to fix it (Microsoft in this case).
You should *not* *publicly* announce it until the day before or the day the patch goes live, because that gives time for other people (including people not even in the business who wouldn't care otherwise) to re-discover the vulnerability on their own (any detail about the product, versions affected, etc. is a hint; and some of those people *may* actually have a way to buy/fetch more info about the bug
Re: (Score:1)
Actually this whole thing is really dumb. They didn't give any information other than a name and a website and that they told Microsoft.
Watch, I can do it too!
I have just discovered a bug "LinkLock" in the SMB protocol! I've informed microsoft and they will patch it on April 16th.
See? Now can I have my 500,000 hits please?
Is 20 days wrong? (Score:2)
If not this, what is the best way to do responsible disclosure?
a 20-day lead time gives criminals plenty of time to tear Samba apart
Indeed, but it's a trade-off between the bad guys getting time to rediscover the bug, and the good guys needing time to schedule repairs.
Re: (Score:2)
Well, you first give both Microsoft and Samba a heads up about the vulnerability privately so they can try to fix the bug on their own, not announce to the world that there's a super major bug that won't be fixed or announced for 20 more days.
And 20
Could be important, might not be... (Score:3)
We shall see when the details are released, but in the wake of Heartbleed, I've grown desensitized to marketing treatment for vulnerabilities. Security people jump up and down and are frequently justified, but sometimes are just stating the obvious and/or something of low practical risk. The problem being in general security folks tend not to weight their 'discoveries', so it's hard to know if this time the sky really is falling (sometimes it really is) or they just didn't like some subtle design decision that actually isn't really invalid, just not how they would have done something.
Re: (Score:2)
I meant to be saying that after Heartbleed *everything* got hype. Heartbleed deserved it, but after people saw marketing for one security issue, suddenly it became a thing that all security issues get some ridiculous marketing-style bump.
If they really wanted to be useful (Score:3)
If someone can see your shares outside your lan (Score:2)
Re: (Score:2)
Why would we? There are plenty of usable protocols for service discovery, file sharing, instant messaging, etc., but because of NATs and firewalls, everybody is doomed to use HTTP[s] to some public cloud service instead. The fact that I cannot easily copy photos between my laptop and a cell phone of my friend lying on the same desk and connected to the same WLAN without going through the remote cloud service is pretty disappointing.
Re: (Score:2)
I was not talking about not being able to reach the other device on the third layer (IP). My point was that even though we have perfectly good _application_-layer protocols for file sharing (CIFS, which GP thinks should be blocked), we are still doomed to share data between our devices using a third-party public cloud over HTTP[s].