[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] The small people - THE OFFICIAL BLOG OF THE SBS DIVA
Sat, Jun 19 2010 23:48 bradley

The small people

Recently a security researcher took it upon himself to make a risk decision for us all on the Internet.  He decided that it was better to put people at risk and make them deploy a Fix it workaround than to work with the vendor on a long-term fix.

In a month like this June, with lots of updates and patches, and especially .NET ones, the fact that one person took it upon himself to make a risk determination for the whole Windows computing world annoys me.  Fix its and workarounds that mitigate security issues are nice, but only if someone actually installs the mitigation.

If you only think in terms of risk to enterprises, you forget consumers.  If you only think of the impact to consumers, enterprises may need something different.

I challenge every security researcher to help someone get their computer fully up to date.  No really.  I mean FULLY up to date.  On both the Mac and the Windows platform you need near-enterprise patch management tools just to determine whether you really are up to date.  And while getting up to date, try keeping toolbars and marketing relationships off your system.

Just the other day I was updating Adobe Flash on Windows and had to make sure that I didn't get the Google toolbar along with it.  Yet on my Mac, there was no offending marketing offer in the Adobe Flash update.

Sometimes there's just as much risk in applying a patch as there is in the flaw the patch is meant to fix.

There are no absolutes in security.  There is no black and white.

And one person doesn't get the right to make the risk decision for the entire Internet without some of us "small people" questioning that decision.


# re: The small people

Sunday, June 20, 2010 9:36 AM by Tom

He didn't put anyone at risk; Microsoft did by shipping a product with a critical security flaw (which should have been caught in code review). All he did was tell people about an exploit that, for all you know, may well have been previously leaked to the underground anyway.

The fact that people are using a hotfix rather than a proper Microsoft patch is because Microsoft hasn't released one in a timely manner. Yes, the researcher could have helped them tremendously by sitting on his work whilst they get their sh*t together, but really, how long does it take to make a 2-line change to your code?

Ultimately if you work in security research, your publications are your resume, and you have to disclose at some point. If you sit on something and work with the vendor, and it gets out anyway, you still get blamed.

I would far rather know that my server has a massive flaw than carry on in the false belief that it's insecure until some 12-year-old owns it. You seem perfectly happy for Microsoft to make the kind of arbitrary security decisions that you so criticise this researcher for making.

# re: The small people

Sunday, June 20, 2010 9:46 AM by bradley

It's easy for us to say that this could have been found in code review when it took him how long and how many resources to find it.  Three business days to code up a fix, test it, and prepare it for release?  Sorry, no vendor could do that and prepare a quality release.

This isn't a server flaw, this is a "Mom and Dad" flaw.  They have no clue how to get a workaround.

There are times I'm not thrilled with the security risk decisions they make either, but given what he did without concern for consumers, sorry, we get the right to question his decisions as much as we do Microsoft's.

# re: The small people

Sunday, June 20, 2010 11:42 PM by bradley

In Tavis's own words: "The current design is actually pretty sound, I'm sure Microsoft are disappointed they missed this flaw. In their defense, I think there's a good chance I would have also missed this in code review".

Code review is not this perfection that finds everything.

# re: The small people

Thursday, July 01, 2010 12:23 AM by Dean

Did you know that the back and forth you had with that guy made it to The Register?