So for the past month the IT world has been abuzz about how David Maynor and Johnny Cache demonstrated undisclosed attacks to root wireless laptops where they may or may not have used Apple’s built-in wireless card or third-party wireless drivers for a possible third-party wireless card.
And look at where Maynor and Cache are now: in the middle of this summer’s biggest IT feud, which is spreading a feeling amongst the “blogosphere” that is worse than a smarmy, humid, hot, and never-ending day in the mosquito-infested bayou. Ugh.
All of this uncertainty has resulted in mudslinging, amateur journalists (bloggers) having panic attacks, Mac fans up in knee-jerk reactionary arms, large corporations side-stepping issues, and quite a lot of upset and pissed off people all yelling at each other and only half-reading everyone else’s posts before adding to the panic. And the only way to clear all of this up is for Maynor/Cache to admit they faked the whole thing (I don’t think so), for Apple to admit they have been skirting the issue and finally take responsibility for it (I don’t think so), or for the details to finally be released (after a fix, of course).
Until such time, we’re all still left with uncertainty. But what I am certain about is our approach to “responsible disclosure” is going to be coming to a head, and I don’t think corporations will be happy with the imminent conclusion.
Security practitioners are paranoid people. They tend to not trust much, let alone large corporations. Hackers and the underground are far less inclined to trust corporations. This distrust promotes the use of full disclosure, whether or not you notify the corporations beforehand, although I suspect a majority of people will notify the target companies prior to full detail release.
Wireless issues aside, there was no real way for these two to publish their findings without incurring wrath from someone. I think they took the lesser of three evils, while they at least got their names out there and known in the industry.
Last year was Michael Lynn vs Cisco where Lynn finally came clean (or attempted to) with a big Cisco vulnerability which Cisco did not fix in a “proper” amount of time. This year we have Maynor and Cache with wireless driver attacks.
In the end, every security researcher is going to think three times about releasing code. I think this will lead to one extreme or another. Either vulnerabilities will be released to the highest bidder or to the parent corporation and not released until a fix is released. Or exploits will be publicly released right away, giving the information to everyone at the same time. Considering security/hacking circles that are paranoid, a little untrusting of corporations, and very passionate about security/insecurity, I see the latter being the more likely.