On Mon, Oct 06, 2014 at 06:35:35PM -0700, Greg wrote:

> Thanks for letting me know. Looks like only some of the sparsebundles
> are getting properly timestamped for some reason. We'll fix this for
> the next release.
>
> You of all people, however, should know better [1] than to ignore my
> request that you disclose any security-related matters in a
> responsible way (by emailing us directly).
Nope nope nope. You don't get to try to shame free research and sweep this issue under the rug by insisting on private email. You've been repeatedly promoting and defending your closed-source app on a public forum, and insisting on NDA for actual in-depth research. A researcher graciously donates to you his time in downloading your app and actually thinking about it for 15 minutes, and then takes 5 minutes to actually tell you about a bug he found. He is *entirely* within his rights to choose the forum for disclosure. Since you're promoting yourselves in the public forum, criticism in the public forum is appropriate too.

In this case, your attitude is inappropriate and dangerous to the community you are trying to serve. The bug was evidently easily discoverable if Steve found it within minutes. You are giving evidence of being incompetent at the task you're advertising yourselves as solving, and if you are incompetent then you are actively endangering the people you purport to protect.

(The incompetence consists in either not knowing about the information disclosure channel, or, per your claim that this recently broke, in not having a test in your system to notice that you experienced a regression in a critical feature of your information hiding system. The system design that is implied by the bug description you used seems fairly horrifyingly insecure to me, but perhaps you've got a clear and secure design that you simply haven't shared.)

Given that you're trying to make a profit from your product, you're going to have to step up and pay for the necessary security audits to gain confidence that your product is secure -- nobody else has an obligation to do free review work so that you can make a larger profit.

When systems are open sourced, well engineered, and potentially of broad interest or applicability, it can make sense for skilled engineers to put volunteer effort into reviewing their security. When systems are proprietary, make grandiose claims of dubious validity, and do not carry any of the hallmarks of being well engineered, it is unlikely that they are worth spending much time on. It might make sense to take a paid gig reviewing such a system, but I'd probably turn down that gig if it seemed like the creators were unlikely to use my feedback to build a system that was actually useful.

-andy
