Gordon Wendt wrote: > > On Fri, Dec 26, 2008 at 2:40 PM, Gordon Wendt > <[email protected] <mailto:[email protected]>> wrote: > > If it's > > something without a quick fix that can be fixed or even just > mitigated > > client side I trust Nicholaz and the other 3rd party viewer > makers more than > > LL to get a good patch out to their users. > > I'm confused at the distinction here. If I take "without a quick fix" > to mean something like "LL thinks the ETA for the fix is far enough in > the future that sending separate disclosure to third-party viewer > maintainers makes sense", this sounds a lot like an early disclosure > group to me. What's the difference? > > Celierra > > > My bad for not being more clear, by disclosing the problem I meant to > everyone not just to the "select" group of people. If LL can't get a > fix out in time and especially if it's something that can be mitigated > then everyone should know about it so that they can at least do their > best to mitigate their exposure to it and if it's a client side issue > possibly patch it themselves before LL can. What are people's thoughts on issues that cannot be mitigated by the user? While there's a lot of people couldn't manage to disable quicktime on their own (and perhaps half of SL users have never even heard of that exploit), there's still a whole class of security issues about which the user may be able to do nothing (some examples were dealt with recently).
Pending any better information, I'm guessing the Lab's best effort response to a serious viewer security exploit would be 48-72 hours. The exploit needs to be confirmed and found; options to fix it have to be discussed; any concomitant factors need to be taken into account; the fix has to be *tested* to make sure it actually fixes the exploit and any obvious variations. Then formal QA starts to make sure that the viewer still works properly in all other ways - because, heck, the fix may have had an unforseen side-effect. Somewhere around the time this last QA phase begins, I'm guessing is when it is proposed that the third-parties on the disclosure list get notified, which would have their own viewers ready around the same time that Linden Lab finishes its QA pass on the first-party viewer. During all this time, exploiters will presumably be sharing information about the exploit with other exploiters and exploring variations of the exploit to see if other flaws can be .. well, exploited by similar means. Most of the information actually in circulation among the users about (imagined) current exploits is largely incorrect - of the order of urban myths, and the penetration of knowledge of actual exploits and how to mitigate them (where that is possible) rarely spreads very far among the user-population. Paradoxically, security updates cause more anger and resentment than any other feeling. Actually, that brings me almost full circle. Let's assume that there is an exploit which can be mitigated by users, but is quite severe. (something of the order of the quicktime exploit for mitigation). Assume that this is fully disclosed when discovered. Roughly 65% of active users (which is a guess, but an educated one, so it's a pretty solid number) either won't become aware of it, or won't apply any mitigation (there are a number of factors involved there). Does that present a problem, if the majority of the users do nothing when exploit details become fully public? I think it does. _______________________________________________ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/SLDev Please read the policies before posting to keep unmoderated posting privileges
