"Responsible disclosure" starts with "bug bounties". If you aren't paying people to discover vulns in your code, then any way the discoverer wants to disclose the vuln is "responsible".
In other words, "responsible disclosure" is an idea pushed by vendors as a way to cover up bugs, by insisting it's the discoverer who is responsible for vulns, not the vendor.
Yes, yes, if we remove every consideration other than how a discoverer discloses a vuln, we could say they should wait until it's patched.

But that means ignoring concerns larger than disclosure itself.
Netgate's irresponsible Wireguard code in FreeBSD is just one example of this. However the discoverer chose to disclose the problems is meaningless compared to Netgate's grossly irresponsible behavior.
It's the vendor's responsibility, not the discoverer's.
It's the vendor's responsibility, not the discoverer's.
It's the vendor's responsibility, not the discoverer's.
It's the vendor's responsibility, not the discoverer's.
It's the vendor's responsibility, not the discoverer's.
