tag:blogger.com,1999:blog-37798047.post7600665751357157079..comments2024-01-16T05:48:33.523-05:00Comments on Errata Security: Disclosure ethics apply to BOTH partiesDavid Maynorhttp://www.blogger.com/profile/09921229607193067441noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-37798047.post-74376527886795810072007-01-08T08:16:00.000-05:002007-01-08T08:16:00.000-05:00It is a fair question. It’s not that ethics aren’t...It is a fair question. It’s not that ethics aren’t relevant/useful/functional/important; it’s that without both parties being ethical one party runs the risk of being dragged through the mud. Rob is not suggesting that just because someone treats you badly it’s suddenly OK to treat them badly. What he is saying is that so much of the disclosure argument rests on what the researcher should do with little or no discussion of what companies should do.<br /><br />Think of disclosure ethics like traffic laws: they work because everyone is supposed to obey them. But in situations where people decide they are above the law and start doing things like running red lights or speeding or driving while intoxicated they put not only themselves at risk but everyone else on the road. This doesn’t mean you should stop following traffic laws, it just means you should drive defensively.<br /><br />It is the same with vendor notifications. After a vendor does to a researcher what was done to Jon and me you should never put yourself in that position again. This doesn’t mean that suddenly disclosure ethics need not apply; it just means we will not risk the exposure of having any kind of communications with Apple. We can have third party people do the coordination and what not, but we will not report anything directly to Apple again.David Maynorhttps://www.blogger.com/profile/09921229607193067441noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-73811331494933738762007-01-07T23:40:00.000-05:002007-01-07T23:40:00.000-05:00This is not a troll; I'm truly interested in this ...This is not a troll; I'm truly interested in this ethics question.<br /><br />Your post implies that ethics are only relevant/useful/functional/important when others are also ethical.<br /><br />Is that really where you want to stake your claim, given that your business is cybersecurity? <br /><br />If I do something you don't like and am your client, your post would make me nervous. And not 'nervous' because I was necessarily being unethical, but rather because *your* ethics and actions would seem dependent on *your* interpretation of *my* choices. You give yourself the role of arbiter of my ethics, and the right to absolve yourself of ethical responsiblity at your discretion. This raises all kinds of red flags. <br /><br />It seems to me to make more sense to stand by a set of clear ethics, rather than make them contigent upon the actions others. If you're going to have tit-for-tat, game-theory-inspired deviations, you need to put them out there in advance. Otherwise, your ethics seem like mere conveniences, devoid of any real intent or meaning.<br /><br />Blanket statements like "Attempts at ethics usually go badly" are little jarring, too.<br /><br />That's just my opinion, however.curious_surferhttps://www.blogger.com/profile/05812266910797224844noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-41782009619803473752007-01-07T14:52:00.000-05:002007-01-07T14:52:00.000-05:00That seems fair, I'll do that this week.That seems fair, I'll do that this week.David Maynorhttps://www.blogger.com/profile/09921229607193067441noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-85553723741714008962007-01-07T00:46:00.000-05:002007-01-07T00:46:00.000-05:00Why doesn't Maynor just come out with what happene...Why doesn't Maynor just come out with what happened with Apple and the wireless driver thing (or did I miss it -- sorry if I did)? <br /><br />Apple came out with their story and the patches have been released. I understand NDAs, but certainly releasing what happened when and how it was disclosed can be discussed. I mean, Apple did (via George Ou and the patch notes) and pretty much called Maynor and Cache er, not so smart. Were their (Apple's) released statements lies? Or were they wordsmithing? Or was is accurate on how the disclosure happened (i.e. no info about Apple products were given to them)?Juan Miguel Paredeshttps://www.blogger.com/profile/14027659645575367269noreply@blogger.com