By Chris Soghoian
October 27, 2008
Question: You're a multibillion dollar tech giant, and you've launched a
new phone platform after much media fanfare. Then a security researcher
finds a flaw in your product within days of its release. Worse, the
vulnerability is due to the fact that you shipped old (and known to be
flawed) software on the phones. What should you do? Issue an emergency
update, warn users, or perhaps even issue a recall? If you're Google,
the answer is simple. Attack the researcher.
With the news of a flaw in Google's Android phone platform making The
New York Times on Friday, the search giant quickly ramped up the spin
machine. After first downplaying how much damage the flaw actually
exposed users to, anonymous Google executives then attempted to discredit
the security researcher, Charlie Miller, a former NSA employee
turned security consultant. Miller, the unnamed Googlers argued, acted
irresponsibly by going to The New York Times to announce his
vulnerability instead of giving the Big G a few weeks or months to fix
Google executives said they believed that Mr. Miller had violated an
unwritten code between companies and researchers that is intended to
give companies time to fix problems before they are publicized.
What the Googlers are talking about is the idea of "responsible
disclosure," one method of disclosing security vulnerabilities in
software products. While it is an approach that is frequently followed
by researchers, it is not the only method available, and in spite of the
wishes of the companies whose products are frequently analyzed, it is by
no means the "norm" for the industry.