by ehPReth 3084 days ago
I wonder what happened to "This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public." Executive meddling?

Edit: Probably the 'extreme circumstances' bit mentioned in https://news.ycombinator.com/item?id=16108434


I think for a bug this big it is pretty understandable. So far, it seems clear the actions of all involved were in a good spirit of responsible disclosure.
Except if you are into *BSD. In that case you might want to label it "selective disclosure" instead of "responsible disclosure".
Well, since some of the BSD folks publicly stated that they’d ignore any embargo, that seems like a pretty predictable consequence. And in this case I understand that it took a while to develop workable mitigations. Immediate disclosure might have caused great harm.
Tarring all of the BSDs with the same brush is wrong, both in general and here specifically. There's also the matter of both Matthew Dillon and Theo de Raadt discussing this topic months or even years before Google Project Zero made its discovery.

* https://news.ycombinator.com/item?id=16086047

* https://news.ycombinator.com/item?id=16074531

* https://news.ycombinator.com/item?id=16075744

Moreover, the OpenBSD people have made some remarks about how it was commentaries in Linux patches and discussions on LWN that actually let the cat out of the bag this time.

* http://pythonsweetness.tumblr.com/post/169166980422/the-myst... (https://news.ycombinator.com/item?id=16046636)

* https://news.ycombinator.com/item?id=16084404

> Tarring all of the BSDs with the same brush is wrong, both in general and here specifically.

Is that actually being done? The FreeBSD team got notified (late); the DragonFlyBSD, OpenBSD, and NetBSD teams did not get notified. Matt, of course, seems to have a patch already.

The bugs Theo was talking about were unrelated to these ones.
I did point to https://news.ycombinator.com/item?id=16074531. However, it is also wrong to err in the other direction as you have and to say that they were unrelated. Others have already made this point in https://news.ycombinator.com/item?id=16075744, which I also pointed to.
Theo de Raadt (OpenBSD BDFL) does not represent FreeBSD in any way. FreeBSD's policy is to work with embargoes.
Yeah, if you're not using Linux/Windows/macOS, this sucks. I wonder what happens next. Either alternative OSs for desktops/servers will become less popular, or people will move away from Intel chips. Obviously Intel's CEO bet on the latter - stocks are a representation of the future value of a company.

Last year I was already hoping that ARM Chromebooks would become more popular but in reality you cannot find them in any retail store.

Probably because Intel doesn't look too fondly on companies who make ARM motherboards.

I believe it's high time the long history of anticompetitive actions by Intel end, and their near/effective monopoly in major market segments be regulated.

Re: "responsible disclosure": https://news.ycombinator.com/item?id=9945686

Just something to keep in mind, not something we need to litigate on this thread.

Hmm, wasn't there that Microsoft Windows(?) bug that they derestricted before the patch was out? Memory escapes me at the moment. I thought it somewhat cemented/promoted their adherence to 90 days regardless of patch availability.
Perhaps you're thinking of this bug report https://bugs.chromium.org/p/project-zero/issues/detail?id=11...

Project Zero evaluated and relaxed their disclosure policy after that incident as described here https://googleprojectzero.blogspot.com/2015/02/feedback-and-...

Ah yes.

I see there are some extensions there (maximum of 14 days), but this bug would probably have been covered under "As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances."

Thanks!

One could also consider Microsoft leaking Meltdown here:

https://twitter.com/aionescu/status/930412525111296000

Last time I checked, Alexandru Ionescu was not a Microsoft employee.
https://bugs.chromium.org/p/project-zero/issues/detail?id=12...

> Project Member Comment 4 by hawkes@google.com, Aug 7

> Labels: Deadline-Grace

It looks like Ben Hawkes would know the reason why, but I think the speculation that this grace period was done due to the scope and severity of this finding is likely correct.

Perhaps Project Zero wasn't the first to discover the vulnerability. If they discovered it second, I think it is only reasonable for the initial discoverer to set the disclosure process.
The embargo date agreed among the several teams that were working on this was today, the 9th.