Hacker News
by freeopinion 922 days ago
> The vulnerabilities were discovered during the course of 2020, and were reported to the NCSC in the Netherlands in December of that year. It was decided to hold off public disclosure until July 2023, to give emergency services and equipment suppliers the ability to patch the equipment.

Interesting discussion about responsible disclosure. It seems a strange belief that you can tell all the radio operators about the vulnerability without also telling exploiters. Aren't they often one and the same? What's a reasonable approach here?


> It seems a strange belief that you can tell all the radio operators about the vulnerability without also telling exploiters

I suspect that there was an update (or replacement) to the radios that was generally described as an ordinary update / maintenance.

Do you also suspect that the patch was generally ignored because nobody knew it was important?

Should the vendor be allowed to continue to sell models they know are compromised while their competition loses those contracts? Shouldn't there be some consequence for such fraud?

Immediate public disclosure.
I'm inclined to agree. I'm not comfortable with the way this unfolded.

> The Dutch NCSC (NCSC-NL) was informed in December 2021, after which meetings were held with the law enforcement and intelligence communities, as well as with ETSI and the vendors. Shortly afterwards, on 2 February 2022, preliminary advice was distributed to the various stakeholders and CERTs. The remainder of 2022 and the first half of 2023 were used for coordination and advisory sessions with stakeholders, allowing manufacturers to come up with firmware patches, updates or workarounds.

This reads to me as if malicious parties were notified some 18 months before users were notified.

Depends on who the stakeholders were.
Does it? Intelligence agencies were among the first informed. Those are the bad guys.

I know "bad guys" is a harsh phrasing, but when it comes to encrypted communication, they are literally the definition of the adversary. Anybody in intelligence that doesn't play for my team is a "bad guy". And since everybody belongs to multiple conflicting teams, even a person who plays on one of my teams is a "bad guy" from the perspective of my other teams.

If the first place you go with a disclosure is to the intelligence community, you are hurting users.