Tuesday, May 08, 2007

Blogging Hiatus, New Travel Blog

I am now safely in Munich, Germany, and thus for the next 4 months, mostly beyond the reach of the US government and the nasty DMCA.

Just as I did last summer, I will be taking a break from blogging, at least about computer security, and anything else likely to get me in trouble. I'm working for a respectable Japanese company, and I want to keep a low profile while I'm here.

This blog will not remain 100% silent, as I have a bit of unfinished business to take care of. There are two semi-big projects that I worked on this past semester at university. I fully expect to announce the details of one of them in the next few weeks. I'm attempting to follow the practice of 'responsible disclosure', and thus I'm giving the various vendors a reasonable period of secrecy in which they can fix the design flaws in their products.

The second project is currently being held up by the lawyers. I do not know when they'll approve it - but I would rather not receive the latex glove treatment, or worse, when I fly back to the US in August, and so I'm playing it safe on this one. Stay tuned for that project, which should be very, very fun.

However, I do at least want to continue writing about my travels - but I don't want to bore those regular readers of this blog who come here to hear about computer security-ish things. I've therefore created another blog, available here where you can read about my travels. I've got 3 months in Germany, and a month in India that I'll be writing about.


Arvind Narayanan said...

One more reason why blogger sucks -- AFAICT you don't have feeds for individual tags. If you did, you wouldn't need a separate blog, you could just ask readers to use one or the other tag.

Even if you aren't writing about your own activities, it would be nice if you could write about security once in a while.

aaron said...

First time communicating with you, but wanted to just throw my two-cents onto the table about responsible disclosure.

When disclosing a vulnerability to a vendor it's best to either a) work through CERT, and/or b) propose a hard deadline during the first disclosure.

CERT has a hard deadline of disclosing the vulnerability 45 days after they are informed.
This is necessary, as the vendor is economically motivated to keep the vulnerability secret forever, because the vulnerability costs the vendor [patchDevCost + (someFraction)*CustomersCost], where Customers are those who have the software installed.

The patchDevCost is the major portion of the total VulnCost until the Vulnerability has been made public.

A large company with a huge code base (Microsoft, for example) can reasonably develop, test, and release a patch within 1-2 weeks if necessary. 30-45 days is merely to allow typical patch cycles to complete, and/or for smaller organizations to develop the patch.

Working through an intermediary like CERT typically absolves you from any unfounded threats of liability.


Anonymous said...

Interesting article, good read, thanks.