Responsible Disclosure

Samuel Sidler
Jul 27, 2012, 12:48:14 AM
to mozilla-g...@lists.mozilla.org
Hello,

Previously, when I was more involved in the Mozilla Project, and when I was working for the Mozilla Corporation, we immensely appreciated responsible disclosure of security flaws from security researchers (and others). There were at least a couple of instances I can remember around this time of the year (BlackHat, DefCon conferences) when security researchers would responsibly disclose prior to giving a talk at a security conference about the hack they had devised. This allowed us to fix the root problem before or at the same time as their public disclosure at the conference. In fact, there were times we'd coordinate with other vendors (Microsoft, Opera, Apple) who had the same issues.

I was stricken by how important this methodology was after attending one DefCon talk in which a physical key hacker had devised a method to break into the most robust and "impossible to hack" key lock in the world. He had disclosed this to the company over a year in advance of his talk to give them time to make the real, physical world changes needed: devising a new, more advanced lock; changing their manufacturing procedures; alerting their customers; upgrading as many customers as possible to the new locks. He even worked with them to ensure he could discuss his hack publicly without doing too much harm to the company. (I think it was along the lines of... "Now that you've implemented a fix for a good percentage of your customers, would it immensely hurt your company to give a talk now?")

Thus, I was very saddened to read this article in Forbes.

http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/

From page one:

At the Black Hat security conference Tuesday evening, a Mozilla software
developer and 24-year old security researcher named Cody Brocious plans
to present a pair of vulnerabilities he’s discovered in hotel room locks
from the manufacturer Onity, whose devices are installed on the doors of
between four and five million hotel rooms around the world according to
the company’s figures.

So far so good. I imagine Mozilla encourages these sorts of activities as they help in all aspects of security research. Then I went to page two:

In a move that may dismay security practitioners, Brocious never
contacted Onity or its parent company United Technologies Corporation to
tell the firm about its security flaws, and doesn’t plan to ahead of his
talk. But he says that’s because there’s little the company could do:
the locks can’t be simply upgraded with new firmware to fix the problem.
New circuitboards will have to be installed in every affected lock, a
logistical nightmare if millions of locks prove to be vulnerable.

This makes me sad. It's not clear to me that he actually knows how many locks are vulnerable ("_if_ millions of locks...") or if Onity could actually get a fix out there. It's even possible that there *is* something Onity can do, but they have no way to know prior to disclosure. Later in the article he says that this was a better way to get hotels aware of the situation. Having not contacted Onity, how can he know what that company might do as far as disclosure to its customers?

My question is this:

If Mozilla appreciates responsible disclosure, it should definitely expect the same from its employees. Does a responsible disclosure policy exist at Mozilla?

-Sam

Robert O'Callahan
Jul 27, 2012, 1:18:38 AM
to Samuel Sidler, mozilla-g...@lists.mozilla.org
On Fri, Jul 27, 2012 at 4:48 PM, Samuel Sidler <samuel...@gmail.com> wrote:

> My question is this:
>
> If Mozilla appreciates responsible disclosure, it should definitely expect
> the same from its employees. Does a responsible disclosure policy exist at
> Mozilla?
>

Another question is, "Should Mozilla compel its employees to 'responsible
disclose' work that was done outside of their Mozilla employment?"

Rob
--
“You have heard that it was said, ‘Love your neighbor and hate your enemy.’
But I tell you, love your enemies and pray for those who persecute you,
that you may be children of your Father in heaven. ... If you love those
who love you, what reward will you get? Are not even the tax collectors
doing that? And if you greet only your own people, what are you doing more
than others?" [Matthew 5:43-47]

Samuel Sidler
Jul 27, 2012, 1:25:39 AM
to mozilla.g...@googlegroups.com, Samuel Sidler, mozilla-g...@lists.mozilla.org, rob...@ocallahan.org
On Friday, July 27, 2012 12:18:38 PM UTC+7, Robert O'Callahan wrote:
> Another question is, "Should Mozilla compel its employees to 'responsible
> disclose' work that was done outside of their Mozilla employment?"

If they're going to use Mozilla's name, I think yes. It reflects incredibly poorly on Mozilla and hurts its reputation.

But what I'm saying is there should be a policy that all employees (and community) know about and understand. People should understand not just that good Mozillians responsibly disclose but _why_ we responsibly disclose. If they choose to break it, I'm not saying anyone should be fired or anything that crazy, but I know I didn't like firedrills when I was shipping Firefox. I can't imagine Onity does... Golden Rule and all that.

-Sam

Robert O'Callahan
Jul 27, 2012, 1:46:04 AM
to Samuel Sidler, mozilla.g...@googlegroups.com, mozilla-g...@lists.mozilla.org
On Fri, Jul 27, 2012 at 5:25 PM, Samuel Sidler <samuel...@gmail.com> wrote:

> On Friday, July 27, 2012 12:18:38 PM UTC+7, Robert O'Callahan wrote:
> > Another question is, "Should Mozilla compel its employees to
> 'responsible
> > disclose' work that was done outside of their Mozilla
> employment?"
>
> If they're going to use Mozilla's name, I think yes. It reflects
> incredibly poorly on Mozilla and hurts its reputation.
>

Perhaps so. However, in this case I can't tell that Mozilla's name was used
in any way beyond the statement of biographical fact that the speaker is
currently a Mozilla employee.

I appreciate that such nuances are likely to be lost in the brutish
discourse of the Internet.

David Bruant
Jul 27, 2012, 4:10:38 AM
to rob...@ocallahan.org, Samuel Sidler, mozilla.g...@googlegroups.com, mozilla-g...@lists.mozilla.org
On 27/07/2012 07:46, Robert O'Callahan wrote:
> On Fri, Jul 27, 2012 at 5:25 PM, Samuel Sidler <samuel...@gmail.com> wrote:
>
>> If they're going to use Mozilla's name, I think yes. It reflects
>> incredibly poorly on Mozilla and hurts its reputation.
> Perhaps so. However, in this case I can't tell that Mozilla's name was used
> in any way beyond the statement of biographical fact that the speaker is
> currently a Mozilla employee.
>
> I appreciate that such nuances are likely to be lost in the brutish
> discourse of the Internet.
From a purely reputation perspective, imagine that after the Forbes
article, some other article is released saying "Mozilla trains hackers
to unlock your door" and everyone picks it up. Then, if Mozilla has an
official Responsible Disclosure policy, it leaves room to do an official
PR with the following structure:
1) "We have a Responsible Disclosure policy that we expect our employees
to follow"
2) [explain what Responsible Disclosure is]
3) Explain how the specific accusations are false on that basis

If the Mozilla name is associated and it turns into a bad buzz, having
the policy is a good way to defend. If Mozilla has no such policy,
Mozilla can still make an official statement, but probably weaker.

Besides the pure reputation perspective, that would be a good idea (if
it isn't the case already).

David

Gervase Markham
Jul 27, 2012, 8:56:24 AM
to mozilla-g...@lists.mozilla.org
On 27/07/12 02:46, Robert O'Callahan wrote:
> Perhaps so. However, in this case I can't tell that Mozilla's name was used
> in any way beyond the statement of biographical fact that the speaker is
> currently a Mozilla employee.

http://www.blackhat.com/usa/speakers/Cody-Brocious.html

It is not clear whether Cody wrote that himself, of course - although
I've recently been asked to speak at a conference of similar ilk and I
was asked to provide and to validate a bio for myself.

I think this is a conversation he needs to be in anyway, so I've emailed
him to make him aware of its existence.

Gerv

Gervase Markham
Jul 27, 2012, 9:04:50 AM
to mozilla-g...@lists.mozilla.org
On 27/07/12 01:48, Samuel Sidler wrote:
> If Mozilla appreciates responsible disclosure, it should definitely
> expect the same from its employees. Does a responsible disclosure
> policy exist at Mozilla?

This page used to say that we believe in it:

http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/causes/security.html?pathrev=48036&view=diff&r1=48036&r2=47790&diff_format=l

but it no longer exists; it must have got removed when we reorganised
the "about us" stuff. And it wasn't a policy page anyway.

The "Background" section of this document does not use the phrase
"responsible disclosure" but I think it commends the idea:
http://www.mozilla.org/projects/security/security-bugs-policy.html

Of course, it is focussed on us receiving vulnerabilities rather than
reporting them.

Gerv


Robert Accettura
Jul 27, 2012, 10:37:29 AM
to rob...@ocallahan.org, Samuel Sidler, mozilla.g...@googlegroups.com, mozilla-g...@lists.mozilla.org
On Fri, Jul 27, 2012 at 1:46 AM, Robert O'Callahan <rob...@ocallahan.org> wrote:
> On Fri, Jul 27, 2012 at 5:25 PM, Samuel Sidler <samuel...@gmail.com> wrote:
>
>> On Friday, July 27, 2012 12:18:38 PM UTC+7, Robert O'Callahan wrote:
>> > Another question is, "Should Mozilla compel its employees to
>> 'responsible
>> > disclose' work that was done outside of their Mozilla
>> employment?"
>>
>> If they're going to use Mozilla's name, I think yes. It reflects
>> incredibly poorly on Mozilla and hurts its reputation.
>>
>
> Perhaps so. However, in this case I can't tell that Mozilla's name was used
> in any way beyond the statement of biographical fact that the speaker is
> currently a Mozilla employee.
>
> I appreciate that such nuances are likely to be lost in the brutish
> discourse of the Internet.

This is a very valid point. I can add a little more to that. I know
from past experience journalists sometimes will just grab the employer
or association of an individual (provided that relationship can be
authenticated as factual) to improve credibility. How does that factor
in? In the past I've personally even contacted one and asked them to
remove it when I thought it was completely unnecessary and unrelated.

When I read the coverage, I personally assumed it was outside of
official work and the reference of the employer was just to make the
subject more credible by using a well known association (employer).
But I might be biased, so I'll just leave it at that.

As I understand it, this stuff is the bane of many HR and corporate
communications departments in many companies.

Majken Connor
Jul 27, 2012, 11:34:45 AM
to Robert Accettura, Samuel Sidler, mozilla.g...@googlegroups.com, mozilla-g...@lists.mozilla.org, rob...@ocallahan.org
On Fri, Jul 27, 2012 at 10:37 AM, Robert Accettura <rob...@accettura.com> wrote:

> On Fri, Jul 27, 2012 at 1:46 AM, Robert O'Callahan <rob...@ocallahan.org>
> wrote:
> > On Fri, Jul 27, 2012 at 5:25 PM, Samuel Sidler <samuel...@gmail.com>
> > wrote:
> >

This did leave me uneasy when I read it. I assume that Cody's employer had
control over the process of informing the employer and what to do with the
information. However, Mozilla is a community of people, and the culture of
Mozilla depends on the attitudes of its community members. I think it does
reflect poorly if Mozilla employees don't respect responsible disclosure
policies. I think Mozilla's attitude towards security problems is a huge
part of our culture. How open source handles security issues vs proprietary
software has been a way we try to set ourselves apart and how we promote
open source as better. So in that sense I think the article does reflect on
Mozilla's reputation.

But like I said there is probably more to the story. I'm not trying to say
Cody did something wrong, I have no idea. Just that's why the article made
me uncomfortable and it might be good for Mozilla to fill in the pieces.

Michael Coates
Jul 31, 2012, 7:13:41 PM
to Samuel Sidler, mozilla governance, mozilla-g...@lists.mozilla.org

----- Original Message -----
> From: "Samuel Sidler" <samuel...@gmail.com>
> To: "mozilla governance" <mozilla.g...@googlegroups.com>
> Cc: "Samuel Sidler" <samuel...@gmail.com>, mozilla-g...@lists.mozilla.org, rob...@ocallahan.org
> Sent: Thursday, July 26, 2012 10:25:39 PM
> Subject: Re: Responsible Disclosure
>
> On Friday, July 27, 2012 12:18:38 PM UTC+7, Robert O'Callahan
> wrote:
> > Another question is, "Should Mozilla compel its employees to
> > 'responsible
> > disclose' work that was done outside of their Mozilla
> > employment?"
>
> If they're going to use Mozilla's name, I think yes. It reflects
> incredibly poorly on Mozilla and hurts its reputation.
>
> But what I'm saying is there should be a policy that all employees
> (and community) know about and understand. People should understand
> not just that good Mozillians responsibly disclose but _why_ we
> responsibly disclose. If they choose to break it, I'm not saying
> anyone should be fired or anything that crazy, but I know I didn't
> like firedrills when I was shipping Firefox. I can't imagine Onity
> does... Golden Rule and all that.
>
> -Sam

Mozilla has a long-standing policy for handling disclosures related to Mozilla and our work as Mozillians. In this case the research was outside of Mozilla, completed before the individual joined Mozilla, and is not related to Mozilla work. Mozilla typically does not have policies stating how individuals behave in their private lives. So jumping to a policy that applies outside of Mozilla work has a lot of problems.

Being identified as a Mozillian, or as associated with Mozilla raises other problems. Active Mozillians and especially Mozilla employees can end up "representing" Mozilla whether they meant to or not. We've seen a bunch of this lately. I'll commit to making sure that this incident is included in the discussion of when and how people represent Mozilla, and when and how they should make sure they are not representing Mozilla.

--
Michael Coates
Director of Security Assurance
mco...@mozilla.com

Al Billings
Aug 3, 2012, 10:37:27 PM
to mozilla-g...@lists.mozilla.org