Hype Around the Mysterious ‘Badlock’ Bug Raises Criticism (WIRED)

[Security] Posted Mar 24, 2016 20:30 UTC (Thu) by jake

The security circus continues to get sillier, it seems. WIRED is reporting on the "Badlock" bug that SerNet has pre-announced—with the requisite catchy name, logo, and web site—but without any technical details, or patches, for another three weeks. "But another bug is on the horizon that is setting a new bar for brand-name bug disclosures. It’s called Badlock and it’s already receiving a lot of controversial attention, even though the exact nature of the bug—and most importantly, the patches to fix it—won’t be disclosed for another three weeks. The bug affects unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network."

Josh Bressers's blog post also has some thoughts on the "disclosure": "The thing everyone always should remember in a situation like this is there are a lot of really smart people on the planet. If you think of something clever or discover something new, there are huge odds someone else did too. 3 weeks almost guarantees someone else can figure out whatever it is you found. It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person."
