The weirdness of this whole debacle between Maynor/Cache and Apple involving possible Apple wireless driver exploits continues. There are some fishy things going on here, and Apple is being very shifty in their dealings.
I previously likened the weight and importance of this situation to what Michael Lynn went through with ISS and Cisco last year, and the similarities continue to grow. David Maynor has been forced to pull out of his revelatory Toorcon presentation which was probably going to finally pull the veil back on this situation.
Now, SecureWorks and Apple are working through a third party, CERT, on the security issues. Sadly, there is the possibility that Apple may stiff-arm CERT as well, which undercuts a suggestion I read and agreed with: that perhaps security issues need to be verified by a third party so that full disclosure and corporate protections can coexist.
Unfortunately, the integrity of that third party is then in question, as are the rules of engagement for it. As Brian Krebs mentions, what if CERT decides to just never authorize the release of the information? We’re back to having no real solution for the full disclosure debate.
If this keeps up, full disclosure will just plain happen, and the corporations affected will simply be alienated from the research communities. Also, those who can’t afford to fully disclose and possibly be attacked legally will fall back on complete non-disclosure, which threatens the health of our systems and networks when corporations simply stifle any problems with their products. In that case, one may as well sell the exploit to someone else.
Not only that, but just look at the comments on Brian Krebs’ post to see exactly how inflamed and impassioned even the security industry can be, on both sides of the issue.