Is Sybase's management well intentioned and dumb, or a crowd of control freaks who want to dictate to everyone -- including Sybase customers -- exactly what they're allowed to say about security? The question comes up after Sybase threatened to sue Next Generation Security Software, a security research company in England. Last year, NGS found a batch of vulnerabilities in Sybase Adaptive Server and notified Sybase. Sybase issued patches for the holes. So far, so good.
But now, NGS wants to publish details of the problem, as is its usual practice. And Sybase says that if NGS does so, Sybase will sue.
On what grounds? Sybase is reportedly pointing to its license agreement, which states in part: "Results of benchmark or other performance tests run on the Program may not be disclosed to any third party without Sybase's prior written consent."
Let that one sink in. Sybase is claiming that finding security holes in one of its products qualifies as a "performance test." Sybase executives know that's bogus. But it's the only clause in the license agreement that sounds even remotely like it could apply. And so far, the threat has worked; NGS has delayed publishing its report.
Wait, it gets better. Here's the start of Sybase's official statement about the NGS situation: "Sybase constantly strives to improve the security and functionality of its software. Sybase appreciates the efforts of its customers and companies like NGS who occasionally find issues which are brought to Sybase's attention."
Did you catch it? That's right -- in talking about its threat against NGS, Sybase is specifically including any other customers who find problems with Sybase software too.
Sybase's statement goes on to say that the company is primarily concerned about the security of its customers and that "the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
Which sounds very well intentioned. It also sounds very dumb.
After all, the bad guys already know the details of these security holes. They've likely already reverse-engineered Sybase's patches and developed exploit code. They're surely not sitting around waiting for NGS's description of the problem.
Let's presume Sybase's patches work. Then for any customer who has applied them, the problem is fixed. And publishing the details of the vulnerability is a nonevent.
Except, of course, for customers who haven't applied the patches. Those customers are at risk. Every unpatched day is another opportunity for bad guys to attack them. If Sybase truly cares about the security of those customers, the vendor should be cajoling and nagging and harrumphing and doing whatever it takes to make sure the patches are applied and those security holes are history.
That's the smart thing to do. It actually solves the problem. But it also reminds Sybase customers that there was a problem to begin with.
How much easier to threaten a lawsuit against the security outfit, and hint that any customers who find security holes and make them public could get the same treatment, eh?
That must have sounded awfully clever to someone in Sybase management. It's not. Security-by-obscurity is dumb. A mangled reading of license terms is dumb. Gratuitously dragging customers into lawsuit talk is very, very dumb.
And nobody wants a dumb software vendor. Greedy? That comes with the territory. Likely to dodge blame for problems? We expect that. Willing to strong-arm customers? We can even live with that, so long as the vendor convinces us that it's smarter than we are.
But threatening customers, misreading license terms and suing security people who are looking out for Sybase's customers? That doesn't sound smart. Or even well meaning.