"Chilling Effects" paper at USENIX

Joshua N Pritikin jpritikin at pobox.com
Wed Apr 9 01:24:17 EDT 2008


On Tue, Apr 08, 2008 at 09:54:51PM -0700, Jaya Kumar wrote:
> On Tue, Apr 8, 2008 at 9:21 PM, Mitch Bradley <wmb at laptop.org> wrote:
> > It would have been nice if the criticisms had been delivered directly to
> > OLPC, instead of broadcast in a public forum, where enemies of OLPC can cite
> > and expand on them as evidence that "OLPC is hopelessly screwed up, so you
> > should buy our competing product instead".  If you get my drift.
> 
> In the free and open source community, people generally post their
> technical opinions and criticisms in the open. If they're wrong, then
> we can say it, while moving forward, or if they're right, then we can
> fix it, and move forward.

Of course, but these authors are also playing politics.

> >  I believe that the prevailing ethos in the white hat security community is
> > to report newly-discovered vulnerabilities first to the company in question,
> > thus giving them some amount of time to develop a patch before the public
> > announcement.
> 
> If the paper provided an exploit or specifically identified a
> vulnerability then they should have sent it to you guys first. Did
> they identify a specific vulnerability or exploit?

Sure, they identify lots of them and imagine a few more implausible 
ones for good measure.

> >  The authors appear to be academics, however, so they would get little
> > credit for having contributed to OLPC security by privately contacting OLPC
> > and giving us an opportunity to address their concerns. Publishing is the
> > coin of the realm in academic circles.
> 
> Agreed. Are any of their concerns valid?

Valid, yes, but their tone is insulting.


