Yes, a thousand times yes. The point isn't to market a vulnerability, the point is to get a fix out there.
Forcing the entire world to scramble is great marketing, but poor security. Vendors needed time to prep releases and communications; there's tons of confusion flying around out there.
Likewise, patio11's trying to capitalize on the awareness to market himself may also be great marketing, but it's bad advice.
I don't know why parent is being downvoted, either. This is simply not how you keep people secure. This is how you grandstand to promote yourself at the cost of other people's security.
How is patio11 using this "to capitalize" and "to market himself"? Anyone who follows him knows that security-related "PSAs" are a staple of his Twitter feed. Combine that with the fact that he writes about marketing on a regular basis and this post is very much par for the course. Both his PSAs and his material on marketing and business are a real service to everyone. That's why they've been so popular on HN for years.
> Both his PSAs and his material on marketing and business are a real service to everyone. That's why they've been so popular on HN for years.
HN loves startup porn, but how is this any different than how self-help books are marketed?
Distrust anyone who makes a business out of telling other businesses how to be successful in business because of how they're successful in business.
The people who are successful don't have time to run consultancies, and anyone that knows anything about consultancies knows that the lessons you learn there are very different than what's useful and necessary for product companies.
Bingo Card Creator and Appointment Reminder. The latter is big enough he's started doing angel investing. Keep in mind, he runs both of them by himself and he no longer consults. I'm not saying he doesn't have an ulterior motive, but his motives are considerably more pure than 99% of the articles on Hacker News.
Not that it matters. Who cares where the advice comes from if it works? And if it doesn't work, the purest motives in the world aren't going to make it work.
The path to fixing it is in part through marketing. A lot of companies need to be aware of how dangerous this vulnerability is. Look how hard it is to get them to upgrade to the latest TLS or the most modern/secure cipher suites, and so on. If marketing can help convince them to do it a lot sooner, then godspeed.
The problem is that just "getting a fix out there" isn't enough. People have to deploy that fix for it to mean anything. And the way you get people to deploy a fix is to make them aware that they need to.
Given how widely deployed OpenSSL is, and how many of those systems are run by part-time or amateur sysadmins who aren't going to be monitoring CVE lists constantly, getting the word out that (1) there's a huge problem and (2) here's how you fix it is of paramount importance.
I believe that in this case marketing is a great way to get a fix out there. It's a commitment act, Schelling-style [0]. They basically forced everybody in the world to drop everything and fix this issue right fucking now. The seriousness of Heartbleed warrants that level of marketing, IMO.
Part of getting the fix out there is marketing. If the fix is out there and no one knows about it, or the powers that be don't care, what good is the fix?
Marketing is entirely the wrong way to get the people who release fixes to scramble. At least at the top few tiers (package developers and distribution maintainers) you know the organizations necessary to contact, and how to contact them. If the orgs are worth their salt, a descriptive email to their security contacts is faster and easier than a marketing campaign.
Marketing is useful to get sysadmins too lazy to subscribe to security announcement mailing lists to apply the already-released patches or take other mitigation.
> Marketing is useful to get sysadmins too lazy to subscribe to security announcement mailing lists to apply the already-released patches
Which, let's be honest, is the vast majority of people who admin servers these days.
With cloud servers, VPSes, etc., anyone can become a "sysadmin," and lots of people do who don't really understand what they are signing up for. These are the people running the unpatched boxes that Ars Technica recently called "the slum houses of the Internet." (http://arstechnica.com/security/2014/03/ancient-linux-server...)
Those people aren't going to patch their system just because a CVE was issued. They don't know what a CVE is. So marketing the problem is critical to reach them and get them off their duffs.
No, it's a good way to get half-broken fixes rushed out the door while users are left blowing in the wind due to premature grandstanding public release.