The risk in the Google design, according to Mr. Miller [note: security researcher Charles A. Miller], who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.
That's a nasty one. But it seems that while Miller told Google of the flaw, he also disclosed its existence before Google had a chance to patch. Miller explains his reasoning to Markoff:
Mr. Miller said he was withholding technical details, but said he felt that consumers had a right to know that products had shortcomings.
First: if you don't know that products have "shortcomings," you probably lack the IQ necessary to dial the G1.
Didn't we experiment with this partial-advance disclosure earlier this year with the now-famous DNS flaw which was announced sans-technical details by Dan Kaminsky? We all know it didn't take long for other security experts to figure out the nature of the flaw, and the information got released before everyone had time to patch. Despite Kaminsky's best intentions, the situation went into a nasty flat-spin that lasted for weeks.
Thankfully, since the T-Mobile G1 doesn't come remotely close in importance to the Internet's DNS, we're not in for a repeat of the same magnitude. But it does show the debate on the proper disclosure of vulnerabilities just isn't going to die.
No. The disclosure debate is like the maniacal killer in a bad horror flick: he just keeps lurching out at you at every turn.