A Politics of Vulnerability Reporting

This research agenda explores the politics of vulnerability reporting, analyzing ideologies, actors, and initiatives in the field. It examines the past, present, and future trends, and discusses the power relations among vendors, researchers, governments, media, and the public.

Presentation Transcript


  1. A Politics of Vulnerability Reporting
  Black Hat Briefings, Europe 2001
  Scott Blake, Director of Security Strategy
  BindView Corporation/RAZOR Research

  2. Agenda
  • Introduction
  • What is Politics?
  • The Past and Present
    • Ideologies, Actors, and Initiatives
  • The Future
    • Trends and Probabilities

  3. What is Politics?
  • The study of power
    • Power is the ability to make one do what one would not otherwise do.
  • Important Terms
    • Actor: One who uses or is subject to power
    • Ideology: A set of beliefs or ideas
    • Legitimacy: In accordance with established standards or patterns
    • Authority: Legitimate power

  4. Ideologies
  • Full disclosure
  • Zero disclosure
  • Responsible disclosure

  5. Full Disclosure
  • Tenets
    • Information wants to be free
    • Use the power of public opinion to make vendors improve code
    • Exploit code is more useful than destructive
  • Adherents
    • Most non-profit researchers
    • Very few commercial researchers

  6. Zero Disclosure
  • Tenets
    • Responsibility for fixing vulnerabilities lies with the software vendor
    • Authors of software should control information relating to that software
    • There is no public good in broad availability of vulnerability information
  • Adherents
    • Many software vendors
    • Many government actors
    • Much of the public

  7. Responsible Disclosure
  • Tenets
    • Exploit code causes more problems than it solves
    • Broad dissemination of vulnerability information is required to improve security awareness
    • Use the power of public opinion to make vendors improve code
  • Adherents
    • Most commercial researchers
    • Some notable software vendors

  8. The Actors
  • Vendors
  • Researchers
  • Governments
  • Media
  • The Public

  9. Vendors
  • Motivators
    • Shareholder value
  • Financing
    • Software sales
  • Interests
    • Limit damage to brand value
    • Limit vulnerability of customers
    • Sell more software
  • Power Relations
    • Often try to prevent public disclosure of vulnerability information through legal action, market leverage, lobbying

  10. Researchers
  • Motivators
    • Advance the state of the art
    • Build more security
    • Build name recognition/peer respect
  • Financing
    • Day job
    • Customers (grant, contract)
    • Software sales

  11. Researchers (2)
  • Interests
    • Continue financing source
    • Maintain/extend reputation
  • Power Relations
    • Hobbyists are largely free from external influence, provided the day job does not interfere
    • Academic and consultative researchers are largely beholden to their funding source, but different funders set different restrictions
    • Commercially-sponsored researchers are beholden to the parent company’s interests

  12. Governments
  • Motivators
    • Technocratic perception of public good
  • Financing
    • Taxes
    • Campaign contributions
  • Interests
    • Economic growth
    • Public safety
  • Power Relations
    • Prosecution of criminal or negligent behavior
    • Large purchaser of information technology

  13. The Media
  • Motivators
    • “All the news that’s fit to print”
  • Financing
    • Advertisements
    • Subscribers
  • Interests
    • More readers
  • Power Relations
    • Very powerful creators of brand, image
    • Influencers of public perception

  14. The Public
  • Motivators
    • Too chaotic to be relevant
  • Financing
    • Too chaotic to be relevant
  • Interests
    • Stable, secure software
  • Power Relations
    • Wields tremendous power, but very difficult to direct in any specific direction

  15. Initiatives
  • Council of Europe Cybercrime Treaty
  • US anti-terrorism legislation
  • Disclosure forums
  • Coalition for Internet Safety

  16. Council of Europe’s Cybercrime Treaty
  • Intended Outcomes
    • Harmonize and update European computer crime laws
  • Unintended Outcomes
    • Potential for mis-implementation of the tools provisions may have a chilling effect on research
    • Language pertaining to intent may lead to certification requirements for security practitioners

  17. USA’s PATRIOT Act
  • Intended Outcomes
    • Adds cybercrime to the list of terrorist acts
    • Strengthens provisions against aiding and abetting terrorists
  • Unintended Outcomes
    • Since hackers are now terrorists, is publishing vulnerability information aiding and abetting?

  18. Disclosure Forums
  • Intended Outcomes
    • Get information to those who need it
  • Unintended Outcomes
    • Puts information in the hands of the “bad guys”

  19. Coalition for Internet Safety
  • Intended Outcomes
    • Limit availability of information to “bad guys”
  • Unintended Outcomes
    • Limit availability of information to everyone

  20. Trends
  • Increasing legislation
  • Improving communication channels
  • More and more research being done
  • More vicious attacks
  • Continuing penetration of Internet access

  21. Probabilities
  • Will the public demand security?
  • Who will pay for security?
  • A war on hackers/cyberterrorists?
  • Lessons from recent events
  • Security for the people?