Security Basics mailing list archives
Re: People on Google Security blog don't understand cyber terrorism
From: Chad Perrin <perrin () apotheon com>
Date: Wed, 28 Jul 2010 17:29:04 -0600
On Wed, Jul 28, 2010 at 09:49:07AM +1000, Murda wrote:
> The aims of the so called cyber terrorists may well be as illogical and unreasonable as their real life counterparts but they will no doubt find that their goals (ever shifting and nebulous as they are) will not be facilitated by carrying out more and more attacks. Why? Because terrorism never seems to actually work to deliver the goals that the terrorists think that they want.
>
> http://maxabrahms.com/pdfs/DC_250-1846.pdf
>
> Max Abrahms has a great piece on reasons why. Not strictly related to the terror being waged across the internets by these irresponsible disclosure-driven fiendish fiends but still relevant in some manner.
While Mr. Gillett (who also responded to you) made very good points, and I agree with his statements, I feel it incumbent upon me to add one more thing:

The term "terrorist" should not be applied to the case of Tavis Ormandy's public disclosure of a vulnerability in software distributed by Microsoft. In fact, there is quite obviously no malicious intent involved -- obviously, at least, to anyone willing to actually read about what happened, and to think about it for more than the half second it takes to come up with a completely overblown reaction like calling him a "cyber terrorist" for doing what he felt was in the best interests of software security and Microsoft's customers. Even if you disagree with his conclusions, I don't see how one could honestly read the available information about what happened and conclude his actions could be described as malicious or having evil intent.

"Full disclosure" isn't an attack. It's a philosophy of vulnerability reporting intended to ensure the greatest security for all. Whether it is the most effective means of pursuing that end is not at the moment statistically quantifiable, so we really don't know whether it works or not, though at first blush the theory seems sound at least in principle.

By contrast, "responsible disclosure" as practiced and advocated by Microsoft flies in the face of principles of information security that can be traced back at least as far as Kerckhoffs' Law, formulated in the 1800s, and corroborated by more than a century of evidence since.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]