Dailydave mailing list archives
Re: [Regs] Did the list just Die?
From: Katie M <k8ek8e () gmail com>
Date: Wed, 9 Sep 2015 09:15:30 -0700
Those who don't know history are doomed to repeat it. There have been multiple attempts at gathering all the stakeholders and trying to gain consensus on vulnerability disclosure principles, even when parties disagree.

http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx

This was just one example. There are many others. Vulnerability disclosure is something where reasonable people will continue to disagree on the best way to minimize risk. This fundamental disagreement and source of tension will not shift very much until organizations have better and more consistent responses to vulnerability reports.

There are plenty of open problems in vulnerability coordination that are solely vendor ecosystem issues, like the complexity in coordinating across a hardware and software supply chain (e.g. a mobile phone has hardware, software, users, and service providers as stakeholders that play a role in the security level of that device at any given time). Another open problem in vendor-to-vendor vulnerability coordination is illustrated by Heartbleed, when a widely deployed library is affected and a coordinated public disclosure and simultaneous patch rollout is warranted. Both of the above, as well as driving the adoption of the existing ISO standards (29147, 30111) aimed at improving vendor vulnerability response, are ways that vendors and coordinators can improve the current state of vulnerability coordination and disclosure in a multistakeholder meetup whose goal it is to agree on principles.

Security researchers are not the biggest problem in the realm of vulnerability disclosure. Vendors wrote the buggy software.
Vendors are the ones who need to figure out better ways of dealing with that fact, with all the stakeholders including security researchers, their partners, and their customers. We should be working on improving true multistakeholder vulnerability coordination, which has much more to do with vendor capabilities and willingness to coordinate than it does with hacker behavior, as illustrated in the examples above, not redoing the basic vulnerability disclosure principles that have been described and agreed upon (or not) multiple times throughout history.

Katie

On Tue, Sep 8, 2015, Dave Aitel wrote:

Ok, so here's what I get from talking to Allan about it briefly last week. It reminds me a whole lot of the 2003 Loya Jirga <https://en.wikipedia.org/wiki/2003_loya_jirga> convened in Afghanistan, for ALL THE RIGHT REASONS. I mean, if you ask the question "Does the status quo work for you?" enough, then people will want to come to the table, because no, clearly it is not working. And in theory, you can then force some sort of "consensus" from whoever shows up, either by excluding the most contentious defenders of their positions or by simply finding a middle ground that is so banal that it is palatable. "Everyone is for cute puppies, right? As a principle?" Then in theory you can take this statement of principles to the people who are trying to rework the CFAA and related bills and say "Look, people are FOR PUPPIES, so maybe we shouldn't throw everyone in jail all the time for incrementing numbers in the URL bar?"

There are two major problems with this extremely expensive Vulnerability Management Loya Jirga:

The first is that clearly you only get a veneer of respectability for any statement of principles. Oracle is NOT an outlier with their opinions <http://arstechnica.com/information-technology/2015/08/oracle-security-chief-to-customers-stop-checking-our-code-for-vulnerabilities/> on how copyright allows them to deal with vulnerability researchers.
And researchers are of many, many minds, but pretty much rightfully wary of any attempt to put an official imprint on what way is "responsible" when it comes to releasing or handling vulnerabilities, even at its most watered down. We JUST got over Microsoft trying to enforce the rules of responsible disclosure, and I don't think anyone wants to go backwards on that. One day is maybe enough to discuss an introduction to the problems involved, assuming nobody sleeps or eats or uses the bathroom, even though only .01% of the interested stakeholders will be in the room or watching the video feed.

The second major issue is of course the stick. The current stick for a lot of this is "Congress is going to make a law. It is inevitable. Don't you want to help them do it right?" The natives hear this and are perfectly willing to play stupid even though they know for a fact that this is by no means inevitable. We have an administration on the way out and Congress's basic policy is lockjam. Much like in Afghanistan, where everyone knows that you can wait out the occupation, any time a stakeholder feels it is losing its position, it's going to ask a few thousand pertinent questions and push the issue back about 16 months.

And of course there's no talk of a backup plan. What happens if there's NO consensus? This is what worries me the most. When failure is not an option, then it is unfortunately guaranteed. Here's what will happen: A consensus will be forced. SOME documented set of "principles" will be taken to people writing bills. That is not necessarily Mission Accomplished, but it's sometimes close enough to write a Washington Post article about...

-dave

On Mon, Aug 31, 2015 at 4:09 PM Claus C. Houmann <cch () improveit dk> wrote:
I'm not from the U.S. and my POV might be both irrelevant to you and wrong, but it seems to me that if all US interest groups could work together on this, you might have a chance at avoiding further, future legislation that would hamper even more than any compromise now.

Claus Cramon Houmann

On 31 Aug 2015, at 21:55, Jason <jason () brvenik com> wrote:

My $.02 - If the only output is an agreement that mutual respect, coupled with an understanding that one of N possible paths is the typical outcome for the un-agreed term "vulnerability", I would consider it a net positive. It is clear something is going to be done and we need to be involved if only to minimize the potential negative outcomes of that something.

On Mon, Aug 31, 2015 at 2:44 PM, Dave Aitel <dave.aitel () gmail com> wrote:

I'm watching his BSides talk now. Lots of times people disagree because they have valid opposing views and interests. Vulnerability disclosure is one of those times. What do they do if they can't come to a "consensus"? Just give up, or propose a standard that pleases nobody? I haven't spoken to him yet, but I don't think you can come to a consensus on defining what a vulnerability is, let alone what to do about them, assuming something must be done.

-dave

On Mon, Aug 31, 2015 at 3:41 PM Jason <jason () brvenik com> wrote:

I spoke with him and my take is that there is a sincere desire to better understand the various constituencies and differing needs and that through a collaborative effort perhaps we can find a normative set of principles that everyone agrees on and from there begin to address the differing needs. To me it seems a lofty goal but one worthy of pursuit in a forum more conducive than a mailing list.

On Mon, Aug 31, 2015 at 2:13 PM, Jennifer Granick <jennifer () law stanford edu> wrote:

I'll be attending this meeting on 9/29.
Via Twitter I asked Allen Friedman, who is organizing this meeting, why this is on Commerce's agenda and I was told that they want to "expand norms: awareness, adoption, adaptation, innovation of practices & standards". I asked what the problem was they were trying to solve, but no answer. He invited me and others to contact him further, but I'm not sure a private conversation is anything but a waste of time. I think NTIA should publicly justify its efforts and interest here. My guess from Twitter chat is that Friedman has heard a number of complaints and thinks it would be a great idea for all the "stakeholders" to get in a room and compromise. My view is that the fact that people complain is not necessarily a good reason to do anything about their complaints.

J

Jennifer Stisa Granick
Director of Civil Liberties
Stanford Center for Internet and Society
559 Nathan Abbott Way
Stanford, CA 94305
650.736.8675
jennifer () law stanford edu

On Mon, Aug 31, 2015 at 12:01 PM, Jason <jason () brvenik com> wrote:

Surprised to not see follow-on conversations and no commentary regarding the NTIA announcement.

"NTIA will convene meetings of a multistakeholder process concerning the collaboration between security researchers and software and system developers and owners to address security vulnerability disclosure."

http://www.ntia.doc.gov/september-29-multistakeholder-meeting-vulnerability-disclosure-pre-registration

_______________________________________________
Regs mailing list
Regs () alchemistowl org
https://lists.alchemistowl.org/mailman/listinfo/regs
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Re: [Regs] Did the list just Die? Dave Aitel (Sep 08)
- Re: [Regs] Did the list just Die? Katie M (Sep 10)