Information Security News mailing list archives

Re: Security Mailing Lists Come Under Fire


From: InfoSec News <isn () c4i org>
Date: Thu, 27 Mar 2003 03:47:59 -0600 (CST)

Forwarded from: Emerson Tan <et () c4i org>

Under normal circumstances I don't post much to the ISN list. I hope
people will forgive this indulgence.

It occurs to me that there are a number of fundamental problems and
conflicts of interest here, most of which arise from the structure of
the internet community and its relationship with real world
organisations and their own internal imperatives. I have attempted to
list some of them here in bullet form, and at the end suggest one or
two ideas for solutions.


a) In the real world functions like security and emergency response
and alerting are handled by the state or state mandated bodies like
the police or the fire service. They are paid for by people's taxes,
and they are pretty universal, as they deal with public safety.

However there is no equivalent to any functions of the state for the
internet community. Those organisations with global responsibility
such as ICANN seem to be quite fractious, which is good for a
democracy, but no good if you need a rapid co-ordinated structured
response. Corporates have the organisational structures needed for
rapid structured response, but have problems that make them unsuited
to providing universal services.

b) The profit imperative will always drive corporate entities to
ration out information if there is nothing to stop them doing so in
the way of regulation or compelling business case. It should come as
no surprise if Bugtraq and the like, now coming under the Symantec
umbrella, should go first to paying customers. The general internet
community has no stake in Symantec and therefore Symantec has no
responsibility to the internet community at large. Rather Symantec's
shareholders call the shots and it should come as no surprise that they
want to maximise their investment. Same logic goes for Secunia, they
might be small and Danish, but they are still bound by the same
imperative.

c) Bodies like CERT, although nominally academic and non corporate, are
closed bodies. They are not subject to audit of their methods or their
procedures. Furthermore there is no way of imposing these on these
bodies as once again they are not accountable to the community at
large, their funding coming from a selection of bodies with only
limited oversight.

Some ideas regarding potential solutions.

a) In the very recent past, a number of governments have started
programs designed to protect their critical national infrastructures.

These organisations however are local in scope and really focused on
national needs. However, information technology threats are geography
independent; a vulnerability discovered in Spain is as likely to be
used in an attack there as in the United States.

Therefore if these bodies are to have any role they must be
internationally focused as well as being nationally based. If this
criterion can be met, these organisations may provide the basis of
an international network of infrastructure protection organisations
capable of digesting vulnerability information and distributing alerts
in some meaningful way in the absence of any global, accountable, not
for profit body in the internet community. There would be an issue of
transparency of course, but this can be addressed, if only civil
servants in participant countries will let it be so.

b) If these organisations are not up to the task, then an independent
not for profit organisation should be founded. It would be subject to
the following controls:

-Public audit of accounts.
-Public disclosure of donations over a minimum amount.
-Publication of methodology.
-Periodic published audit of methodology and performance.
-Published list of directors and executives.
-An oversight commission elected by affected and interested parties
(everyone effectively).

Transparency might inspire the kind of trust which seems to be missing
from both corporate and governmental bodies, and oversight elections
might give the body the legitimacy required to bring recalcitrant
vendors and others who play badly into the system.

c) If this doesn't work, then there is always the option of everyone
buying shares of Symantec stock. This gives the possibility of
influencing corporate policy, in whichever direction one thinks is
right with regard to this issue. It's not ideal, as I suspect the
majority of institutional investors are less interested in global
issues and with huge bloc votes could easily block any initiative that
might hurt a profit margin. But it is better than no oversight at all.

These issues are going to come up repeatedly. The explosion in
software development and the economic slowdown mean more
vulnerabilities and a driving commercial imperative to squeeze revenue
growth from a market that is no longer growing. At the same time
attempts to structure the release of security information for
commercial reasons are obviously not a good idea, as it's no good being
protected if your clients, business partners, and anyone with a
machine capable of propagating a worm such as SQL Slammer or a DDoS
attack aren't.

Security in the on-line world is both global and collaborative. We
forget this at our peril.

Emerson Tan


InfoSec News wrote:

http://www.eweek.com/article2/0,3959,974781,00.asp

By Dennis Fisher
March 25, 2003

A Danish security company, angry over what it perceives as
censorship on several popular mailing lists, is launching "a
revolution to remove SecurityFocus and CERT from power."

At present, the revolution consists of a new mailing list that will
aggregate vulnerability advisories and other security-related
reports from a variety of sources. Employees of Secunia Ltd. will
take advisories from these sources, research and verify them and
then submit them to the new list.

The list, known as the Secunia Security Advisories List, is designed
to compete with lists such as SecurityFocus' BugTraq and to
complement more open lists, including VulnWatch and Full-Disclosure,
Secunia executives say. Company executives are upset with the
direction that BugTraq has taken since Symantec Corp. acquired
SecurityFocus last year.

"The problem with SecurityFocus is not that they moderate the lists,
but the fact that they deliberately delay and partially censor the
information," said Thomas Kristensen, chief technology officer of
Secunia, based in Copenhagen, Denmark. "Since they were acquired by
Symantec, they changed their policy regarding BugTraq. Before they
used to post everything to everybody at the same time. Now they
protect the interests of Symantec, delay information and inform
their customers in advance. This is a problem as only companies who
pay over $30,000 can get access to this information."

Unlike some other security lists, BugTraq is actively moderated and
therefore not every submission makes it onto the list.

Full-Disclosure, for instance, is only lightly moderated, meaning
that virtually all posts are approved and immediately sent to
subscribers.

SecurityFocus officials did not respond to a request for comment on
this story.

Secunia officials also take the CERT Coordination Center to task for
its policy of providing some organizations with advance notice of
vulnerability reports as part of a fee-based program in cooperation
with the Internet Security Alliance.

"At Secunia we feel that SecurityFocus has betrayed the community it
used to serve so loyally, that's why we started Secunia," said
Kristensen. "I believe that security information should be free, so
that administrators can patch their systems and software developers
can learn from the mistakes made by others."

Secunia is a provider of security services and tools.


-- 
"None are more hopelessly enslaved than those who falsely believe they are free." - Goethe
Emerson Tan: Occasional freelance purveyor of ideas.
et () c4i org : PGP public key on request or from http://pgpkeys.mit.edu 
PGP key fingerprint: 71E9 0C2A CD8F 44AC 4CA5  BB3D 09D4 0B6E 2734 DC72



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.