Slashdot Mirror


Schneier Discusses Ethics of Crypto PR Tactics

vaxzilla writes "There's a really great article in Bruce Schneier's January 15th CRYPTO-GRAM newsletter. He questions the ethics of various security companies who use announcements of security problems to bolster the sales of their products and services. When I read the recent articles talking about the weakness of the current web browsers, I pretty much thought, "Yeah, so what?" But nCipher looks to be pushing the hype to help push their product. The article is worth reading. "

15 of 54 comments

  1. Hmm, sounds familiar by Anonymous Coward · · Score: 3
    A couple of hours ago Bruce Schneier's Cryptogram reported an old "publicity stunt". This was a follow-up to a poll on SecurityFocus.com which said that security companies over-exaggerate the importance of having secure systems. This is borne out by companies like cdUniverse who ignore these gimmicks, and rightly so.

    The person Bruce Schneier demonstrated that stories that aren't headline-grabbing tend to get ignored, and that the best way to publish your research is to do it quietly without any reward. Bruce Schneier's Cryptogram talked of a "blatant attempt ... to get some free publicity". Huh? Why is this news? It's not the fact that we aren't all aware of advertising. That's obvious, companies have to do it. It's not the fact that Bruce Schneier was running out of things to say. That's obvious, too. It's not the news that companies that sell anti-virus solutions (that scan for competitors products) want to sell their products. We've seen dozens of these attacks in 1999. But wait ... Bruce Schneier sells a solution to the same problem that nCipher does. Okay, now I understand.

    I call this kind of thing a publicity attack. It's a blatant attempt by Bruce Schneier to influence thousands of people against buying hardware crypto, and instead relying on "security professionals" to provide an "integrated and adaptive set of information security services". You don't want a secure webserver where the keys can't be compromised. You want a comprehensive assessment of your information security environment and tailored, integrated intrusion detection. It's a blatant attempt by Bruce Schneier to remind us all that he is the foremost authority on cryptography, information security and writing security bulletins (forget Fred Cohen!), and to scare e-commerce vendors into not purchasing other solutions. And people fall for this, again and again.

    This kind of thing is happening more and more, and I'm getting tired of it. Here are some more examples:
    * Follow the Money (Score 3) by DreamerFi basically restates Bruce Schneier's last sentence.
    * Zigg asks Bruce Schneier to "preach on, brother"
    * okay, I'm bored, but you get the point

    Now this is not meant to be a total troll, just to remind you of what Bruce Schneier was trying to say.

    And above all - never trust anybody.

    ---
    My employer is not responsible for anything I say here.

  2. Bruce's Allegations About Me by Anonymous Coward · · Score: 4

    I wrote the New York Times article that Bruce attacks in his CryptoGram. His piece would have been fairer if he had mentioned the fact that the NYT article explores the ethical quandaries of the nCipher attack. I discussed, _at length_, whether nCipher's announcement amounted to blackmail and I reported, _at length_, about their responses. I asked all of these questions weeks ago and printed their explanation, which I thought was rather reasonable. They felt that publicizing the details was more ethical than keeping silent. It's also important to realize that there was something NEW in what they reported. They had implemented their key finding attack and coupled it with a number of standard hacks around the memory protection schemes of major OSs. You might argue that there's nothing novel about a frightening practical demonstration of a theoretical concept, but I want you to try that argument out on the folks from Hiroshima and Nagasaki first. Anyone can check this out for themselves. Alas, I can't give you the exact URL because I'm at the RSA conference. But if you go to www.nytimes.com and log in (sigh), actually find the search screen (sigh), and search for past documents containing the word nCipher, you'll be able to read it. Feel free to write me if you have any concerns or thoughts on this matter. Peter Wayner pcw@flyzone.com pwayner@nytimes.com

  3. Food for thought by jd · · Score: 3
    I'll agree that nCipher's tactics are questionable in the extreme, and that the "solution" suggested offers more to nCipher's accountants than to their customers.

    However, I think that the underlying threat has a measure of validity, too. Insecure memory does leave the door open to a lot of potential vulnerabilities. (Actually, IMHO, nabbing the key as it goes through is probably the least of these.)

    IMHO, it's important to see where a security company is using scare tactics, but it's also important not to dismiss the tiny (sometimes infinitesimal) kernel of truth that's in there, in the process of throwing away the lies.

    (Sometimes it's just so much easier to throw away everything, but if that leads you away from something important, it might be worth spending the extra time and effort.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
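
    The "key finding attack" Peter Wayner mentions in comment 2, and the "nabbing the key as it goes through" insecure memory that jd refers to above, both rest on one observation: key material looks different from everything else in a process image. It is high-entropy and it is not text. The block below is an added illustration of that generic technique, not code from this page, from nCipher, or from Schneier's newsletter. The memory image, the key bytes, the 32-byte window and the entropy and printable-ratio thresholds are all constructed for the example.

```python
import math
from collections import Counter

WINDOW = 32              # bytes; the size of a 256-bit key, assumed for this example
ENTROPY_THRESHOLD = 4.6  # bits per byte; 32 distinct bytes score exactly 5.0
MAX_PRINTABLE = 0.9      # windows that are almost entirely text are skipped

# Constructed "secret key": 32 distinct bytes from an affine sequence, chosen so
# its entropy is known (5.0 bits/byte) and the scan result is deterministic.
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(32))


def byte_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def printable_ratio(chunk: bytes) -> float:
    """Fraction of bytes that are printable ASCII (or tab/CR/LF)."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in chunk) / len(chunk)


def find_key_candidates(image: bytes, window: int = WINDOW,
                        threshold: float = ENTROPY_THRESHOLD,
                        max_printable: float = MAX_PRINTABLE):
    """Slide a window over a memory image and return [start, end) byte ranges
    whose windows are high-entropy and not mostly text.  Overlapping hits are
    merged, so a 32-byte key yields one region containing it rather than a
    separate offset for every window that touches it."""
    regions = []
    for off in range(len(image) - window + 1):
        chunk = image[off:off + window]
        if printable_ratio(chunk) >= max_printable:
            continue  # HTTP headers, HTML, log text: not a key
        if byte_entropy(chunk) < threshold:
            continue  # zeroed pages, padding, machine code: too regular
        end = off + window
        if regions and off <= regions[-1][1]:
            regions[-1][1] = end  # extend the current region
        else:
            regions.append([off, end])
    return [tuple(r) for r in regions]


def build_sample_image(key: bytes) -> bytes:
    """Constructed stand-in for a process memory dump: request text, zeroed
    pages, the key, some x86-looking prologue bytes, and more zeros."""
    text = b"GET /checkout HTTP/1.1\r\nHost: shop.example\r\n" * 4
    zeros = b"\x00" * 64
    code = bytes([0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10]) * 16
    return text + zeros + key + code + zeros


if __name__ == "__main__":
    image = build_sample_image(SAMPLE_KEY)
    for start, end in find_key_candidates(image):
        print(f"candidate key material at [{start}, {end}): "
              f"{image[start:end].hex()}")
```

    On the constructed image the scan reports a single region that contains the key and nothing inside the HTTP text or the zeroed pages. The region is a few bytes wider than the key on each side, because windows that overlap the key by 27 bytes or more still clear the threshold; in a real dump that is the point where an attacker starts trying each 32-byte alignment against known ciphertext. Note also that this is exactly the reason Royster's comment 6 holds: anyone who can read the process image this way can also read or replace whatever else is in it.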
  4. Media Ignorance => Hype. by The+Dodger · · Score: 3

    Basically what these companies are doing is taking advantage of the fact that the media, as a rule, are pretty clueless when it comes to technology in general, and security in particular.

    Many, many media outlets simply rehash the press releases they receive, either because they're ignorant and are trusting that the companies who produced them aren't being misleading, or through simple laziness. Unfortunately, companies like nCipher have begun to realise this, and that, by putting the right spin on a press release, they can achieve media exposure.

    It basically amounts to free advertising, and as long as media outlets (i.e. publications, websites, etc.) don't bother checking out the stories they print, it will continue.

    The way I've tried to deal with this is to offer media outlets the opportunity to bounce stories off me, before they print them. When I used to see a story like this, I would email the writer/journo and his editor, setting out what was wrong with the story and how they had been misled, quoting independent sources of information, etc. The key thing is to avoid flames. They just get deleted. Just be civil and polite, and offer to help them out.

    The only problem I've found is that you can end up getting quoted, so be sure to tell them that you don't want to be quoted, and point them towards other "experts" who can supply quotes.

    D.
    ..is for Debauched.

  5. Re:Bruce should write about himself by um...+Lucas · · Score: 3

    Maybe he genuinely feels that Twofish and/or Blowfish are sufficient alternatives to the already existing algorithms. Maybe it's his ego that gets boosted. And I don't know for sure, but after reading all of his articles, I would be surprised if he stood to make a dime from any implementation of his algorithms. Why? He's always pushed for royalty free, patent free cryptosystems, saying that since they already exist and work fine, there's no incentive for anyone to spend money licensing a new technology.

    So, yeah, his ego gets stroked a bit, and he's definitely sided with his algorithms in the AES submission process, but in the end his only motivation is for pride's sake, rather than blatantly chasing the dollar signs.

  6. The Real Problem... by Royster · · Score: 3

    is that someone who has the power to read arbitrary memory or server binaries/configs on disk has the power to replace the server with a trojan that (a) stores the secret information and then (b) calls the original server or (c) just reads the credit cards right out of the database. There ain't no hardware encryption solution that is going to protect you in that case. The "security vulnerability" which this supposedly reveals in order to sell their hardware, actually hurts them too. But you didn't read that in the article.

    --
    I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
  7. Historical anecdotes by LL · · Score: 3

    Back in the days when personal security safes were still new, the manufacturers would stage publicity stunts to discredit the competitors and promote their "superior" solution. So someone (e.g. Chubb) would go through a line of opposition safes, look through the keyhole, file a wooden substitute for the key, then unlock it in front of newspaper media (with the added bonus of cutting a notch off the wooden key then locking it so that the original key wouldn't work). As you could expect, the media hype and claims/counter-claims would rival anything happening in today's world of e-commerce and security scares. I just thank the gods that so far, it is still a tiny fraction of the world's economy and no really serious commercial system is exposed. Can you imagine the panic if somebody revealed they created and flogged/forged transfers of synthetic treasury bonds or currency exchanges? It is unfortunate that the customer bears the brunt of untried systems and the cost of replacement and, if history is any evidence, it will take some time for technology to stabilise and trust to develop.

    LL

  8. Re:A question by Muffhead · · Score: 3

    1. Check if it has already been found. Security Focus & the Bugtraq archives are a good place to start.

    2. If it is a new vulnerability notify the vendor responsible.

    3. Wait an appropriate amount of time (opinions vary on this part). If the vendor fails to respond, post the info, and the exploit if you have one, to Bugtraq or a similar list.

    4. If the vendor does release a patch/notice release your details as well.

    At no point should leaking it to the press to make a fuss be an issue. Full disclosure is a good thing, but in the appropriate forums. Some vendors are very cooperative & release patches (or at least a notification) very rapidly. Others never get around to addressing security holes.

  9. Not sure I agree by Hobbex · · Score: 4

    While I usually agree completely with everything that BS writes (and I was pleased to see that his first paragraph validated my Slashdot post in the nCipher string), I do think that he is being a little hypocritical about this subject. While the whole nCipher thing was obviously just "hacksationalism", it seems to me that the dividing line between cases where he is and isn't OK with publishing cracks depends completely on whether a party is making money or not.

    Ethics to the side, and as much as we all love being closet-Socialists here, capitalism is what makes our world go round. I wish all research could be funded for altruistic reasons, but in the real world the lure of profit IS often necessary. This is why we stand the fact that medical patents often keep poor people from being able to afford treatment; it's for the greater good of having the medicines developed at all.

    It might not be perfect to have companies researching for security holes so they can validate the sales of their products, but at least the holes are being found and published, which, IMHO, is a hell of a lot better than letting them linger until somebody who would rather use them than publish them finds them. Use Open Source and you can be sure you can patch around before the hackers hit you when the problem hits the press.

    I also see no mention in the article about BS's own new Internet security company, Counterpane Internet Security, and how he plans to change his behaviour now (though he points fingers at LOFT for doing the same). He might have discussed this before though.

    If anything, I think one of the biggest faulty parties here is Slashdot. A lot of journalists read this site, so when the editors post a story like the nCipher one, it does a great deal to spread it further. May I recommend that the /. staff consider taking a Cypherpunk onboard to weed through stories about such issues to make sure they are real and not just sensationalist.


    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  10. "Hackers, Crackers and Lamers" by GMontag · · Score: 3

    Schneier was interviewed for an upcoming documentary (working title is Hackers, Crackers and Lamers) and makes fantastic down-to-earth sense about the subject of ethics in just a few seconds of screen time. I hope he is in the finished product longer; I only saw an 11 min. promo.

    Release later this year I hope.

  11. Lack of experience in the media by 1984 · · Score: 4

    There's a critical problem with a general lack of security expertise in the media. It has led to an unfortunate slant 'on the side of safety', where anyone highlighting an apparent security problem is instantly believed.

    This is often regardless of credentials, and I've seen some journalists maintain a tenacious grip on a flawed notion of bad security because bad security makes a good story. Copy gets churned out that all too often recites doomsaying of the original source, without reference to any independent expertise.

    It's even worse when there's actually a story in there, but it isn't the story that they're choosing to write.

    Sensible, timely reporting of security issues, and penetrating questions aimed at those who seek to deflect them, are sensible and useful. Grabbing the latest 'see here security disaster!' hype isn't.

  12. Follow the Money by DreamerFi · · Score: 4

    What you should always keep in mind is Follow the Money when reading articles anywhere. Bruce makes this point very clear, but you should not limit this to cryptography. Always wonder who stands to benefit from an article.

    Including on Slashdot

    -John

  13. A question by JamesSharman · · Score: 4

    The author makes some valid points to the degree of contradicting himself. I would hope that most of the people on slashdot can spot posturing and sensationalizing when they see it.

    "I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again."

    Yes, nCipher didn't really point out anything new, yes it's a blatant attempt to get free publicity and yes it does stink of the whole virus scare thing we went through 10 years ago. However the issue here is where do you draw the line between a publicity stunt and genuinely alerting the world to a problem. I feel that just telling those with a responsibility to fix a problem is not the solution, as the writer correctly points out:

    "Of course, the downside is that these bugs get less attention from Microsoft and Netscape, even though they are as serious as many others that have received more press attention and thus get fixed quickly by the browser makers."

    However this causes a problem: if the only way of attacking a true problem is to make it public with all the fuss involved, how can you expect the public to tell the difference between this and someone grabbing for publicity? We may be able to tell the difference, but Joe Public is usually a little out of their depth when dealing with cryptography.

    What I would like to know is if you (the person reading this post) found a gaping security hole in something large like Explorer or Navigator, what would you do:

    • Just report it to the vendor.
    • Leak it to the press and make a fuss.
    • Work it into an exploit and make yourself rich
    • Something else.
    • Depends whose software it is.
  14. False Authority Syndrome by radish · · Score: 4

    As always, a great read from Bruce. Others have commented on this phenomenon, which seems very common in security/virus areas. Rob Rosenberger runs a great site called Virus Myths, which deals with all the "Good Times" stuff, as well as investigating other security stories, with the aim of getting rid of the hype and looking at the real story. He also has an article on what he calls False Authority Syndrome, basically the habit loved by certain parts of the media to totally believe someone because they assume them to be an "expert" on the subject. Essential reading...


    --

    ---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

  15. Bruce should write about himself by tens · · Score: 3

    I think Bruce should be pointing a huge finger at himself as well. We all know that encryption algorithms aren't considered even remotely secure until after a long period of time. Bruce recommends years in his AC (which is the way to go) but 4 MONTHS after releasing his Twofish he's pushing it to be included in all major encryption packages. Can you say OpenPGP for example? And what's the comment "(that's Twofish, the fastest AES submission)" about? He's mixing up his own interest just as much. I don't think Bruce is any better than nCipher or any of the other guys.