Slashdot Mirror
Gov't Vulnerability-Disclosure Program Draws Heat
AndreyF writes " Securityfocus.com reports: 'a long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems took effect Friday, but critics worry that it may do more harm than good.' The article discusses both sides of the PCII question, but leaves me wondering why the pro argument rests on my trusting large corporate CEO's to 'do the right thing.'"
Moulton says a more effective approach would compel companies to report vulnerabilities to the government, and give the government the power to enforce reforms, or, alternatively, warn the public.
:-(
Since when do governments of any country inform the public when they don't absolutely have to? when was the last time you thought of your leaders are public *servants*?
No, I think a better alternative would have been to screw PCII and let public scrutiny (and reactions) dictate what the government and the critical facilities should do. But as always since the war-on-terror bullshit, the government passes laws behinds people's back, without any consultation and approval of the people they're meant to represent and serve. F#)(*%&g brilliant
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
One big concern is that the companies can get immunity (and public silence) if they 'fess up to the problems. Leakers of confidentially submitted information will be prosecuted, and the government will be on the hook, not the company. Except since nobody can leak it, the ones really on the hook for the problems are the people who will be depending on it.
Still, that could be the only carrot that might convince the big companies to actually admit to their failures.
Companies should be legally required to disclose vulnerabilities to government, with stiff penalties for failing to do so. It should also be made available via the Freedom of Information Act because we have a right to know that our information is being protected.
What's next? Microsoft doesn't disclose a vulnerability in SQL Server and the IRS database is leaked to hackers?
This is just one more reason why we need Open Source in government. The official in Peru who blasted Microsoft over closed source got it right. The citizen's right of information protection comes first and this can only be achieved through Open Source software, where every citizen has the right to make sure their data is being handled properly.
Closed source products have no business in government (or really anywhere for that matter) and should be outlawed.
Have you read the GNU Manifesto lately?
"Closed source products have no business in government (or really anywhere for that matter) and should be outlawed."
:)
What an amazing quote. So typical of slashdot, but with the well presented arguemnt it makes sense.
The big CEO's tell the government what to do anyway, so any program that appears to put the government in charge merely conceals the truth.
Companies should be legally required to disclose vulnerabilities to government Uhh that's what security lists are for. Just look at the recent securityfocus rantings about MS taking 6 months for a patch, because the vuln was in development. So what can you really blame MS when, sure they did disclose it when their engineers pinpointed it. That would be unfair to any vendor. Just look at private exploits, what would you say about that?
It should also be made available via the Freedom of Information Act because we have a right to know that our information is being protected. Good luck. Hell if non top-secret energy documents are kept from the public, you should know that they'll throw a "We're protecting the infrastructure from terrorists... Even mother nature (sorry I can't get over the mother nature humor)
MoFscker
Yes, I read that link a while ago. I was struck by how much SENSE it made, given the logic presented in the letter published by Toledo's government. This is inline with Israel's policy as of late to stop purchasing closed source software, such as that made by MSFT.
I thought we were supposed to NOT comment on security flaws...
>>Companies should be legally required to disclose vulnerabilities to government
> Uhh that's what security lists are for.
That's what they're for, but the majority of exploits are found first by people *outside* of companies. And Microsoft really wants it that you tell them first, give them 30 days to work on it, then finally tell everyone else about it. While I can understand the want to "minimize damages", the truth is the fastest way to minimize damages is to *stop* using vulnerable software. Waiting 30 days or more to tell people there's a problem isn't helping anyone.
Eurohacker European paranoia, gun rights, and h
Being on the inside, I understand, but I have to say I disagree. Re-electing those two would do enough damage to USA and Europe on it's own. Look where we are now! How long do you honestly think it will be before the squishing foot of the Patriot Act and the Ashcroftian menace causes the people to revolt? I just hope we do it by election and not violence.
You are not the customer.
I see suggestions that corporations should be held responsible for security vulnerabilities.
Apart from offering yet an other US inspired opportunity for a lawyer led sue fest the idea is appalling.
If corpoartions are 'responsible' for security then they will be required to have ' due dilligence'
What does 'due dilligence' entail - perhaps a pre-emptive strike by Mcdonalds against animal liberationists ?
A utility finds that it's IT staff and engineers all live clustered in a particular location. A bio or nuclear incident that affected the cluster location leaving them incapable of operating. How do they respond ? A security directorate for risk evaluation ?
Corporate responsibility for security is a dangerous slippery slope. It provides not just justification but will inevitably lead to the compulsion for corporations to set up the kind of "security/intelligence apparatus" that goverments have trouble keeping in control.
If I have to be spied on because of some "threat analysis" please let it be caused by Clinton/Bush subject to congressional oversight not by the board of Enron.
Frankly I would consider the release of any information to the Government to be a vulnerability in itself.
If it happens on my premises or to a computer or system under my care I consider my priorities to be to my company, my employer, and to my employer's/company's clients to as quickly as possible resolve, repair, and restore systems to regular operation rather than gathering evidence and making reports to the Government.
and yes, I have had a hacked system under my care and control that we discovered, the issue was resolved, the system restored and put back into service. About two months later our network provider did forward an email from an FBI office stating that that computer's IP number had turned up in the logs of a computer system they had seized from some suspected hacker. We were able to respond that we had discovered this activity and had erased, reformatted, and reinstalled the system in question and that the breach, if any, had been secured.
I can't imagine if I had to report this, hold the system in reserve and not have it in service for our clients for several months or longer for the Government. I understand this has already happened to another isp hosting an IRC server where the FBI has seized all the computers in the facility so they can copy data.
I just hope we do it by election and not violence.
The problem is that the guy most likely to run against Bush is "Bush Lite". The stagnation and misery will continue unabated(?), but people won't react because they'll think that with Bush out of office things will eventually get better, but it won't, and the anger cycle will continue. In my lifetime this has been going on since Kennedy died.(he wasn't in office long enough to prove that he, too was probably a corporate stooge)
What?
No, they would have to include source or information for all the services they are running.
Most of the exploits to Linux-based systems happen at the application level rather than kernel.
The unofficial
Take, choosing a company totally at random, say... Diebold.
Think they would "do the right thing?"
Those companies with the biggest vulnerabilities and the most depending on their security would have the least incentive to report their issues, and probably are the least likely to have to ethical fortitude to do it, given the choice.
(Yes, there is an assumption hidden in there: critical sw with major security flaws, which linger for years without being resolved, is a certain indication of ethical laxness.)
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
It'll be funny when someone hacks in and steals a massive list of vulnerabilities.
I wouldn't trust the government to secure anything. It's actually kinda scary to think these people would have a massive collection of vulnerabilities nicely indexed with the targets - ripe and ready for malicious hackers to slurp up.
BTW, to those cooperating CEO's, I got a BARGAIN deal on the Brooklyn Bridge for ya! Gimme a shout!
So, they put the e-mail address for
submission on the webpage: pcii-info@dhs.gov
No doubt, some spam bots are now gathering it,
and some anti-Homeland wrong-thinkers are going
to make sure that address gets a double dose of
spam (and more).
This will effectively make their e-mail submission
system unusuable. This leaves only mail and
'controlled' mail submission (commercial carrier,
UPS, FedEx, etc.)
How will this delay affect the program?
For an organisation intent on doing some kind of harm, this system makes a very good target. Rather than having to try and "find" all these security flaws in the critical infrastructure I can go to one place and they are all served up on a silver platter. So who looks after this?
I know it's kind of trite, but who is going to guard the guards and ensure they are taking care of this ultra sensitive information? Who is going to audit the government infrastructure to ensure that it is secure and not vulnerable?
I know risk management strategies are generally based around the choices of accept, transfer or mitigate risk but this really seems to be purely blind transferance of risk with no understanding as to the capabilities of the receipient to properly manage or account for that risk.
First of all, make no mistake that to the corporations and government, the average person is little more than a veal calf. You are merely a by-product of what they desire, and of course managing that takes time and energy away from them, so naturally they will regard the common citizen with a certain degree of contempt. After all, don't you feel a little ripped off when you have to pay your taxes? Corporatists feel a little ripped off when they have to share liberty and dignity with you. They regard themselves as the exceptional few, the elite, the have's. And the rest of you? Well... There you are.
This is one of the most amusing posts I've read in a while...;) So, I wanted to respond...
To governments the "average person" is a tax payer and a voter; to corporations, he's a customer. I cannot see that governments which levy taxes by decree, and enforce tax collection at the point of a gun, and routinely spend far more money annually than they collect in taxes by running up huge debts which will be paid by future generations are any better than corporations who compete among themselves to offer the "average person" a wide choice of goods and services, which are available to the average person on a completely voluntary, elective basis. In other words, I don't have to ever buy a GM car if I choose not to--but try that trick with the government where your taxes are concerned...;) The government won't sieze your property and put you in jail if you don't vote, however--that only happens if you decide to "opt out" on your taxes...:)
The other logical fallacy I see in your comment here is that "government" and "corporations" employ hundreds of millions of exactly the kind of "average people" you describe. We use abstract expressions like "government" and "corporations" to describe the *people* who administer them. Without those people the abstractions have no meaning.
Are you saying that we need to abolish governments and corporations? If so, what comes next?..;)
So the corporatists have overtaken the government with layers of lobbyists. They have convinced the "elected" leaders that they have the nations best interests at heart. They use you as a pawn, and they see the nuclear family as their greatest ad campaign. All that remains is to keep this little secret less than obvious.
You might like to think of what it is that these lobbyists use in their "convincing"...;) It's often money, isn't it? The problem for your analogy here, too, is that it overlooks the difference between what is voluntary and what is not. All corporations do not lobby, and all elected officials do not compromise their integrity by improperly capitulating to lobbyists. So in that sense it might be more accurate for you to say that "The government is overrun by greedy politicians who allow themselves to be improperly influenced by lobbyists."
Keep them watching those sports channels, the so-called reality based TV, and the endless parade of entertainment provided by the cable TV and TiVo. It keeps them off the streets, and ensures that the rabble stay out from under their agenda. Turn up the noise, and keep them riveted to the latest episode of "Survivor". If they have a tech fetish, let them watch Star Trek knock-offs, but never again show anything that might force them to think.
You might not be aware of it, but watching TV is entirely voluntary...:) I hate much of it personally, and rarely watch anymore. Unlike the compulsion the government uses to collect taxes, no one who doesn't want one has to own a TV, let alone watch it. What I get from your remarks is that you apparently watch way too much TV yourself--so do what I do--don't watch TV and do something else instead.
This technology we contrived does most of the work for us. But it's ingeniously engineered to have a drone standing over a mind-numbing machine for eight hours or more. This kills two birds with one stone: It keeps our standards artificially high, and keeps that drone occupied
Like the other poster says, the same tires on other SUVs were ok, and Explorers with other tires were ok ... and their internal memos show they knew of the problem and tried to cover it up. Ditto for the engine compartment electronics overheating and causing fires: some bean counter actually wrote a memo saying it was cheaper to get sued a few times than to spend $4 per vehicle to fix the design. And again ditto for the side saddle fuel tanks; more internal memos showing a cover up.
What frustrates me so much is that it really is in their best interest to cover up, since if they disclose the flaw by redsigning it, they get sued anyway. The legal system makes no allowance for honest mistakes. That's what I propose, to provide indemnity if mistakes are admitted publicly and immediately, and throw the book at them for covering up problems.
Infuriate left and right
The other logical fallacy I see in your comment here is that "government" and "corporations" employ hundreds of millions of exactly the kind of "average people" you describe. We use abstract expressions like "government" and "corporations" to describe the *people* who administer them. Without those people the abstractions have no meaning.
True. "Of the people, by the people, for the people". But the same could be said of communist China. Those people are assumed to be living under an extremely oppressive government. It shows no signs of weakening. Are they just a collection of evil people? Or the victims of horrible misguidance? Even if they're being forced at gunpoint, somebody has to be willing to hold that gun.
Are you saying that we need to abolish governments and corporations? If so, what comes next?..;)
No... I would not suggest that governments or corporations should be removed. I'm suggesting that people look deeper into the motivations of their government, and (probably more dangerously) take a stronger stance against corperations that should lobby in self-interest to the detriment of living independently from corporations. It may be hard to comprehend this idea, but a corporation works very hard to make you afraid to think it even possible to live without them. Could you live without Microsoft? What if Boeing didn't exist? GM? Granted, we live in a world where they do, but there's the rub. These are a few of the companies that would prefer if legislators would just take their wise counsel without question, and prescribe new laws to allow them to operate unfettered. People need to realize they can affect real control of these situations in spite of the money involved, but it takes a little incitefulness to get them motivated. ;-)
You might like to think of what it is that these lobbyists use in their "convincing"...;) It's often money, isn't it? The problem for your analogy here, too, is that it overlooks the difference between what is voluntary and what is not.
Voluntary is subjective. A despot with a gun can ask a group of people who wants to "volunteer" to be shot in the head. But I'd like to walk into my local department store and voluntarily buy a pair of leather athletic shoes made in the USA. Certainly if you want to make your point you can still find companies out there that make such shoes in this country (I'm hoping at least...), but most of the time I'm stuck with only the "made in China" option because the American made counterpart doesn't seem to exist in my neighborhood, and no one seems to care. The "shoes" analogy is just a single generic example. There are too many of these types of scenarios.
You might not be aware of it, but watching TV is entirely voluntary...:) I hate much of it personally, and rarely watch anymore. Unlike the compulsion the government uses to collect taxes, no one who doesn't want one has to own a TV, let alone watch it. What I get from your remarks is that you apparently watch way too much TV yourself--so do what I do--don't watch TV and do something else instead.
Actually, I watch very little television. I derive my knowledge about television from conversations I have with the people around me, and the occasional glance when I visit them in their homes. While it is true that TV is completely voluntary, it seems to have the same effect upon the masses as opiates. People get so addicted it's impossible to hold conversations without them mentioning, "Did you see last night's 'Survivor'?" Sadly you can't just tell people not to watch so much TV... You'd sooner talk a crack addict out of their junk.
By way of example: be sure and wake me when Microsoft is able to haul the DOJ into court and break it up...;)
Oh that was precious! I'll do that, and you can wake me when the DOJ can actually manage to break up Microsoft. ;-D
Again, thank you for the response. It was a rare pleasure! :-)
Umm, surveillance isn't necessarily illegal. Of course not, but when you're using ECHELON for profit where do you draw the line? It's nothing new for countries to spy on each other, it's why diplomats are often kicked out of countries for so called 'parking violations', everyone in the intel community knows that. I've read numerous documents on intelligence, and many top ranking officials sum it up as playing chess with your enemy one minute (literally playing chess), the getting back to work to an extent.
On a strictly legal basis, the legality of the war isn't clear. If you're to use the excuse, "to prevent an illegal act" you should be pretty sure it is actually illegal. We wouldn't want to use /. as a forum for this, so let's leave it at what I'm inferring from you, that no one pushed an illegal war. Everyone did all that was possible, and looked at all the ties.
Like many others engaged in civil disobedience. They choose to defy what they think is a bad law by breaking it. In and of itself, civil disobedience doesn't mean you're right. I can gather from your post you know your history, so why didn't it sink in that the world revolutionizes itself via some form of disobedience, whether via anarchy, or civil war. I applaud Ms. Gun (not to leave out she's cute) for coming clean on what she believed in. I argue points politically everyday, and say/do what I believe is right, what morally feels right. Before I say something/post something on my site I think it through thoroughly and add IN YOUR FACE headlines to grab attention. Am I wrong for fighting/saying what's on my mind? For instance I threw together two interesting cases (Downed spy plane) on my about page concerning a situation, with an explanation of my site. I really try to look at things from both sides, hell go through some of my -1 posts and you would swear I worked at MS even though I use solaris. Mrs. Gun acted on her intuition on what she viewed as an illegal act, and you know what, as the s**t is now hitting the fan, what's happening is a media scrub-down, anyone with common sense can see this.
I'm sure that members of the KKK think what they are doing is the right thing to do. Ever occur to you that the majority of klansters are groomed into this? There is a difference here. They're conditioned to be that way (read classical conditioning on any psychology based site) so you're comparing apples and oranges.
MoFscker
Jack: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Single Serving Friend: Are there a lot of these kinds of accidents?
Jack: You wouldn't believe.
Single Serving Friend: Which car company do you work for?
Jack: A major one.
"Sic Semper Tyrannosaurus Rex."
when was the last time you thought of your leaders are public *servants*?
I think a better question is, when was the last time *they* thought of themselves as public servants?
Forget thrust, drag, lift and weight. Airplanes fly because of money.
I don't understand why Schmidt is saying that casual conversations are the only way the government gets information, nor why he seems to imply that the government has to coax them into giving up the information. There's another simple solution to the problem:
"If you are considered "critical infrastructure", failure to report security vulnerabilities to the appropriate agencies is a Federal crime punishable by a prison term of no less than 10 years for the managers responsible for the vulnerable systems and all executives who knew of the failure to report and failed to correct it. Interfering with the reporting process is punishable by a similar prison term for all persons responsible for the interference. Failure to correct the vulnerabilities when correction is possible, or to mitigate them to the greatest extent possible if they cannot be corrected, will result in the government immediately rearranging things so that you are no longer part of the "critical infrastructure"."
If we need to protect the critical infrastructure as much as the politicians say we do then I see no reason to treat the corps with kid gloves, and if we can tolerate those vulnerabilities not being fixed then obviously the threat to that infrastructure can't be that great now can it?
> Are you saying that we need to abolish governments
> and corporations? If so, what comes next?..;)
Maybe he's suggesting that both should be smaller.
http://www.johntaylorgatto.com/underground/
The link above explains what we had before big government/big corporations, and explains how some of the early big corporations designed the school system (yes, the one you send your children to) to create compliant people.