Slashdot Mirror


Gov't Vulnerability-Disclosure Program Draws Heat

AndreyF writes " Securityfocus.com reports: 'a long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems took effect Friday, but critics worry that it may do more harm than good.' The article discusses both sides of the PCII question, but leaves me wondering why the pro argument rests on my trusting large corporate CEO's to 'do the right thing.'"

12 of 101 comments

  1. Gotta love the government by segment · · Score: 4, Interesting
    to submit details about their physical and cyber vulnerabilities to a newly-formed office within the Department of Homeland Security, with legally-binding assurances that the information will not be used against them or released to the public.

    Geez I feel safe already. It's not like any teenager could break into a gov website or anything. Makes me warm and fuzzy inside. And in more "E"lated news... The US government announces the greatest terrorist to walk the planet... Mother Nature, and her Weather of Mass Destruction

  2. Only useful for gathering statistics by koody · · Score: 5, Interesting
    It seems to me that this will only be useful for statistical purposes. The legislation basically indemnifies the company from liability. Even if the company is asked to fix a problem, refuses, and is later attacked, no one can even point a finger at them if what the article says holds true.

    A key provision of the law bars the government from using the vulnerability information in any enforcement action against the company, or from using it as the basis for proposing new legislation or regulations on industry.[snip]

    Of course, the law wasn't intended as a shield for corporate negligence: information that comes to the government independently of the PCII reporting is still fair game.

    So if a company doesn't want to put any money into securing their computer infrastructure, they simply report that and the govt can't force them. When an attack occurs, the company will point at the govt and say that the govt knew that they "lacked the funds" or something to secure their comps.

    Incredible BS law, protecting companies and enabling them to assign the blame to others. Is this really what the government wanted to achieve with the law, or was this simply the result of corporate lobbying?

  3. money talks... by segment · · Score: 5, Interesting
    So here's my excerpt for the moment...
    ...

    WASHINGTON (CBS.MW) -- When individual Americans are accused of helping terrorists, they're thrown in jail and their names are dragged through the mud.

    But when major U.S. corporations are caught trading with the enemy, they get just a slap on the wrist from the government.

    In the past two weeks, the government has revealed that 57 companies and organizations have been fined for doing business with terrorists, despots and tyrants.

    ...

    Each year, the government investigates thousands of cases of U.S. individuals or companies for alleged violations of the Trading with the Enemy Act and other statutes and executive orders that restrict free trade. Each year, the government imposes millions of dollars in civil penalties and prosecutes 10 or so criminal cases.

    We know why the companies are silent about what they've done. No one wants to be associated in the public mind with torturers, thugs and murderers, even if it's profitable to be associated with them in private. The companies' explanations, when available, show that even the most enthusiastic supporter of sanctions can run afoul of the law through no malice on their part.

    Source

    You don't want to get into whistleblowers now. Most of the time they're ridiculed, even arrested, and sent to rot for coming clean.

  4. Re:Encourage? It should be Mandate by Agent Smart · · Score: 5, Interesting

    Mandate or not, the most serious vulnerabilities will be those that the company is ignorant of.

    If a company is aware of a serious vulnerability, and decides that it doesn't make business sense to correct, it has the option of making the government aware in order to limit the company's liability. Clever indeed.

  5. Excuse me, but .. by z0ink · · Score: 5, Interesting

    The last I heard funds are being tied up all over the place in the Dep't of Homeland Security. What makes them think they can, on a whim, create an organisation that would affect the security of systems nationwide? We need patches 0-second from the release of exploits at the rate things are going these days. Even though the government wouldn't be the one controlling the release of anything, wouldn't involving them and especially the DoHS put a big slowdown on the process? It seems many system admins patch only when they hear about it on the news. I wonder how long the gov't would wait before acknowledging that something is in fact a problem - unless of course somebody releases a Terrorist.B virus?

    --
    Steal This Sig
  6. Better yet, immediate disclosure with immunity by A nonymous Coward · · Score: 5, Interesting

    Corporations should be required to disclose all problems with their products and infrastructure as soon as they know about them, and given immunity for doing so. Failure to disclose problems immediately would drop the immunity. I am all for suing the pants off the bastards when they hide defects and cover up and it is only found out after deaths and accidents. Remember Ford Explorers and Bridgestone tires? Remember Ford overheating electronics causing fires in the engine compartment? Remember GM side saddle fuel tanks? etc etc. I have no problem with companies making mistakes, but they better disclose them as soon as they find out, not try to cover up.

    1. Re:Better yet, immediate disclosure with immunity by Skater · · Score: 4, Interesting

      At least two of the three examples you cited just reminded me of the media being out of control: they took a relatively minor problem and blasted it way out of proportion to whip up a frenzy.

      Explorers w/Bridgestone tires - have you ever seen how people drive SUVs? They drive them like they're sports cars. Except they aren't sports cars - they have a higher center of gravity. If you lose a tire at 80 mph, even in a sports car you're going to have problems; a vehicle with a higher center of gravity just makes it that much easier to roll it. Also, how many people do you know that religiously check their air pressure? Finally, I still haven't seen proof that those tires were actually systematically defective; please point me to evidence if you have some, because I like to follow these issues. (I'd really like to see rollover/death statistics for other SUVs compared to the Explorers, but I haven't seen that information yet.)

      GM Side Saddle fuel tanks - all I really remember about this issue is one of the networks rigging a demo with a small charge rather than having it explode on its own. That kind of detracted from the seriousness of the problem for me. Also, like the Corvair, those fuel tanks met the crash-safety standards in effect as of the time the vehicles with them were manufactured.

      --RJ

    2. Re:Better yet, immediate disclosure with immunity by bmwm3nut · · Score: 3, Interesting

      i know we're getting way off topic here, but i wanted to answer your bridgestone tire question:

      i don't have the sources right now - i'm too lazy to google. but i do remember from the time of the incident they looked at the same model year explorers that were sold with goodyear tires, and they didn't have any problems. also i remember some jeeps were sold with the same bridgestones and didn't have any blowout issues.

      if i remember correctly the problem was due to a couple of factors. for the batches of tires used firestone/bridgestone had used a faulty "glue" to attach the tread to the tire, and in combination with ford specifying a lower pressure (to make a more comfortable ride) the tires overheated and caused the glue to fail.

      but of course you're right, people don't know how to drive their SUVs right.

  7. Why you are to trust corporatists by no longer myself · · Score: 4, Interesting
    First of all, make no mistake that to the corporations and government, the average person is little more than a veal calf. You are merely a by-product of what they desire, and of course managing that takes time and energy away from them, so naturally they will regard the common citizen with a certain degree of contempt. After all, don't you feel a little ripped off when you have to pay your taxes? Corporatists feel a little ripped off when they have to share liberty and dignity with you. They regard themselves as the exceptional few, the elite, the haves. And the rest of you? Well... There you are.

    They keep you busy with jobs that require more time than brains. They keep you running on a treadmill for as many hours as possible. It disorients and distracts. It keeps your mind off the fact that you are slowly slipping and sliding down that slope. But keep breeding. They are going to need that population to stay high so they will have a never-ending resource of willing subjects.

    They rely on having large numbers of people, because when people become a scarce resource, the value of humanity increases. It's harder to control a person who has value, so the more idiots they can create, the less value the average, or even slightly above average person will have. It's only the privileged few that should enjoy life to the fullest, and a few token morons just for show, "See? Anyone can live like a king in America. So the problem is yours."

    So the corporatists have overtaken the government with layers of lobbyists. They have convinced the "elected" leaders that they have the nation's best interests at heart. They use you as a pawn, and they see the nuclear family as their greatest ad campaign. All that remains is to keep this little secret less than obvious.

    Keep them watching those sports channels, the so-called reality based TV, and the endless parade of entertainment provided by the cable TV and TiVo. It keeps them off the streets, and ensures that the rabble stay out from under their agenda. Turn up the noise, and keep them riveted to the latest episode of "Survivor". If they have a tech fetish, let them watch Star Trek knock-offs, but never again show anything that might force them to think.

    This technology we contrived does most of the work for us. But it's ingeniously engineered to have a drone standing over a mind-numbing machine for eight hours or more. This kills two birds with one stone: It keeps our standards artificially high, and keeps that drone occupied and out of our hair. If they don't like it, we'll start accusing them of being Luddites, and since the Luddites were destructive we can automatically associate and brand them with being vandals, and terrorists.

    Nice, neat, and easy to justify.

    OH LOOK! A TERROR THREAT! QUICK! BURY YOUR HEAD IN THE SAND! That's right... The big friendly corporate brother will take good care of you.

    That ought to shut them up for a while...

    Big business made this country what it is today. What will it turn this country into tomorrow?

    OK, I'm done. Burn my karma and send in the flaming AC trolls.

  8. Re:when doing the "right thing".... by Llyr · · Score: 4, Interesting
    Still want to run a piece of software that needs to be patched every so often ?

    Well, no. And according to the article, they may not have a choice; the agreement comes "with legally-binding assurances that the information will not be used against them". Presumably this would prevent not giving them future contracts on the basis of knowing that their previous work was crap, since at least they owned up to it. How anti-merit of them.

    So yes, multifold problems; the system maintainers are going to be very unhappy if they get frequent information about problems for them to deal with, and won't be able to do a thing about it. Sounds like a killer for whatever morale might be left.

    And of course, these systems could be in general public use as well, but the public couldn't be informed.

  9. Forget Vulnerability. by darkonc · · Score: 3, Interesting
    If this law is written right, it shouldn't give them any sort of vulnerability against prosecution. The burden of proof should be on the company to prove that the only way the information could have come to public / enforcement attention would have been a leak of PCII submissions.

    Even the PCII papers that a company compiles should not be subject to any sort of immunity... This is, generally, information that the company already has. The fact that this information has been compiled and/or submitted to the government doesn't provide any sort of real immunity -- especially if it is being used internally by the company for any other sort of purpose.

    The second that a PCII document is used for any sort of internal company purpose, whatsoever, then there should be absolutely no reason why the company copies should have any sort of special immunity on account of a copy having been sent to PCII.

    Some of the above will depend on how the law is written. The rest will depend on the first plaintiffs who come up against a PCII wall having really good lawyers.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.

  10. Re:Which computer language? by cshark · · Score: 3, Interesting
    This post is probably going to get modded down for redundancy but according to the article:

    "The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."

    Aren't viruses and worms created by hackers? Don't viruses and worms account for the vast majority of attacks against Windows servers?

    Sure, if you discount the majority of attacks against Windows systems, it suddenly becomes the most secure thing in the world.

    That exception makes me question the credibility of this study.

    But what do I know?

    --

    This signature has Super Cow Powers