Gov't Vulnerability-Disclosure Program Draws Heat
AndreyF writes "Securityfocus.com reports: 'a long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems took effect Friday, but critics worry that it may do more harm than good.' The article discusses both sides of the PCII question, but leaves me wondering why the pro argument rests on my trusting large corporate CEOs to 'do the right thing.'"
Does pretty much running all of the computers in the US count as being critical infrastructure? ;)
Moulton says a more effective approach would compel companies to report vulnerabilities to the government, and give the government the power to enforce reforms, or, alternatively, warn the public.
:-(
Since when do governments of any country inform the public when they don't absolutely have to? When was the last time you thought of your leaders as public *servants*?
No, I think a better alternative would have been to screw PCII and let public scrutiny (and reactions) dictate what the government and the critical facilities should do. But as always since the war-on-terror bullshit, the government passes laws behind people's backs, without any consultation and approval of the people they're meant to represent and serve. F#)(*%&g brilliant
One big concern is that the companies can get immunity (and public silence) if they 'fess up to the problems. Leakers of confidentially submitted information will be prosecuted, and the government will be on the hook, not the company. Except since nobody can leak it, the ones really on the hook for the problems are the people who will be depending on it.
Still, that could be the only carrot that might convince the big companies to actually admit to their failures.
Companies should be legally required to disclose vulnerabilities to government, with stiff penalties for failing to do so. It should also be made available via the Freedom of Information Act because we have a right to know that our information is being protected.
What's next? Microsoft doesn't disclose a vulnerability in SQL Server and the IRS database is leaked to hackers?
This is just one more reason why we need Open Source in government. The official in Peru who blasted Microsoft over closed source got it right. The citizens' right to information protection comes first, and this can only be achieved through Open Source software, where every citizen has the right to make sure their data is being handled properly.
Closed source products have no business in government (or really anywhere for that matter) and should be outlawed.
Have you read the GNU Manifesto lately?
[A] long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems...
You can find the vulnerabilities in my systems at http://www.debian.org/security/.
apt-get update
apt-get upgrade
Long live Schrodinger's cat...
"Closed source products have no business in government (or really anywhere for that matter) and should be outlawed."
:)
What an amazing quote. So typical of Slashdot, but with the well-presented argument it makes sense.
A key provision of the law bars the government from using the vulnerability information in any enforcement action against the company, or from using it as the basis for proposing new legislation or regulations on industry. [snip]
Of course, the law wasn't intended as a shield for corporate negligence: information that comes to the government independently of the PCII reporting is still fair game.
So if a company doesn't want to put any money into securing their computer infrastructure, they simply report that and the govt can't force them. When an attack occurs, the company will point at the govt and say that the govt knew that they "lacked the funds" or something to secure their comps.
Incredible BS law, protecting companies and enabling them to assign the blame to others. Is this really what the government wanted to achieve with the law, or was this simply the result of corporate lobbying?
Mandate or not, the most serious vulnerabilities will be those that the company is ignorant of.
If a company is aware of a serious vulnerability, and decides that it doesn't make business sense to correct, it has the option of making the government aware in order to limit the company's liability. Clever indeed.
The last I heard, funds are being tied up all over the place in the Dep't of Homeland Security. What makes them think they can, on a whim, create an organisation that would affect the security of systems nationwide? We need patches 0-second from the release of exploits at the rate things are going these days. Even though the government wouldn't be the one controlling the release of anything, wouldn't involving them, and especially the DoHS, put a big slowdown on the process? It seems many system admins patch only when they hear about it on the news. I wonder how long the gov't would wait before acknowledging that something is in fact a problem - unless of course somebody releases a Terrorist.B virus?
Corporations should be required to disclose all problems with their products and infrastructure as soon as they know about them, and given immunity for doing so. Failure to disclose problems immediately would drop the immunity. I am all for suing the pants off the bastards when they hide defects and cover up and it is only found out after deaths and accidents. Remember Ford Explorers and Bridgestone tires? Remember Ford overheating electronics causing fires in the engine compartment? Remember GM side saddle fuel tanks? etc etc. I have no problem with companies making mistakes, but they better disclose them as soon as they find out, not try to cover up.
I thought we were supposed to NOT comment on security flaws...
>>Companies should be legally required to disclose vulnerabilities to government
> Uhh that's what security lists are for.
That's what they're for, but the majority of exploits are found first by people *outside* of companies. And Microsoft really wants you to tell them first, give them 30 days to work on it, and then finally tell everyone else about it. While I can understand the desire to "minimize damages", the truth is the fastest way to minimize damages is to *stop* using vulnerable software. Waiting 30 days or more to tell people there's a problem isn't helping anyone.
Do you think that small corporate CEOs are more honest? What do you have against fat people anyway!?
Frankly I would consider the release of any information to the Government to be a vulnerability in itself.
If it happens on my premises or to a computer or system under my care, I consider my priorities to be to my company, my employer, and my employer's/company's clients: to resolve, repair, and restore systems to regular operation as quickly as possible rather than gathering evidence and making reports to the Government.
And yes, I have had a hacked system under my care and control. We discovered it, the issue was resolved, and the system was restored and put back into service. About two months later our network provider did forward an email from an FBI office stating that that computer's IP number had turned up in the logs of a computer system they had seized from some suspected hacker. We were able to respond that we had discovered this activity and had erased, reformatted, and reinstalled the system in question and that the breach, if any, had been secured.
I can't imagine if I had to report this, hold the system in reserve and not have it in service for our clients for several months or longer for the Government. I understand this has already happened to another ISP hosting an IRC server, where the FBI seized all the computers in the facility so they could copy data.
It'll be funny when someone hacks in and steals a massive list of vulnerabilities.
I wouldn't trust the government to secure anything. It's actually kinda scary to think these people would have a massive collection of vulnerabilities nicely indexed with the targets - ripe and ready for malicious hackers to slurp up.
BTW, to those cooperating CEOs, I got a BARGAIN deal on the Brooklyn Bridge for ya! Gimme a shout!
For an organisation intent on doing some kind of harm, this system makes a very good target. Rather than having to try and "find" all these security flaws in the critical infrastructure I can go to one place and they are all served up on a silver platter. So who looks after this?
I know it's kind of trite, but who is going to guard the guards and ensure they are taking care of this ultra sensitive information? Who is going to audit the government infrastructure to ensure that it is secure and not vulnerable?
I know risk management strategies are generally based around the choices of accept, transfer or mitigate risk, but this really seems to be purely blind transference of risk with no understanding as to the capabilities of the recipient to properly manage or account for that risk.