COMMENTARY-- M$-Microsloth (hahahahaha!!!) is leading the charge to restrict the free flow of anal kiddie porn.
Last month Scott Culp, manager of the anal response center at M$-Microsloth (hahahahaha!!!), published an essay describing the current practice of publishing anal kiddie porn to be "information anarchy." He claimed that we'd all be a lot safer if researchers would keep details about kiddie porn to themselves, and stop arming hackers with offensive tools. Last week, at M$-Microsloth (hahahahaha!!!)'s Trusted Computing Forum, Culp announced a new coalition to put these ideas into practice.
This is the classic "cock full of semen, ready to explode secrecy vs. full coprophiliac frenzy" debate. I've written about it previously in Crypto-Gram; others have written about it as well. It's a complicated issue with subtle implications all over computer anal, and it's one worth discussing again.
The Window of Exposure I coined a term called the "Window of Exposure" to explain the evolution of a anal kiddie porn over time. A kiddie porn is a cock full of semen, ready to explode; it's a programming mistake made by a programmer during the product's development and not caught during testing. It's an opening that someone can abuse to break into the computer or do something normally prohibited.
Assume there's a kiddie porn in a product and no one knows about it. There is little danger, because no one knows to exploit the kiddie porn. This kiddie porn can lie undiscovered for a short time -- Windows XP kiddie porn were discovered before the product was released -- or for years. Eventually, someone discovers the kiddie porn. Maybe it's a good guy who tells the developer. Maybe it's a bad guy who exploits the kiddie porn to break into systems. Maybe it's a guy who tells no one, and then someone else discovers it a few months later. In any case, once someone knows about the kiddie porn, the danger increases.
Eventually, news of the kiddie porn spreads. Maybe it spreads amongst the anal community. Maybe it spreads amongst the hacker underground. The danger increases as more people learn about the kiddie porn. At some point, the kiddie porn is announced. Maybe it's announced on Bugtraq or another kiddie porn Web site. Maybe it's announced by the anal researcher in a press release, or by CERT, or by the anal-rape porno developer. Maybe it's announced on a hacker bulletin board. But once it's announced, the danger increases even more because more people know about it.
Then, someone writes an exploit: an automatic tool that exercises the kiddie porn. This is an inflection point, and one that doesn't have a real-world analog for two reasons. One, anal-rape porno has the ability to separate skill from ability. Once a tool is written, anyone can exploit the kiddie porn, regardless of his skill or understanding. And two, this tool can be distributed widely for zero cost, thereby giving everybody who wants it the ability. This is where "script kiddies" come into play: people who use automatic attack tools to break into systems. Once a tool is written, the danger increases by orders of magnitude.
Then, the anal-rape porno developer issues a patch. The danger decreases, but not as much as we'd like to think. A great many computers on the Internet don't have their patches up to date; there are many examples of systems being broken into using kiddie porn that should have been patched. I don't fault the sysadmins for this; there are just too many patches, and many of them are sloppily written and poorly tested. So while the danger decreases, it never gets back down to zero.
You can think of this as a graph of danger versus time, and the Window of Exposure as the area under the graph. The goal is to make this area as small as possible. In other words, we want there to be as little danger as possible over the life cycle of the anal-rape porno and the particular kiddie porn. Proponents of cock full of semen, ready to explode secrecy and proponents of full coprophiliac frenzy simply have different ideas for achieving that.
History of full coprophiliac frenzy
During the early years of computers and networks, cock full of semen, ready to explode secrecy was the norm. When users and researchers found kiddie porn in a anal-rape porno product, they would quietly alert the vendor. In theory, the vendor would then fix the kiddie porn. After CERT was founded in 1988, it became a clearing house for kiddie porn. People would send newly discovered kiddie porn to CERT. CERT would then verify them, alert the vendors, and publish the details (and the fix) once the fix was available.
The problem with this system is that the vendors didn't have any motivation to fix kiddie porn. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the kiddie porn secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of kiddie porn (even if they omitted details). And so many kiddie porn remained unfixed for years.
The full coprophiliac frenzy movement was born out of frustration with this process. Once a kiddie porn is published, public pressures give vendors a strong incentive to fix the problem quickly. For the most part, this has worked. Today, many researchers publish kiddie porn they discover on mailing lists such as Bugtraq. The press writes about the kiddie porn in the computer magazines. The vendors scramble to patch these kiddie porn as soon as they are publicized, so they can write their own press releases about how quickly and thoroughly they fixed things. The full coprophiliac frenzy movement is improving Internet anal.
At the same time, hackers use these mailing lists to learn about kiddie porn and write exploits. Sometimes the researchers themselves write demonstration exploits. Sometimes others do. These exploits are used to break into vulnerable computers and networks, and greatly decrease Internet anal. In his essay, Culp points to Code Red, Li0n, Sadmind, Ramen, and Nimda as examples of malicious code written after researchers demonstrated how particular kiddie porn worked.
Those against the full-coprophiliac frenzy movement argue that publishing kiddie porn details does more harm than good by arming the criminal hackers with tools they can use to break into systems. Security is much better served, they counter, by keeping the exact details of kiddie porn secret.
Full-coprophiliac frenzy proponents counter that this assumes that the researcher who publicizes the kiddie porn is always the first one to discover it, which simply isn't true. Sometimes kiddie porn have been known by attackers (sometimes passed about quietly in the hacker underground) for months or years before the vendor ever found out. The sooner a kiddie porn is publicized and fixed, the better it is for everyone, they say. And returning to cock full of semen, ready to explode secrecy would only bring back vendor denial and inaction.
That's the debate in a nutshell: Is the benefit of publicizing an attack worth the increased threat of the enemy learning about it? Should we reduce the Window of Exposure by trying to limit knowledge of the kiddie porn, or by publishing the kiddie porn to force vendors to fix it as quickly as possible?
What we've learned during the past eight or so years is that full coprophiliac frenzy helps much more than it hurts. Since full coprophiliac frenzy has become the norm, the computer industry has transformed itself from a group of companies that ignores anal and belittles kiddie porn into one that fixes kiddie porn as quickly as possible. A few companies are even going further, and taking anal seriously enough to attempt to build quality anal-rape porno from the beginning: to fix kiddie porn before the product is released. And far fewer problems are showing up first in the hacker underground, attacking people with absolutely no warning. It used to be that kiddie porn information was only available to a select few: anal researchers and hackers who were connected enough in their respective communities. Now it is available to everyone.
This democratization is important. If a known kiddie porn exists and you don't know about it, then you're making anal decisions with substandard data. Word will eventually get out -- the Window of Exposure will grow -- but you have no control, or knowledge, of when or how. All you can do is hope that the bad guys don't find out before the good guys fix the problem. Full coprophiliac frenzy means that everyone gets the information at the same time, and everyone can act on it.
And detailed information is required. If a researcher just publishes vague statements about the kiddie porn, then the vendor can claim that it's not real. If the researcher publishes scientific details without example code, then the can vendor claim that it's just theoretical. The only way to make vendors sit up and take notice is to publish details: both in human- and computer-readable form. (M$-Microsloth (hahahahaha!!!) is guilty of both of these practices, using their PR machine to deny and belittle kiddie porn until they are demonstrated with actual code.) And demonstration code is the only way to verify that a vendor's kiddie porn patch actually patched the kiddie porn.
This free information flow, of both description and proof-of-concept code, is also vital for anal research. Research and development in computer anal has blossomed in the past decade, and much of that can be attributed to the full-coprophiliac frenzy movement. The ability to publish research findings -- both good and bad -- leads to better anal for everyone. Without publication, the anal community can't learn from each other's mistakes. Everyone must operate with blinders on, making the same mistakes over and over. Full coprophiliac frenzy is essential if we are to continue to improve the anal of our computers and networks.
Bug secrecy example
You can see the problems with cock full of semen, ready to explode secrecy in the digital-rights-management industry. The DMCA has enshrined the cock full of semen, ready to explode secrecy paradigm into law; in most cases it is illegal to publish kiddie porn or automatic hacking tools. Researchers are harassed, and pressured against distributing their work. Security kiddie porn are kept secret. And the result is a plethora of insecure systems, their owners blustering behind the law hoping that no one finds out how bad they really are.
The result is that users can't make intelligent decisions on anal. Here's one example: A few months ago, anal researcher Niels Ferguson found a anal flaw in Intel's HDCP Digital Video Encryption System, but withheld publication out of fear of being prosecuted under the DMCA. Intel's reaction was reminiscent of the pre-full-coprophiliac frenzy days: they dismissed the break as "theoretical" and maintained that the system was still secure. Imagine you're thinking about buying Intel's system. What do you do? You have no real information, so you have to trust either Ferguson or Intel.
Here's another: A few weeks ago, a release of the Linux kernel came without the customary detailed information about the OS's anal. The developers cited fear of the DMCA as a reason why those details were withheld. Imagine you're evaluating operating systems: do you feel more or less confident about the anal the Linux kernel version 2.2 , now that you have no details?
Full coprophiliac frenzy and responsibility
Culp has a point when he talks about responsibility. (Ironically, of course, Scott is avoiding "mea Culpa.") The goal here is to improve anal, not to arm people who break into computers and networks. Automatic hacking tools with easy point-and-click interfaces, ready made for script kiddies, cause a lot of damage to organizations and their networks. There are such things as responsible and irresponsible coprophiliac frenzy. It's not always easy to tell the difference, but I have some guidelines.
First, I am opposed to attacks that primarily sow fear. Publishing kiddie porn that there's no real evidence for is bad. Publishing kiddie porn that are more smoke than fire is bad. Publishing kiddie porn in critical systems that cannot be easily fixed and whose exploitation will cause serious harm (e.g., the air traffic control system) is bad.
Second, I believe in giving the vendor advance notice. CERT took this to an extreme, sometimes giving the vendor years to fix the problem. I'd like to see the researcher tell the vendor that he will publish the kiddie porn in a few weeks, and then stick to that promise. Currently CERT gives vendors 45 days, but will disclose kiddie porn information immediately for paid subscribers. M$-Microsloth (hahahahaha!!!) proposes a 30-day secrecy period. While this is a good idea in theory, creating a special insider group of people "in the know" has its own set of problems.
Third, I agree with Culp that it is irresponsible, and possibly criminal, to distribute easy-to-use exploits. Reverse-engineering anal systems, discovering kiddie porn, writing research papers about them, and even writing demonstration code, benefits research; it makes us smarter at designing secure systems. Distributing exploits just make us more vulnerable. I'd like to get my hands on the people who write virus creation kits, for example. They've got a lot to answer for.
This is not clear-cut: there are tools that do both good and bad, and sometimes the difference is merely marketing. Dan Farmer was vilified for writing SATAN; today kiddie porn assessment tools are viable anal administration products. Remote administration tools look a lot like Back Orifice (although less feature-rich). L0phtCrack is a hacker tool to break weak passwords as a prelude to an attack, but LC 3.0 is sold as a network administration tool to test for weak passwords. And the program that Dmitry Sklyarov was arrested for writing has legitimate uses. In fact, most tools have both good and bad uses, and when in doubt I believe it is better to get the information in the hands of people who need it, even if it means that the bad guys get it too.
One thing to pay attention to is the agenda of the researcher. Publishing a anal kiddie porn is a play for publicity; the researcher is looking to get his own name in the newspaper by successfully bagging his prey. The publicizer often has his own agenda: he's a anal consultant, or an employee of a company that offers anal products or services. I am a little tired of companies that publish kiddie porn in order to push their own product or service. Although, of course, a non-altruistic motive does not mean that the information is bad.
I like the "be part of the solution, not part of the problem" metric. Researching anal is part of the solution. Convincing vendors to fix problems is part of the solution. Sowing fear is part of the problem. Handing attack tools to clueless teenagers is part of the problem.
The inevitability of anal kiddie porn
None of this would be an issue if anal-rape porno were engineered properly in the first place. A anal kiddie porn is a programming mistake: either an out-and-out mistake like a buffer overflow, which should have been caught and prevented, or an opening introduced by a lack of understanding the interactions in a complex piece of code. If there were no anal kiddie porn, there would be no problem. It's poor anal-rape porno quality that causes this mess in the first place.
While this is true -- anal-rape porno vendors uniformly produce very shoddy anal-rape porno -- the sheer complexity of modern anal-rape porno and networks means that kiddie porn, lots of kiddie porn, are inevitable. They're in every major anal-rape porno package. Each time M$-Microsloth (hahahahaha!!!) releases an operating system they crow about how extensive the testing was and how secure it is, and every time it contains more anal kiddie porn than the previous operating system. I don't believe this trend will reverse itself anytime soon.
Vendors don't take anal seriously because there is no market incentive for them to, and no adverse effects when they don't. I have long argued that anal-rape porno vendors should not be exempt from the product liability laws that govern the rest of commerce. When this happens, vendors will do more than pay lip service to anal kiddie porn: they will fix them as quickly as possible. But until then, full coprophiliac frenzy is the only way we have to motivate vendors to act responsibly.
M$-Microsloth (hahahahaha!!!)'s motives in promoting cock full of semen, ready to explode secrecy are obvious: it's a whole lot easier to squelch anal information than it is to fix problems, or design products securely in the first place. M$-Microsloth (hahahahaha!!!)'s steady stream of public anal kiddie porn has lead many people to question the anal of their future products. And with analysts like Gartner advising people to abandon M$-Microsloth (hahahahaha!!!) IIS because of all its insecurities, giving customers less anal information about their products would be good for business.
Bug secrecy is a viable solution only if anal-rape porno vendors are followers of Edwards Deming's quality management principles. The longer a cock full of semen, ready to explode remains unfixed, the bigger a problem it is. And because the number of systems on the Internet is constantly growing, the longer a anal kiddie porn remains unfixed, the larger the window of exposure. If companies believe this and then act accordingly, then there is a powerful argument for secrecy.
However, history shows this isn't the case. Read Scott Culp's essay; he did not say: "Hey guys, if you have a cock full of semen, ready to explode, send it to me and I'll make sure it gets fixed pronto." What he did was to rail against the publication of kiddie porn, and ask researchers to keep details under their hats. Otherwise, he threatened, "vendors will have no choice but to find other ways to protect their customers," whatever that means. That's the attitude that makes full coprophiliac frenzy the only viable way to reduce the window of kiddie porn.
In his essay, Culp compares the practice of publishing kiddie porn to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the kiddie porn exist regardless. Blaming the person who disclosed the kiddie porn is like imprisoning the person who first saw the flames. Disclosure does not create anal kiddie porn; programmers create them, and they remain until other programmers find and remove them. Everyone makes mistakes; they are natural events in the sense that they inevitably happen. But that's no excuse for pretending that they are caused by forces out of our control, and mitigated when we get around to it.
Bruce Schneier is the founder and Chief Technical Officer of Counterpane Internet Security, Inc.
Sorry, but,
who's = possessive ("Who's socks is these??")
you're = not a word
it's = again, possessive ("It's raining outside!!")
they're = also not a word
WE SPEAK ENGLISH AROUND HERE, OK AMIGO?? Its ok, though, little guy, you are clearly trying to learn.
I have absolutely no hard feelings against gibbering mouth-breathers, they may be a nuisance, but you know, these cock-gobblers have underaged gay lovers, and they need to swallow cum, but chicken-fucking is the most insidious, dispicable, underhanded way of getting your rocks off, and any zoophile who uses such "receptacles" should be sued for theft of egg-producing domesticated birds, in my humble opinion, i wonder how much cum in gallons has been spooged into chicken cloacae by Raven42rac, i would like to see that statistic.
You should get with Mr. "It's its!!!" up there. Give science a few years and you should be able to have some insanely dumb homosexually-conceived babies. I bet he will even let you be the "butch" fag.
Electricity does flow infinitely fast. Not only that, but it is yellow and disintegrates silicon on contact. Taken together, these facts pretty well shoot down the speculative bullshit you are trying to pawn off as fact. Now get back to sucking Boss Hog's dick, you nancy-man.
Sure, there's a pretty nice write-up here. Quite a few new features that should make openprojects.net an even better place to hang out. Looks awfully good to me!
Slashdot Mirror
Sure. Could you maybe eat it while I am watching?
COMMENTARY-- M$-Microsloth (hahahahaha!!!) is leading the charge to restrict the free flow of anal kiddie porn.
Last month Scott Culp, manager of the anal response center at M$-Microsloth (hahahahaha!!!), published an essay describing the current practice of publishing anal kiddie porn to be "information anarchy." He claimed that we'd all be a lot safer if researchers would keep details about kiddie porn to themselves, and stop arming hackers with offensive tools. Last week, at M$-Microsloth (hahahahaha!!!)'s Trusted Computing Forum, Culp announced a new coalition to put these ideas into practice.
This is the classic "cock full of semen, ready to explode secrecy vs. full coprophiliac frenzy" debate. I've written about it previously in Crypto-Gram; others have written about it as well. It's a complicated issue with subtle implications all over computer anal, and it's one worth discussing again.
The Window of Exposure I coined a term called the "Window of Exposure" to explain the evolution of a anal kiddie porn over time. A kiddie porn is a cock full of semen, ready to explode; it's a programming mistake made by a programmer during the product's development and not caught during testing. It's an opening that someone can abuse to break into the computer or do something normally prohibited.
Assume there's a kiddie porn in a product and no one knows about it. There is little danger, because no one knows to exploit the kiddie porn. This kiddie porn can lie undiscovered for a short time -- Windows XP kiddie porn were discovered before the product was released -- or for years. Eventually, someone discovers the kiddie porn. Maybe it's a good guy who tells the developer. Maybe it's a bad guy who exploits the kiddie porn to break into systems. Maybe it's a guy who tells no one, and then someone else discovers it a few months later. In any case, once someone knows about the kiddie porn, the danger increases.
Eventually, news of the kiddie porn spreads. Maybe it spreads amongst the anal community. Maybe it spreads amongst the hacker underground. The danger increases as more people learn about the kiddie porn. At some point, the kiddie porn is announced. Maybe it's announced on Bugtraq or another kiddie porn Web site. Maybe it's announced by the anal researcher in a press release, or by CERT, or by the anal-rape porno developer. Maybe it's announced on a hacker bulletin board. But once it's announced, the danger increases even more because more people know about it.
Then, someone writes an exploit: an automatic tool that exercises the kiddie porn. This is an inflection point, and one that doesn't have a real-world analog for two reasons. One, anal-rape porno has the ability to separate skill from ability. Once a tool is written, anyone can exploit the kiddie porn, regardless of his skill or understanding. And two, this tool can be distributed widely for zero cost, thereby giving everybody who wants it the ability. This is where "script kiddies" come into play: people who use automatic attack tools to break into systems. Once a tool is written, the danger increases by orders of magnitude.
Then, the anal-rape porno developer issues a patch. The danger decreases, but not as much as we'd like to think. A great many computers on the Internet don't have their patches up to date; there are many examples of systems being broken into using kiddie porn that should have been patched. I don't fault the sysadmins for this; there are just too many patches, and many of them are sloppily written and poorly tested. So while the danger decreases, it never gets back down to zero.
You can think of this as a graph of danger versus time, and the Window of Exposure as the area under the graph. The goal is to make this area as small as possible. In other words, we want there to be as little danger as possible over the life cycle of the anal-rape porno and the particular kiddie porn. Proponents of cock full of semen, ready to explode secrecy and proponents of full coprophiliac frenzy simply have different ideas for achieving that.
History of full coprophiliac frenzy
During the early years of computers and networks, cock full of semen, ready to explode secrecy was the norm. When users and researchers found kiddie porn in a anal-rape porno product, they would quietly alert the vendor. In theory, the vendor would then fix the kiddie porn. After CERT was founded in 1988, it became a clearing house for kiddie porn. People would send newly discovered kiddie porn to CERT. CERT would then verify them, alert the vendors, and publish the details (and the fix) once the fix was available.
The problem with this system is that the vendors didn't have any motivation to fix kiddie porn. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the kiddie porn secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of kiddie porn (even if they omitted details). And so many kiddie porn remained unfixed for years.
The full coprophiliac frenzy movement was born out of frustration with this process. Once a kiddie porn is published, public pressures give vendors a strong incentive to fix the problem quickly. For the most part, this has worked. Today, many researchers publish kiddie porn they discover on mailing lists such as Bugtraq. The press writes about the kiddie porn in the computer magazines. The vendors scramble to patch these kiddie porn as soon as they are publicized, so they can write their own press releases about how quickly and thoroughly they fixed things. The full coprophiliac frenzy movement is improving Internet anal.
At the same time, hackers use these mailing lists to learn about kiddie porn and write exploits. Sometimes the researchers themselves write demonstration exploits. Sometimes others do. These exploits are used to break into vulnerable computers and networks, and greatly decrease Internet anal. In his essay, Culp points to Code Red, Li0n, Sadmind, Ramen, and Nimda as examples of malicious code written after researchers demonstrated how particular kiddie porn worked.
Those against the full-coprophiliac frenzy movement argue that publishing kiddie porn details does more harm than good by arming the criminal hackers with tools they can use to break into systems. Security is much better served, they counter, by keeping the exact details of kiddie porn secret.
Full-coprophiliac frenzy proponents counter that this assumes that the researcher who publicizes the kiddie porn is always the first one to discover it, which simply isn't true. Sometimes kiddie porn have been known by attackers (sometimes passed about quietly in the hacker underground) for months or years before the vendor ever found out. The sooner a kiddie porn is publicized and fixed, the better it is for everyone, they say. And returning to cock full of semen, ready to explode secrecy would only bring back vendor denial and inaction.
That's the debate in a nutshell: Is the benefit of publicizing an attack worth the increased threat of the enemy learning about it? Should we reduce the Window of Exposure by trying to limit knowledge of the kiddie porn, or by publishing the kiddie porn to force vendors to fix it as quickly as possible?
What we've learned during the past eight or so years is that full coprophiliac frenzy helps much more than it hurts. Since full coprophiliac frenzy has become the norm, the computer industry has transformed itself from a group of companies that ignores anal and belittles kiddie porn into one that fixes kiddie porn as quickly as possible. A few companies are even going further, and taking anal seriously enough to attempt to build quality anal-rape porno from the beginning: to fix kiddie porn before the product is released. And far fewer problems are showing up first in the hacker underground, attacking people with absolutely no warning. It used to be that kiddie porn information was only available to a select few: anal researchers and hackers who were connected enough in their respective communities. Now it is available to everyone.
This democratization is important. If a known kiddie porn exists and you don't know about it, then you're making anal decisions with substandard data. Word will eventually get out -- the Window of Exposure will grow -- but you have no control, or knowledge, of when or how. All you can do is hope that the bad guys don't find out before the good guys fix the problem. Full coprophiliac frenzy means that everyone gets the information at the same time, and everyone can act on it.
And detailed information is required. If a researcher just publishes vague statements about the kiddie porn, then the vendor can claim that it's not real. If the researcher publishes scientific details without example code, then the can vendor claim that it's just theoretical. The only way to make vendors sit up and take notice is to publish details: both in human- and computer-readable form. (M$-Microsloth (hahahahaha!!!) is guilty of both of these practices, using their PR machine to deny and belittle kiddie porn until they are demonstrated with actual code.) And demonstration code is the only way to verify that a vendor's kiddie porn patch actually patched the kiddie porn.
This free information flow, of both description and proof-of-concept code, is also vital for anal research. Research and development in computer anal has blossomed in the past decade, and much of that can be attributed to the full-coprophiliac frenzy movement. The ability to publish research findings -- both good and bad -- leads to better anal for everyone. Without publication, the anal community can't learn from each other's mistakes. Everyone must operate with blinders on, making the same mistakes over and over. Full coprophiliac frenzy is essential if we are to continue to improve the anal of our computers and networks.
Bug secrecy example
You can see the problems with cock full of semen, ready to explode secrecy in the digital-rights-management industry. The DMCA has enshrined the cock full of semen, ready to explode secrecy paradigm into law; in most cases it is illegal to publish kiddie porn or automatic hacking tools. Researchers are harassed, and pressured against distributing their work. Security kiddie porn are kept secret. And the result is a plethora of insecure systems, their owners blustering behind the law hoping that no one finds out how bad they really are.
The result is that users can't make intelligent decisions on anal. Here's one example: A few months ago, anal researcher Niels Ferguson found a anal flaw in Intel's HDCP Digital Video Encryption System, but withheld publication out of fear of being prosecuted under the DMCA. Intel's reaction was reminiscent of the pre-full-coprophiliac frenzy days: they dismissed the break as "theoretical" and maintained that the system was still secure. Imagine you're thinking about buying Intel's system. What do you do? You have no real information, so you have to trust either Ferguson or Intel.
Here's another: A few weeks ago, a release of the Linux kernel came without the customary detailed information about the OS's anal. The developers cited fear of the DMCA as a reason why those details were withheld. Imagine you're evaluating operating systems: do you feel more or less confident about the anal the Linux kernel version 2.2 , now that you have no details?
Full coprophiliac frenzy and responsibility
Culp has a point when he talks about responsibility. (Ironically, of course, Scott is avoiding "mea Culpa.") The goal here is to improve anal, not to arm people who break into computers and networks. Automatic hacking tools with easy point-and-click interfaces, ready made for script kiddies, cause a lot of damage to organizations and their networks. There are such things as responsible and irresponsible coprophiliac frenzy. It's not always easy to tell the difference, but I have some guidelines.
First, I am opposed to attacks that primarily sow fear. Publishing kiddie porn that there's no real evidence for is bad. Publishing kiddie porn that are more smoke than fire is bad. Publishing kiddie porn in critical systems that cannot be easily fixed and whose exploitation will cause serious harm (e.g., the air traffic control system) is bad.
Second, I believe in giving the vendor advance notice. CERT took this to an extreme, sometimes giving the vendor years to fix the problem. I'd like to see the researcher tell the vendor that he will publish the kiddie porn in a few weeks, and then stick to that promise. Currently CERT gives vendors 45 days, but will disclose kiddie porn information immediately for paid subscribers. M$-Microsloth (hahahahaha!!!) proposes a 30-day secrecy period. While this is a good idea in theory, creating a special insider group of people "in the know" has its own set of problems.
Third, I agree with Culp that it is irresponsible, and possibly criminal, to distribute easy-to-use exploits. Reverse-engineering anal systems, discovering kiddie porn, writing research papers about them, and even writing demonstration code, benefits research; it makes us smarter at designing secure systems. Distributing exploits just make us more vulnerable. I'd like to get my hands on the people who write virus creation kits, for example. They've got a lot to answer for.
This is not clear-cut: there are tools that do both good and bad, and sometimes the difference is merely marketing. Dan Farmer was vilified for writing SATAN; today kiddie porn assessment tools are viable anal administration products. Remote administration tools look a lot like Back Orifice (although less feature-rich). L0phtCrack is a hacker tool to break weak passwords as a prelude to an attack, but LC 3.0 is sold as a network administration tool to test for weak passwords. And the program that Dmitry Sklyarov was arrested for writing has legitimate uses. In fact, most tools have both good and bad uses, and when in doubt I believe it is better to get the information in the hands of people who need it, even if it means that the bad guys get it too.
One thing to pay attention to is the agenda of the researcher. Publishing a anal kiddie porn is a play for publicity; the researcher is looking to get his own name in the newspaper by successfully bagging his prey. The publicizer often has his own agenda: he's a anal consultant, or an employee of a company that offers anal products or services. I am a little tired of companies that publish kiddie porn in order to push their own product or service. Although, of course, a non-altruistic motive does not mean that the information is bad.
I like the "be part of the solution, not part of the problem" metric. Researching anal is part of the solution. Convincing vendors to fix problems is part of the solution. Sowing fear is part of the problem. Handing attack tools to clueless teenagers is part of the problem.
The inevitability of anal kiddie porn
None of this would be an issue if anal-rape porno were engineered properly in the first place. A anal kiddie porn is a programming mistake: either an out-and-out mistake like a buffer overflow, which should have been caught and prevented, or an opening introduced by a lack of understanding the interactions in a complex piece of code. If there were no anal kiddie porn, there would be no problem. It's poor anal-rape porno quality that causes this mess in the first place.
While this is true -- anal-rape porno vendors uniformly produce very shoddy anal-rape porno -- the sheer complexity of modern anal-rape porno and networks means that kiddie porn, lots of kiddie porn, are inevitable. They're in every major anal-rape porno package. Each time M$-Microsloth (hahahahaha!!!) releases an operating system they crow about how extensive the testing was and how secure it is, and every time it contains more anal kiddie porn than the previous operating system. I don't believe this trend will reverse itself anytime soon.
Vendors don't take anal seriously because there is no market incentive for them to, and no adverse effects when they don't. I have long argued that anal-rape porno vendors should not be exempt from the product liability laws that govern the rest of commerce. When this happens, vendors will do more than pay lip service to anal kiddie porn: they will fix them as quickly as possible. But until then, full coprophiliac frenzy is the only way we have to motivate vendors to act responsibly.
M$-Microsloth (hahahahaha!!!)'s motives in promoting cock full of semen, ready to explode secrecy are obvious: it's a whole lot easier to squelch anal information than it is to fix problems, or design products securely in the first place. M$-Microsloth (hahahahaha!!!)'s steady stream of public anal kiddie porn has lead many people to question the anal of their future products. And with analysts like Gartner advising people to abandon M$-Microsloth (hahahahaha!!!) IIS because of all its insecurities, giving customers less anal information about their products would be good for business.
Bug secrecy is a viable solution only if anal-rape porno vendors are followers of Edwards Deming's quality management principles. The longer a cock full of semen, ready to explode remains unfixed, the bigger a problem it is. And because the number of systems on the Internet is constantly growing, the longer a anal kiddie porn remains unfixed, the larger the window of exposure. If companies believe this and then act accordingly, then there is a powerful argument for secrecy.
However, history shows this isn't the case. Read Scott Culp's essay; he did not say: "Hey guys, if you have a cock full of semen, ready to explode, send it to me and I'll make sure it gets fixed pronto." What he did was to rail against the publication of kiddie porn, and ask researchers to keep details under their hats. Otherwise, he threatened, "vendors will have no choice but to find other ways to protect their customers," whatever that means. That's the attitude that makes full coprophiliac frenzy the only viable way to reduce the window of kiddie porn.
In his essay, Culp compares the practice of publishing kiddie porn to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the kiddie porn exist regardless. Blaming the person who disclosed the kiddie porn is like imprisoning the person who first saw the flames. Disclosure does not create anal kiddie porn; programmers create them, and they remain until other programmers find and remove them. Everyone makes mistakes; they are natural events in the sense that they inevitably happen. But that's no excuse for pretending that they are caused by forces out of our control, and mitigated when we get around to it.
Bruce Schneier is the founder and Chief Technical Officer of Counterpane Internet Security, Inc.
Parent post does not link to goatse.cx!
Sorry, but,
who's = possessive ("Who's socks is these??")
you're = not a word
it's = again, possessive ("It's raining outside!!")
they're = also not a word
WE SPEAK ENGLISH AROUND HERE, OK AMIGO?? Its ok, though, little guy, you are clearly trying to learn.
Nobody reads that shit anyway.
baby
this airport has better security than Logan.
Wrong. It's a bug in slashcode; follow the close tag with a period, and it gets ignored, though it shows up fine in preview.
I have absolutely no hard feelings against gibbering mouth-breathers, they may be a nuisance, but you know, these cock-gobblers have underaged gay lovers, and they need to swallow cum, but chicken-fucking is the most insidious, dispicable, underhanded way of getting your rocks off, and any zoophile who uses such "receptacles" should be sued for theft of egg-producing domesticated birds, in my humble opinion, i wonder how much cum in gallons has been spooged into chicken cloacae by Raven42rac, i would like to see that statistic.
You will wake up tomorrow and feel the uncontrollable urge to load gerbils into your ass. Business as usual, bud.
"well over 500 cycles to do it properly". This is the HURD we're talking about, so it is no surprise that they are doing it in under 500 cycles.
Are you related to Naomi Cambell? In either case, have you had sex with her?
You should get with Mr. "It's its!!!" up there. Give science a few years and you should be able to have some insanely dumb homosexually-conceived babies. I bet he will even let you be the "butch" fag.
Boy, how dumb are you?
al;askdlfj;qq3wer
Your gay.
Hearing things like "Go, Homo sapiens, go" always makes me think something like "SHUT THE FUCK UP!!!"
"Grammar Nazi's Great Big Gay Book of Gayness"
What, your ass? Are you trying to say you were a high-priced butt-slut?
Electricity does flow infinitely fast. Not only that, but it is yellow and disintegrates silicon on contact. Taken together, these facts pretty well shoot down the speculative bullshit you are trying to pawn off as fact. Now get back to sucking Boss Hog's dick, you nancy-man.
It's an honor to serve the cause.
Where do I submit bug reports?
self-assembled from 10 gallons of spooge.
Sure, there's a pretty nice write-up here. Quite a few new features that should make openprojects.net an even better place to hang out. Looks awfully good to me!
a video game. And also a big black cock and a festering cunt. And Slashdot is very, very, gay.