Slashdot Mirror


User: JMZero

JMZero's activity in the archive.

Stories: 0 · Comments: 1,067

Comments · 1,067

  1. Re:He pegs it with this: on Schneier On Full Disclosure · Score: 1

    I felt I had to reply to a lot of these posts. When everyone is on one side of an argument, the debate is not so good.

  2. Re:What happened to movies as art? on Convert Movies From R to PG13 to PG On The Fly · Score: 1

    You're right, people should not be free to choose which parts of a movie they watch. In fact, we should have someone stand behind them. If they turn away for a moment they should have to turn the movie off altogether.

    Obviously it would be wrong if we lost the ability to see certain things, but that's not what's going on here.

    People should be able to choose what they want to watch. If they want, they should also be able to delegate the editing of a film to a third party (as in this system).

  3. Good idea. Really on Convert Movies From R to PG13 to PG On The Fly · Score: 2, Insightful

    I know I'd like my kids to be able to watch Forrest Gump without the sex scene. While I'm fine with them knowing about sex, and knowing that characters in the film are "doing it" - I don't think they need to watch it (and this is a much better solution than fast-forward).

    Being able to control and choose what you watch seems like "freedom" not "censorship".

    Implementation might not be done perfectly here, but it's got the right idea (i.e., we should be able to choose our editor and not be stuck with the one the studio provides).

  4. Re:Out of context on Schneier On Full Disclosure · Score: 1

    He does indeed call it an analogy, but not for the entire situation - only for his appeal to limit speech in this instance.

    I could have been more clear in my original post.

  5. Re:He pegs it with this: on Schneier On Full Disclosure · Score: 0

    Once again, this is a poor straw man argument. Culp is not suggesting we return to the "bad old days". His plan CALLS FOR publication of security information, but asks for a limit on scope and timing (and if you don't think he's right about scope and timing, feel free to say so). Don't pretend he's advocating "everybody shut up about everything".

    Vendors fixing bugs is a critical part of Culp's plan, and MS has demonstrated that it wants to do so (even if it is not very good at it).

    I'm sure Culp would agree that, faced with an unresponsive vendor, a researcher would be forced to publish exploit info.

  6. Re:Proof that Full Disclosure is the ONLY way to g on Schneier On Full Disclosure · Score: 1

    I really think you've misunderstood what the debate is about.

    Obviously, people with affected systems need to be informed of information on how to protect their systems - the debate is on what level of extra detail to provide (sample exploit code, more or less tech info, etc.).

    In your simple scenario, obviously the solution is simple.

    Just yesterday, I discovered a vulnerability on a certain government site. I told them and they fixed it. This isn't the sort of problem we're talking about.

  7. Re:What Culp actually said... on Schneier On Full Disclosure · Score: 1

    You're right, the problem is that admins and users need to implement patches.

    You would also be correct if you said that Culp's plan wouldn't have prevented these worms.

    Culp's plan would not have made any difference in these situations - he does not suggest that security vulnerabilities should not be talked about (in the useful manner they were in the case of the vulnerabilities behind Nimda/Code Red), and he doesn't provide a solution that would make admins listen.

    What he does say, though, does have some merit - and if it is to be argued against let it be done so fairly.

  8. Re:What Culp actually said... on Schneier On Full Disclosure · Score: 1

    I believe Culp did suggest a time limit, although I did not include it in the quote. I believe he suggested 30 days. I don't know whether that is an appropriate time frame - but the thought is there.

    I believe the real problem is getting the incentive to the admins. In the case of Code Red, the patches were available for a long time, but admins didn't pick them up.

    I believe that MS is currently sufficiently motivated (though I don't know how well they'll be able to patch the dam).

    The biggest problem is the chain of command. Currently the only one that really works is-

    1. Exploit -> CNN -> PHB -> Bad techie

    and that needs to change.

  9. Re:Grace Period on Schneier On Full Disclosure · Score: 1

    Obviously if your goal is simply to get "First Post" on the exploit, then you aren't going to be concerned with following Culp's security protocols.

    If you do want to follow his plan (which is a good starting point, if not perfect), it's fairly clear what his intent is.

    Your article points out a poor paradox called "False Start". Basically, a runner charged with starting early claims that obviously the race had started - there was already somebody running.

  10. Out of context on Schneier On Full Disclosure · Score: 1

    The "fire" quote is really taken out of context.

    In the article, the quote serves as a reminder that there are times when free speech needs to be curtailed. He is not suggesting it as a metaphor for the entire situation.

    The article is riddled with this sort of straw man fallacy.

  11. What Culp actually said... on Schneier On Full Disclosure · Score: 4, Insightful

    Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:

    "Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....

    "Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...

  12. This should be expected on Oldest Technology Gets Older · Score: 2, Interesting

    I would hope that by (now-70000 years) man would have been using simple tools. 70000 years is a significant, but not a huge evolutionary interval.

    Current human language is a tremendous evolutionary accomplishment, both in terms of mechanics and brain wiring (I believe the brain is wired to learn language - it has a "Language Acquisition Device"). Surely 70000 years ago these structures were developing, and surely they were giving evolutionary advantages to those brutes possessed of them. Evidence: our current level of ability.

  13. Re:It Feels like 1995 Again. on InfoWorld says WinXP much slower than Win2K · Score: 1

    The analogy to Windows 95 might be more appropriate than you think (unfortunately).

    Windows 95 was a HUGE seller.

  14. 53 minutes on InfoWorld says WinXP much slower than Win2K · Score: 2, Funny

    I have to work for an extra 53 minutes each day since we switched to Windows XP. My job is to hit the recalc button on my spreadsheet 42,000 times a day.

    I've decided to switch all our desktops to multi processor machines too. Small performance increases (and of course, computer performance is THE bottleneck for worker productivity) are well worth raising our hardware expenditure by 50%.

    Of course XP is a little slower, but that's neither critical information, nor all that surprising. At least he could have done benchmarks on server software (where performance is a little more of a limiter).

  15. Re:I've read No Logo on Multinationals And Globalism · Score: 1

    Great post. I read it after I wrote my post, and now mine seems very dim. Couldn't agree more.

    Thus, I hope my post will serve as nice padding under yours, hopefully drawing attention to it.

  16. Re:Globalization is bad, We did not vote for it. on Multinationals And Globalism · Score: 1

    A lot of people think that labor laws are what prevents "sweat shops" from existing here in North America.

    In reality, working conditions are good because there is a large number of possible employers (including welfare), and employees are free to choose those that don't make their lives hell.

    Hopefully if business continues to grow in developing countries, the economy will create better jobs, and working conditions will get better naturally.

    Wait, I know how we can make the lives of Nigerians better, we'll make a minimum wage of $6.00 an hour. No wait, how about $9.00. Then they can afford all the things we do!

    I would be very scared if the representatives I elected (by voting) changed their minds on important issues because of a confused crowd of rock throwers.

  17. Encryption on Ask Cryptome's John Young Whatever You'd Like · Score: 4, Interesting

    The current means of doing public/private key encryption (via large primes) seems pretty much universal. Should we be looking for an alternative if/when someone finds a way to break it?