It's not necessarily a bad thing. But a better method is to notify the vendor, give them a predetermined amount of time to release a patch, and then publish the details. Say: "Here is a bug, here's how I exploit it, I release the details in 90 days. You might want to have a patch available by then."
If the vendor is responsive and cooperative, then releasing the details early will do more harm than good.
Something that I think is missed in the proposal is accommodation for unique circumstances. There are times when full disclosure is a really bad thing, like when a vulnerability poses significant risk to human life or national security.
I don't think you've gotten the full motivation behind full disclosure.
It's not about 'arming the hackers', or even informing the public. It's about making sure vulnerabilities get fixed.
Simply put, when the public doesn't know about a vulnerability, the vendor won't fix it. History has repeated itself ad nauseam. Crackers themselves don't provide sufficient motivation to companies, because vendors aren't liable when their customers' systems are broken into.
The only effective means to force vendors to make their code more secure has been full disclosure. When people know your product is crap, they will eventually stop buying it.
The full disclosure advocates took great satisfaction in Bill Gates' proclamation of refocusing Microsoft on making secure software. There is no way he would have done that if Microsoft hadn't been embarrassed time and time again by people releasing vulnerability details to encourage accountability.
When you are implementing a system that uses an RFC, it is solely your responsibility to comply with the requirements. The same goes here.
The assumption is that both the Reporter and the Vendor act in good faith.
Think of this as a proposed guideline that researchers and vendors should follow. Vendors are still free not to fix bugs, and researchers are still free to recklessly publish exploits to the world at large.
But if they both followed the instructions, things wouldn't be too bad. Of course if a Vendor persists in denying a bug's existence then the Reporter can, and should, publish the details. This is how things work most of the time already.
You should note an earlier poster who mentioned concern that if this turned into an RFC, it might eventually lead to legislation. Which would be a bad thing.
I've been going through it, and I can't seem to find any points on which this differs from the existing full disclosure model that most of the security community already follows.
There are, of course, people who discover vulnerabilities and immediately publish all the details without notifying the vendor, but an RFC is hardly going to stop them.
All the same, guidelines are nice. I'm a little skeptical of vendors sticking to the suggestions. Too many SHOULDs and MAYs.
To recap, the proposed RFC suggests 7 stages in fixing a vulnerability:
1. Latent flaw. The flaw exists undiscovered.
2. Discovery. Somebody finds the flaw (the 'Reporter').
3. Notification. The Reporter notifies the Vendor.
4. Validation. The vendor verifies the flaw.
5. Resolution. The vendor fixes the flaw.
6. Release. The vendor publishes the flaw.
7. Follow-up. Analysis of the resolution.
What a nice world this would be.
It usually works like that right up until step 5. Here's what really happens:
5. Denial. The vendor denies the flaw really exists, setting his best PR guys on the job.
6. Demonstration. The Reporter creates exploit code to prove to the vendor that not only does it exist, but it is serious and should be fixed.
7. Diversion. The Vendor changes the subject by publicly attacking the Reporter for creating the demonstration, labeling it a "Hacker Tool".
8. Publication. Third party bug tracking systems and security entities make knowledge of the vulnerability widespread to try to scare the Vendor's customers.
9. Fix. The Vendor repairs the vulnerability, while still denying that it has any real significance.
10. Release. The Vendor shuffles the release into a service pack or update, and puts it on his web site.
Nobody is arguing against copyright protection (well, on Slashdot they are, but nobody in court).
The argument is whether Copyright terms should be extended, and further, retroactively extended for existing works. The extension violates the letter and the spirit of the Constitution.
If the plaintiffs win, copyright will not be eliminated. They will go back to being author's life + 50 years. Possibly the court could rule that future copyrights go life + 70, but existing works revert to life + 50.
Keep in mind the only reason copyright exists is to encourage people to create useful works. That is the only reason.
Why shouldn't I be able to give my possessions away to whomever I desire, whenever I desire?
Of course you should. But a copyright is not really a possession. It is a restriction on other people's natural rights.
Comparing copyright to actual property is absurd. Homes, clothing, food, etc. are actual property. If I steal some bread from you, then you have less food to eat.
A book or a song, however, can be copied without depriving anybody of anything. If you have a book, and I photocopy it and put back the book, what have you lost?
On the other hand, if I buy your bread, do you have the right to tell me that I can't sell it to somebody else? No. Once I own that bread, I can do anything I want with it and you can't stop me.
Copyright means you can restrict other people from doing things that, really, have nothing to do with you. In general our government has found this acceptable because copyright encourages future works. But logically we should have the minimum restriction to provide that encouragement. Minimal copyright.
And the earlier poster is correct. Long term copyrights do inhibit creation of science and useful arts. The sole purpose of copyright is to encourage works, but as it stands now it discourages further creation because the author has disincentive to provide any further value to society.
The make it free to everyone approach is the foundation of communism, not capitalism.
Name one communist system that was based on free dissemination of knowledge.
Your argument relies on the belief in copyright as a natural property right, but this is very difficult to credibly argue. Communism is based on sharing of resources because those resources are scarce.
Knowledge is not scarce. In fact the more you share it, the more of it there is for everybody.
Rarely, if ever, is a great work suppressed or lost. Most often the works *ARE* available to any and everyone.
How would you know how many great works have been lost?
What was Lessig's number? Something like 10,000 books were published in 1929, and around 1% are still in print.
shouldn't I be able to enjoy the spoils and decide the future of that great work?
You can if you want. Just don't share it with anybody. Then you have absolute rights over that work. But the second you give it to someone else, they can do what they want with it.
That is how natural rights and natural law work. Our law allows you limited time copyright, designed for the sole reason of encouraging further work. There is no notion of being able to control your work for some 'just' and 'fair' reason. That would be you restricting the rights of others.
Shouldn't I be able to go to my grave, comforted by the fact that my magnum opus will provide for my children's future?
No. They should have to work for themselves. Why should we support a system that encourages laziness?
There is no such "duty", exactly. But if somebody patents your invention, the onus is on you to prove you invented it before the patent application was filed.
If you can't prove it, you're SOL. The patent will stand.
If you can, then either the patent will be rejected (if the PTO is made aware of your invention), or the courts can invalidate the patent after the fact.
Now we'll have to listen to politicians and journalists rant on and on about why surfing the Internet and driving shouldn't be allowed at the same time.
Just when I was hoping those cell phone folks might be shutting up soon.
Alternatively, you could just invent something and not patent it.
As long as you have proof that you invented it first, you can invalidate anyone else's future claim if they try to patent it. Just tell everybody about your idea and say they can do what they like with it.
Copyrights used to mainly affect arts and entertainment. Now they have a profound influence on technology as well. But that is still a fairly limited scope.
Patents are broader. In particular they are critical in the pharmaceutical industry (where there are patent controversies from time to time). Long-term patent granting would be very very dangerous, because it could allow drug companies to put the health care market in a stranglehold. As it stands now, drugs are highly overpriced for the first 20 years of their existence (while patented), and then suddenly become available cheaply. This helps to discourage (but not prevent) abuse.
In the specific case of MPEG4, I'm inclined to agree with you. It probably will be outdated long before the patent expires.
However, it will be outdated because somebody else has patented a new better algorithm (or not patented it, which is also possible, and released it for everybody to use). This is the purpose of patents: to encourage new innovation. If people are perpetually coming up with better ideas, they do have some claim to get money for them. This is acceptable.
But unlike copyright, you can't sit on a patent, do nothing, and receive perpetual income. Copyright law may actually discourage new work, while patent law does the opposite.
It's a grey area in law, actually. While we know you can't patent a mathematical formula, you can in fact patent a specific use of a mathematical formula.
Essentially that is what algorithms are.
Patents were not intended to cover natural phenomena or simple scientific 'knowledge'. It is finding an original use of that knowledge that is intended.
Algorithms can qualify as original use of mathematical knowledge, and hence are patentable.
Example: Gauss discovered an efficient algorithm for computing Fourier transforms a century and a half ago. It was simply a solution to a mathematical problem. He could not have filed for a patent. Many years later, somebody has a great idea and realizes that this algorithm can be used to make digital signal processing possible. That man can get a patent. But note that it does not in any way preclude somebody else from using Gauss' algorithm for a completely different purpose.
The flip side of this is that patents aren't like copyrights. They expire after 20 years or so, and become public domain.
At that point all you have to do is write your own piece of software that implements the algorithm, and you don't have to pay anybody anything.
Presumably by then there will be new and improved patented algorithms, but it's nice to know that you will always have free technology to use, although sometimes a little outdated. (Or not, the RSA patent has expired and it is still the most popular public-key cryptosystem)
Algorithms are patented, not copyrighted, so you can't decide how you license it like that.
The way to patent an algorithm is to first invent it. For fractal compression, you're too late.
You can write a compression program and GPL it, but first you have to be careful not to infringe on anyone else's patents.
Here is a fractal decoder license. I believe Iterated Systems Inc. holds a pretty comprehensive patent on fractal compression, but I don't have much in the way of details.
This is a good post. You are taking the opposing side from one of the replies I posted above.
I pointed out that the weak security characteristic of Microsoft is a direct result of them making everything so damned easy to do. They strip away the limitations of the software architecture, enabling more powerful apps but at the same time opening a great number of security vulnerabilities. You are suggesting it is worth it. Obviously Schneier and Shostack disagree with you.
As someone who works in the security industry, I can't agree. The more we tear down those boundaries the more vulnerable we leave ourselves. If the Internet is ever to live up to its full potential, especially in economic terms, we have to protect ourselves. Unless we start admitting such tight software restrictions are necessary, things like Internet fraud and web worms will keep increasing in frequency and severity.
I think you are right that it is impossible to "go back". You can't turn back the clock, and while I may think Microsoft did it wrong, it is unreasonable to think they will do it over again.
Now if that opinion is prevalent through MS do you really think they will start from scratch??
No, I don't. But I don't think they'll succeed with this security initiative either.
It's easier to say than to do. We all know this already. But I'm not sure Microsoft does. It's not like the sudden Internet shift.
Security is about adding limitations and restrictions. This is converse to the entire corporate direction, which has been stripping those away while trying to apply band-aid solutions to address security issues. It's a fundamental problem.
And you are right. They can't really go back. They can't completely rewrite Windows, IIS, or Office. The new products would be released with glaring omissions from past functionality. It would be missing things Microsoft never should have added in the first place (UPnP, for instance).
Perhaps they'll try to do it right. In fact I believe they will. But when it finally comes down to scrapping products and features with insecure fundamentals, I can't see them carrying through.
It'll be back to band-aids and PR coverups. The temptation is just too great.
It seems to me like MS are doing this just to counteract the recent bad press they have got in the security area.
Well, duh!
It's the timing that gets me. They made the announcement shortly after a major OS release. So whenever somebody points out a bug in existing software (XP or earlier), they can shrug and say "That was the old Microsoft, the new Microsoft no longer makes those mistakes."
And since it'll be some time before they release another highly-vulnerable product, nobody will be able to contradict them.
Schneier and Shostack say:
Separate Data and Control Paths
Use Secure Default Configurations
Separate Protocols and Products
Choose for Security over Features
Make it Transparent and Auditable
Give advance notice of Protocols and Designs
Engage the community
All that stuff sounds great, but I can say the same thing in far fewer words: Start from scratch. Do it right this time.
Now unless you are suggesting that they come up with a different way of putting distinguishing information in the header then I think your idea is fairly moot.
It was just a toy idea, kind of interesting to think about. In reality there are stronger reasons than that why it would be unworkable.
If you tossed out Domain Name Servers, finding another way to implement virtual domains would be the least of your problems.
The fundamental problem with such a scheme would be the introduction of weak central failure points on the Internet: the search engines themselves. If we depend on them for navigation in lieu of DNS, you can bet they'd become the most attacked targets on the Internet in a real hurry.
For the most part they are opponents of the full disclosure model, and they would love to have rules imposed on people who discover vulnerabilities.
So if you discovered a bug and published its details without notifying the vendor or going through the correct process, you could go to jail.
And if such legislation was introduced, guess who it would favour, the Customer, the Reporter, or the Vendor?
In the US, at least. I don't know much about how patent laws work internationally. It looks like it might still have some protection in England.
But I suppose GIFs are ancient technology and nobody has used them in years, right?
So I'm sorry man, but your solution or proposal or whatever is really not an option.
It wasn't a solution or a proposal. It was just a statement. MPEG-4 will be exactly the same algorithm in a decade as it is now.
Well, normally I would be skeptical of this mortgage consolidation plan, but because DoubleClick says it's OK...
They are attacking MS because they collect personal information that could be exposed through security flaws?
How many dozens of e-commerce sites could be shut down on that account? Think about it.
Or are the Attorney Generals being asked to hold Microsoft accountable for their weak security? Bruce Schneier's been trying to go there for years.
Unfortunately, he could tell EPIC exactly how far this is going to go.