Slashdot Mirror


User: BritGeek

BritGeek's activity in the archive.

Stories: 0
Comments: 19

Comments · 19

  1. At least three problems, if not more on Bill Gates Should Buy Your Buffer Overruns · Score: 1, Insightful
    It seems to me that this whole area is fraught with problems, and that the proponents of a "free market" are missing some of the history here.

    #1 The history of paying for exploits.
    This is a relatively new phenomenon, but historically where it has happened vulnerabilities have been purchased on the black market, by security research companies such as iDefense (now a subsidiary of Verisign). The reason that these companies did this is because these were (and are) exploitable, and were being happily used by the criminal community. Thus, in that situation, iDefense and other similar companies were able to acquire information about known and exploited vulnerabilities, and inform software vendors so that remediation could proceed.

    While paying money to criminals is not necessarily something that fills anyone with glee, except the criminals of course, it was reasonably clear that the action helped "the greater good". The same is far from true in the case of building a free market in vulnerabilities. The obvious point is that if a vulnerability applies to some particular product, why should we assume that the legitimate owner of the site or software product will be the highest bidder? It could as easily be a criminal.

    #2 Legality - testing.
    At least in the US, for downloaded software, the situation is such that the legality of testing software for vulnerabilities is moderately safe. For websites, on the other hand, the situation is that researchers are on rather thinner ice. Some websites do publish policies which describe the situations under which they would never push for prosecution, although many still do not. (Although, the recent discussions on this subject are clearly spurring more sites to do this.) The net for websites is that whether or not the testing activity is viewed as criminal is in large measure up to the tolerance, or otherwise, of the website operator.

    #3 Legality - sale.
    For sale of vulnerabilities, if a researcher approaches a company and says "I have information about a vulnerability in your product/service, and I'd like $x for it", the answer is that any competent prosecutor could get a blackmail conviction. If you are a legitimate security researcher, I'd argue that the last thing you want is to be branded as a blackmailer. And, per point #2, I think you will find that as more and more websites release security testing policies, those policies explicitly will not indemnify researchers when the results of the research have been resold or in any way used for profit.

    #4 Business ethics.
    Granted that most security researchers are not in fact employed by the companies whose products and services they are researching, why on earth would anyone expect to be compensated by that company? For example, if you show up at the office building of some company with a ladder and bucket and then clean all the windows, the office manager might be grateful, but whether or not you get paid for it is another matter altogether. Why should vulnerabilities be any different? Don't all workers have the right to expect the windows of their offices to be clean and bug free? ;-)

  2. Re:Paypal is insecure on PayPal Security Flaw Allows Identity Theft · Score: 1

    I would like to hear more about this. Please can you e-mail me your contact info? (You are fully cloaked currently...)

  3. Here's a rather scary thought on Computer Problems Already Affecting Florida Voters · Score: 1
    People have been wittering for ages that the terrorists might launch an attack shortly before the election, as they did in Spain. With two weeks to go before the election, we're now in the window when that might occur.

    Here's the scary thought - what if it's not just blowing stuff up, but screwing with the election itself. The race is close enough that you wouldn't need to mess with that many votes that neither candidate could claim legitimacy. For example, hack the machines in perhaps two or three contested states - give a ridiculous number of votes (say 100,000,000) to Nader, two votes to Bush and one to Kerry. That would completely invalidate those states being able to send delegates to the constitutional convention. Result - massive crisis.

  4. What's the threat model, and other questions on MS SQL Server 2005 Adds Security Features · Score: 5, Insightful
    I hate to sound like a harpy about this, but basically we have no idea if this will add any real security at all. "The Devil's in the details"™.

    The obvious questions are:

    1. Are they trying to protect against a bad guy who has hacked the database server, and has disk level access to that box, but who has no application level credentials for accessing the data via the database?
    2. Or, are they trying to protect against a bad guy who has hacked an application server? In which case, said BadGuy presumably has a valid userid/password to retrieve data using boring but powerful queries such as "SELECT * FROM CUST-TABLE".
    3. Or, are they doing some nifty code signing thingy so that, unless the query is executed from a previously signed application, the query won't return plain text data?
    Of course, there are other interesting questions here. Do they propose to encrypt the data on a row-by-row basis, in which case multi-row operations become exceedingly "interesting"? Do they propose to simply encrypt an entire table? How many keys will there be? Will you be able to rotate keys? If you can rotate keys, what happens to data encrypted under the old keys?

    So many questions, so few answers!

  5. The forces of Privacy are surrounding the US on North American Corporate Privacy Comparison · Score: 3, Informative
    Of course, one of the interesting things about Privacy (and the lack of data privacy rights for US citizens and residents), is that this whole debate is slowly becoming irrelevant.

    I work for a large multi-national financial services company, and we have long been aware of how much more stringent the laws are in other jurisdictions. (This is not exactly news.) However, the interesting thing is that there has been a clear trend over the last few years towards increasingly stringent regulations in other countries too. So, the net effect is that the US is slowly being surrounded by laws that are more privacy friendly than those in the US. (Hard to be *less* privacy friendly than the US, generally speaking.)

    As companies like mine get more and more forced to adopt practices that conform to the most restrictive of these various bits of legislation, we are tending more and more to say "To Hell with what you can do in the US, we'll just go with something much more like Germany's". Of course, this tendency is only exerting leverage on multi-nationals, but that is a significant chunk of the companies that we all do business with, so who knows?...

  6. Re:Favorite quote from TFA on Passport to Nowhere · Score: 1

    Apparently, the author is confused about the nature of the Liberty Alliance. It's not in the business of doing identity federation itself, merely producing specifications, guidelines, best practices, etc. You would no more "trust my personal information" to the Liberty Alliance, than you would to the IETF, OASIS, etc...

  7. Re:problems with the internet on Peer to Peer and Spam in the Internet · Score: 1
    Cor Strewth!

    It might solve the problem, but the social implications are horrific. I am assuming, despite the lack of an April 1st date, that this is a subtle joke?...

    Alternatively, if the poster *is* serious, it is reminiscent of the old joke whose punchline is "you can't get there from here".

  8. RFID nuking on RSA Creating RFID Blocker Tag · Score: 5, Interesting
    One of the main complaints about RFID - that RSA's announcement doesn't address - is that consumers should have the right to have the tags "nuked" at point of sale. That implies that:
    1. The tags themselves have to be designed with fusible links (so that they can be overloaded & die), and
    2. The POS devices have the option of tag nuking, or maybe some area at the POS where tagged goods can be placed that will nuke them. (Many stores already have those pads that wipe out inventory control tags to prevent theft - same kind of notion.)
    So, the question at a practical level is - is the industry actually responding to this, or is RSA's announcement just bandwagon hopping?

  9. We're in the same boat on Constructing a Corporate Open Source Policy? · Score: 5, Interesting
    Oddly enough, my own company is in much the same situation. Our policies have historically forbidden open source software (generally because of the lack of support). However, a few mavericks have been changing the position on this. Here are the salient points from our thinking:

    1. Have your policy/standard give prescriptive guidance about when you feel it is - and is not - appropriate to use open source. I'm not saying there are necessarily cases where you may not want to use open source, but there may be. For example, our shop is a big WebSphere user, and for us that was a strategic choice. We have good operational competence at running it too. So, just because some project came along and said "we'd like to use JBoss", that would be a good example of when not to use open source - for us, anyway.
    2. For cases where you do use open source, make sure that the sponsoring project for some particular open source tool has clearly identified how it will be supported in production. This may be the team itself, it may have chosen to outsource, who cares... But, make sure they do identify a source of support. Otherwise, when stuff breaks at 2AM, the ops folks will just call *everyone* in... ...probably including you.
    3. Make sure that your General Counsel's Office is thoroughly briefed on the various kinds of open source license agreements, and that they are ok with the license for the particular open source tool when it is "acquired". Some licenses may not be compatible with all commercial usage (LGPL is probably the worst offender from this perspective), and thus careful review is appropriate. In any case, if you don't get your GCO on your side, they'll shoot you down in flames...
    4. Make sure that your policy/standards differentiate between where it's appropriate to *use* open source, vs. where it's appropriate for you to *contribute* to it. There are at least two reasons for this: a) if no one gives back, the quality of open source software will suffer; and b) there are often cases where it's better to give up both work (as well as "intellectual property") rather than doing something proprietary. For example, three or four years ago my own company had decided that we needed an MVC-based front-servlet design. It proved very handy, and as projects like struts came along, we just dumped some of the core ideas into that project. Over the long haul it is much better for us to have our needs supported directly by open source products, than it is for us to have to build a bunch of proprietary goo.
    5. You will likely have another fight on your hands with the aforementioned lawyers on the idea of contributing to open source, but it's worth fighting for. (Our own GCO just didn't get this, and I'm not sure whether they fully do yet. They have a distinct feeling that our IP rights are such that we should own the universe.)
    6. Expect a fight. There will be a certain number of folks "from the Dark Side" who view open source as a threat to Civilization As We Know It. Take no prisoners with these types...
    Good luck!

  10. Have you ever heard the words "anti-trust"? on United Linux Dead · Score: 3, Insightful
    In one of the extracurricular activities associated with my real job, I represent my company on the Management Board of an open standards consortium, where many of the same questions have been discussed. There are two issues:

    1. What are the rules of the organization WRT initiating new work? Popular choices are typically: majority vote, super-majority vote (usually 75%), n-1 (one can vote against), or unanimity. All of these models have been used by different organizations. If their model (like WSI's, I believe) opts for unanimity, then SCO could indefinitely block anything new going on.
    2. What are the rules for kicking members out? The usual provisions are for non-payment of dues only. Generally, there are no other options, as anti-trust law forbids more or less any discrimination against a company just because they are being generally obnoxious. So, if the UL board voted to kick SCO out (on any basis other than non-payment of dues), it would be a wonderful opportunity for Darl to sue someone else (both UL itself, and most likely the individual Directors), and as an anti-trust issue, conceivably the DOJ could investigate.

    Based on that, UL very likely had no choice but to shut down.

  11. Re:tax writeoff on Red Hat will give eCos Copyrights to the FSF! · Score: 1

    As an organization, you could - if you had capitalized the development costs. As an individual, you may very well not be able to.

  12. Oh crikey, here we go again... on Micropayments Going Mainstream? Not Yet. · Score: 1
    I work for one of the large Financial Services companies. In the late nineties, we spent a great deal of effort working on micropayments, trying to determine: a) was there a heavy suppressed demand for micropayments capability, b) was there a business model wherein a reasonable profit could be made, and, if the answer to the previous questions were both yes, c) what was the best technology that could supply the solution. Suffice it to say that we eventually concluded that the answers to the first two questions were No, and No, respectively.

    The interesting thing is that I believe that the survival rate of the late nineties companies that offered such services bears out this hypothesis. They are basically all dead. There are a couple of notable exceptions. QPass re-invigorated itself by becoming a wireless services company. (And, it had a model remarkably similar to Peppercoin's, so it will be interesting to see what happens to them...) Seattle-based eCharge died, but was recently re-floated by the VC community as eCharge2 - I wish them luck, but the odds are against them. All the rest seem to have sunk without trace...

    Paypal - fine company, but not a micropayments company; instead a P2P payments company. They may be able to make micropayments work, but if they do, it will be on the basis of operating the service as a loss leader...

  13. A Strategic Investment viewpoint on The Walking Dead of Silicon Valley · Score: 1
    In the late nineties, I supported the Strategic Investment group of my employer (a large financial services company), by doing Technical Due Diligence on the various companies that they were thinking of investing in. I have also witnessed what's happened to our own investment portfolio since then. It seems to me that there are a few things going on here, that some of the other posters seem to be muddling together:

    1. The companies with obviously daft business models, who managed to get funded in the late nineties, have all faded away. Good riddance to bad rubbish, largely.
    2. The companies with solid business models are making money quite nicely. They will presumably do even better as the economy continues to improve.
    3. There are, however, a number of companies in an intermediate state. They are hanging on (sometimes by the skin of their teeth), in the hopes that as the economy improves, so will their sales. If that doesn't occur, then these companies will be continued grist to the shutdown mill...

  14. It's the politics, not the technology on Paul Mockapetris On The Future of DNS · Score: 5, Insightful

    While the main point of the article is interesting, the rather depressing part - about the politics of the ITU, ICANN, etc. - is that unless we can get these oafs to work together, we are totally hosed. Having witnessed some of the machinations that go on in at least a couple of these groups, I despair of whether we will get anything rational out of all of this. (I would much, much rather see sausages being made, than see these groups "working" again...)

  15. Stock market dynamics & the legal system on SCO - What have WE Forgotten? · Score: 3, Informative
    Speaking as someone who works in the Financial Services space (and has done for a couple of decades), a couple of points are worth mentioning:

    1. The stock market is notorious for both over-valuing, as well as undervaluing, especially towards the start of an investment cycle. It does seem as though the "run up" phase of SCO's price is about over - the market has now valued the stock on the assumption that SCO will win. For those of us (me included) who believe that SCO's case is baseless, this is now an excellent time to short the stock. As soon as SCO starts losing aspects of their case, their stock price will plummet through the floorboards.

    2. IANAL, *but* I think many of us have forgotten quite how slowly - but inexorably - the legal wheels grind. None of us should be particularly surprised that not much, legally speaking, has happened yet. This series of cases (remember there are multiple cases involved), could literally take years before the dust has all settled...

  16. Re:google is a nice big target on Better Search Results Than Google? · Score: 1
    Well, my problem is that the search results I am getting from Google these days are less & less relevant to what I tend to be looking for. I can see four reasons:
    1. The Internet has changed in such a way that Google's methodology doesn't work as well - i.e. the original "linked most" philosophy simply doesn't work as well on today's web as it used to.
    2. Google have been optimising their search rules towards other searchers & those rules that used to work for me, no longer do so.
    3. Google have got lazy (a variant of #3), and are falling into the Altavista trap.
    4. My queries have got more complex.

    Overall, I don't know which of the above is true. All I do know is that if a better mousetrap came along, I'd stop using Google in a heartbeat...

  17. The conflict between OSS & IP on Stallman On Free Software and GNU's 20th birthday · Score: 2, Insightful
    One of the difficulties I personally have with RMS is that there are niggling little inconsistencies between what he says and what he does.

    Specifically, while he says that he is fine with software being for "fee", his actions, especially as measured against the LGPL, make that quite hard. This thinly disguised dislike of commercial software bleeds over into his general worldview. He clearly is very binary about whether something is "open" or not, and uses the wonderful "non-free Invidious video driver" example. (Am I the only one who found that particular spoonerism amusing, BTW?)

    So, because he can only see the world as "free" or "non-free", he is unwilling to admit that things like video drivers, which are not published as open source, may nonetheless be of significant value to the OSS community. Another way of looking at this is that he simply does not believe in the notion of Intellectual Property, and therefore is unwilling to accept that there are reasonable commercial cases where it should be protected.

    I'm probably being too quick to criticize as (Heaven knows!), we all owe him a lot, but I never trust a man that has a simple world view...

  18. Re:Two things you can't say on What You Can't Say · Score: 1
    For example, "black people are better dancers than white people". Yes, there will always be some pedant showing an example of a given white person who is a better dancer than a given white person, but that does not affect the usefulness of the generalisation.

    No generalization is true, not even this one...

  19. Phone numbers are for sissies on VoIP Advances And Trends For 2004 · Score: 4, Interesting

    I've never personally understood this mania that the POTS folks have for dragging all of the old telephone system baggage into VOIP. Why on earth should we perpetuate the same old nonsense of "area codes" & "country codes"? (They are completely artificial & capricious anyway.) What's wrong with dialing someone by their IP address, that's what I want to know?