A Politics of Vulnerability Reporting
Black Hat Briefings, Europe 2001
Scott Blake
Director of Security Strategy
BindView Corporation/RAZOR Research
April 19, 2023
Agenda
• Introduction
  – What is Politics?
• The Past and Present
  – Ideologies, Actors, and Initiatives
• The Future
  – Trends and Probabilities
What is Politics?
• The study of power
  – Power is the ability to make one do what one would not otherwise do.
• Important Terms
  – Actor: One who uses or is subject to power
  – Ideology: A set of beliefs or ideas
  – Legitimacy: In accordance with established standards or patterns
  – Authority: Legitimate power
Ideologies
• Full disclosure
• Zero disclosure
• Responsible disclosure
Full Disclosure
• Tenets
  – Information wants to be free
  – Use the power of public opinion to make vendors improve code
  – Exploit code is more useful than destructive
• Adherents
  – Most non-profit researchers
  – Very few commercial researchers
Zero Disclosure
• Tenets
  – Responsibility for fixing vulnerabilities lies with the software vendor
  – Authors of software should control information relating to that software
  – There is no public good in broad availability of vulnerability information
• Adherents
  – Many software vendors
  – Many government actors
  – Much of the public
Responsible Disclosure
• Tenets
  – Exploit code causes more problems than it solves
  – Broad dissemination of vulnerability information is required to improve security awareness
  – Use the power of public opinion to make vendors improve code
• Adherents
  – Most commercial researchers
  – Some notable software vendors
The Actors
• Vendors
• Researchers
• Governments
• Media
• The Public
Vendors
• Motivators
  – Shareholder value
• Financing
  – Software sales
• Interests
  – Limit damage to brand value
  – Limit vulnerability of customers
  – Sell more software
• Power Relations
  – Often try to prevent public disclosure of vulnerability information through legal action, market leverage, lobbying
Researchers
• Motivators
  – Advance state of the art
  – Build more security
  – Build name recognition/peer respect
• Financing
  – Day job
  – Customers (grant, contract)
  – Software sales
Researchers (2)
• Interests
  – Continue financing source
  – Maintain/extend reputation
• Power Relations
  – Hobbyists are largely free from external influence, provided the day job does not interfere
  – Academic and consultative researchers are largely beholden to their funding source, but different funders set different restrictions
  – Commercially-sponsored researchers are beholden to the parent company’s interests
Governments
• Motivators
  – Technocratic perception of public good
• Financing
  – Taxes
  – Campaign contributions
• Interests
  – Economic growth
  – Public safety
• Power Relations
  – Prosecution of criminal or negligent behavior
  – Large purchaser of information technology
The Media
• Motivators
  – “All the news that’s fit to print”
• Financing
  – Advertisements
  – Subscribers
• Interests
  – More readers
• Power Relations
  – Very powerful creators of brand, image
  – Influencers of public perception
The Public
• Motivators
  – Too chaotic to be relevant
• Financing
  – Too chaotic to be relevant
• Interests
  – Stable, secure software
• Power Relations
  – Wields tremendous power, but very difficult to direct in any specific direction
Initiatives
• Council of Europe Cybercrime Treaty
• US anti-terrorism legislation
• Disclosure forums
• Coalition for Internet Safety
Council of Europe’s Cybercrime Treaty
• Intended Outcomes
  – Harmonize and update European computer crime laws
• Unintended Outcomes
  – Potential for mis-implementation of the tools provisions may have a chilling effect on research
  – Language pertaining to intent may lead to certification requirements for security practitioners
USA’s PATRIOT Act
• Intended Outcomes
  – Adds cybercrime to the list of terrorist acts
  – Strengthens provisions against aiding and abetting terrorists
• Unintended Outcomes
  – Since hackers are now terrorists, is publishing vulnerability information aiding and abetting?
Disclosure Forums
• Intended Outcomes
  – Get information to those who need it
• Unintended Outcomes
  – Puts information in the hands of the “bad guys”
Coalition for Internet Safety
• Intended Outcomes
  – Limit availability of information to “bad guys”
• Unintended Outcomes
  – Limit availability of information to everyone
Trends
• Increasing legislation
• Improving communication channels
• More and more research being done
• More vicious attacks
• Continuing penetration of Internet access
Probabilities
• Will the public demand security?
• Who will pay for security?
• A war on hackers/cyberterrorists?
• Lessons from recent events
• Security for the people?