The Public Opinion on Lynn's Disclosure
Topic: Computer Security 11:32 pm EDT, Aug  1, 2005

Technorati has been a great tool for surfing public opinion over CiscoGate (which I actually prefer to call the Ciscopocalypse...).

Here are a few blog posts worth parsing. The best of the crop is from John S. Quarterman, the CEO of InternetPerils, who rounds up a number of articles and comments on them:

As for disclosure, not only were the plaintiffs not able to restrain the Internet nor the bloggers nor the press, Michael Lynn didn't even have to quit his job and give the presentation to get his point across. He could have just stood up there and said he couldn't give the presentation, and it's pretty likely a copy of the PDF would have made its way to the Internet within two days anyway.

That part I did not agree with. Integrity is best served real.

This isn't really about Cisco; the principles illustrated here are larger than that. Security by obscurity just doesn't work, no matter how big you are, and even if you have the law backing you up.

Which would you rather have? A public relations disaster brought on by not disclosing a fixed vulnerability? Or a reputation burnished by assisting security researchers in publishing such a vulnerability?

Bruce Schneier, CTO of Counterpane Internet Security, chimed in very early on:

The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security. (I've written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe.

Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced.

The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning.

I can't imagine the discussions inside Cisco that led them to act like thugs. I can't figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can't believe that they thought they could have censored the information by their actions, or even that it was a good idea.

And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.

And of course, it's been noted that Cisco is going after any place that has posted Mike's presentation...
