[Dailydave] [Regs] Did the list just Die?
k8ek8e at gmail.com
Wed Sep 9 12:15:30 EDT 2015
Those who don't know history are doomed to repeat it.
There have been multiple attempts at gathering all the stakeholders and
trying to gain consensus on vulnerability disclosure principles, even when
This was just one example. There are many others.
Vulnerability disclosure is something where reasonable people will continue
to disagree on the best way to minimize risk.
This fundamental disagreement and source of tension will not shift very
much until organizations have better and more consistent responses to
There are plenty of open problems in vulnerability coordination that are
solely vendor ecosystem issues, like the complexity in coordinating across
a hardware and software supply chain (e.g. a mobile phone has hardware,
software, users, and service providers as stakeholders that play a role in
the security level of that device at any given time). Another open problem
in vendor to vendor vulnerability coordination is illustrated by
Heartbleed, when a widely deployed library is affected and a coordinated
public disclosure and simultaneous patch rollout is warranted.
Both of the above, as well as driving the adoption of the existing ISO
standards (29147, 30111) aimed at improving vendor vulnerability response,
are ways that vendors and coordinators can improve the current state of
vulnerability coordination and disclosure in a multistakeholder meetup
whose goal it is to agree on principles.
Security researchers are not the biggest problem in the realm of
vulnerability disclosure. Vendors wrote the buggy software. Vendors are the
ones who need to figure out better ways of dealing with that fact, with all
the stakeholders including security researchers, their partners, and their
We should be working on improving true multistakeholder vulnerability
coordination, that has much more to do with vendor capabilities and
willingness to coordinate than it does with hacker behavior, as illustrated
in the examples above, not redoing the basic vulnerability disclosure
principles that have been described and agreed upon (or not) multiple times
Ok, so here's what I get from talking to Allan about it briefly last week.
It reminds me a whole lot of the 2003 Loya Jirga
<https://en.wikipedia.org/wiki/2003_loya_jirga> convened in Afghanistan,
for ALL THE RIGHT REASONS.
I mean, if you ask the question "Does the status quo work for you?" enough,
then people will want to come to the table, because no, clearly it is not
And in theory, you can then force some sort of "consensus" from whoever
shows up, either by excluding the most contentious defenders of their
positions or by simply finding a middle ground that is so banal that it is
palatable. "Everyone is for cute puppies, right? As a principle?"
Then in theory you can take this statement of principles to the people who
are trying to rework the CFAA and related bills and say "Look, people are
FOR PUPPIES, so maybe we shouldn't throw everyone in jail all the time for
incrementing numbers in the URL bar?"
There are two major problems with this extremely expensive Vulnerability
Management Loya Jirga:
The first is that clearly you only get a veneer of respectability for any
statement of principles. Oracle is NOT an outlier with their opinions
on how copyright allows them to deal with vulnerability researchers. And
researchers are of many many minds, but pretty much rightfully wary of any
attempt to put an official imprint on what way is "responsible" when it
comes to releasing or handling vulnerabilities, even at its most watered
down way. We JUST got over Microsoft trying to enforce the rules of
responsible disclosure, and I don't think anyone wants to go backwards on
that. One day is maybe enough to discuss an introduction to the problems
involved, assuming nobody sleeps or eats or uses the bathroom, even though
only .01% of the interested stakeholders will be in the room or watching
the video feed.
The second major issue is of course the stick. The current stick for a lot
of this is "Congress is going to make a law. It is inevitable. Don't you
want to help them do it right?" The natives hear this and are perfectly
willing to play stupid even though they know for a fact that this is by no
means inevitable. We have an administration on the way out and Congress's
basic policy is lockjam. Much like in Afghanistan, where everyone knows
that you can wait out the occupation, any time a stakeholder feels it is
losing their position, they're going to ask a few thousand pertinent
questions and push the issue back about 16 months.
And of course there's no talk of a backup plan. What happens if there's NO
consensus? This is what worries me the most. When failure is not an option,
then it is unfortunately guaranteed.
Here's what will happen: A consensus will be forced. SOME documented set of
"principles" will be taken to people writing bills. That is not necessarily
Mission Accomplished, but it's sometimes close enough to write a Washington
Post article about...
On Mon, Aug 31, 2015 at 4:09 PM Claus C. Houmann <cch at improveit.dk> wrote:
> I'm not from the U.S. and my POV might be both irrelevant to you and
> wrong, but it seems to me that if all US interest groups could work
> together on this, you might have a chance at avoiding further, future
> legislation that would hamper even more than any compromise now
> Claus Cramon Houmann
> > On 31 Aug 2015, at 21:55, Jason <jason at brvenik.com> wrote:
> > My $.02 - If the only output is an agreement that mutual respect
> > coupled with an understanding that one of N possible paths is the
> > typical outcome for the unagreed term "vulnerability" I would
> > consider it a net positive.
> > It is clear something is going to be done and we need to involve if
> > only to minimize the potential negative outcomes of that something.
> >> On Mon, Aug 31, 2015 at 2:44 PM, Dave Aitel <dave.aitel at gmail.com>
> >> I'm watching his BSides talk now. Lots of times people disagree because
> >> have valid opposing views and interests.
> >> Vulnerability disclosure is one of those times. What do they do if they
> >> can't come to a "consensus"? Just give up, or propose a standard that
> >> pleases nobody?
> >> I haven't spoken to him yet, but I don't think you can come to a
> >> on defining what a vulnerability is, let alone what to do about them,
> >> assuming something must be done.
> >> -dave
> >>> On Mon, Aug 31, 2015 at 3:41 PM Jason <jason at brvenik.com> wrote:
> >>> I spoke with him and my take is that there is a sincere desire to
> >>> better understand the various constituencies and differing needs and
> >>> that through a collaborative effort perhaps we can find a normative
> >>> set of principles that everyone agrees on and from there begin to
> >>> address the differing needs. To me it seems a lofty goal but one
> >>> worthy of pursuit in a forum more conducive than a mailing list.
> >>> On Mon, Aug 31, 2015 at 2:13 PM, Jennifer Granick
> >>> <jennifer at law.stanford.edu> wrote:
> >>>> I'll be attending this meeting on 9/29.
> >>>> Via Twitter I asked Allen Friedman who is organizing this meeting why
> >>>> this is on Commerce's agenda and I was told that they want to "expand
> >>>> norms:
> >>>> awareness, adoption, adaptation, innovation of practices &
> standards". I
> >>>> asked what the problem was they were trying to solve, but no answer.
> >>>> invited me and others to contact him further, but I'm not sure a
> >>>> conversation is anything but a waste of time. I think NTIA should
> >>>> publicly
> >>>> justify its efforts and interest here. My guess from Twitter chat is
> >>>> that
> >>>> Friedman has heard a number of complaints and thinks it would be a
> >>>> idea for all the "stakeholders" to get in a room and compromise. My
> >>>> is
> >>>> that the fact that people complain is not necessarily a good reason to
> >>>> do
> >>>> anything about their complaints.
> >>>> J
> >>>> Jennifer Stisa Granick
> >>>> Director of Civil Liberties
> >>>> Stanford Center for Internet and Society
> >>>> 559 Nathan Abbott Way
> >>>> Stanford, CA 94305
> >>>> 650.736.8675
> >>>> jennifer at law.stanford.edu
> >>>>> On Mon, Aug 31, 2015 at 12:01 PM, Jason <jason at brvenik.com> wrote:
> >>>>> Surprised to not see follow on conversations and no commentary
> >>>>> regarding the NTIA announcement.
> >>>>> "NTIA will convene meetings of a multistakeholder process concerning
> >>>>> the collaboration between security researchers and software and
> >>>>> developers and owners to address security vulnerability disclosure."
> >>>>> _______________________________________________
> >>>>> Regs mailing list
> >>>>> Regs at alchemistowl.org
> >>>>> https://lists.alchemistowl.org/mailman/listinfo/regs