Full Disclosure Food for Thought
My personal jury is still out on disclosure policies ... I've had really good results performing private disclosures, although recently I found a gaping hole in a very important application and was told that their official policy is to not respond to disclosures at all, not even to return the email or phone call. Personally I think that is very, very bad and will take it up separately.
Despite there being arguments for and against full disclosure, the industry generally accepts the standard of performing a private disclosure then waiting a reasonable (which is as of yet undetermined) amount of time before announcing the vulnerability publicly.
My latest food for thought comes from an issue regarding the latest "security researcher" to get arrested. Note that the term "security researcher" is applied really loosely these days; it seems like people think that simply calling themselves a researcher provides carte blanche to do whatever they want ... a trend that is thankfully not apparent in other fields such as nuclear physics, microbiology and other areas where rogue "researchers" are not wanted.
This week's rogue researcher was a very young PhD candidate who realized that you could print your own falsified travel documents right at home. He created a site that would let you print a false boarding pass that, while not actually in the computer system and therefore wouldn't let you pass the gate check (where they scan the docs and validate them), would indeed let you bypass the TSA's No-Fly checks (which apparently occur strictly in the computer system). The TSA agents never authenticate a boarding pass; they simply authenticate those who present them by checking their ID.
This guy's already feeling the long arm of the law, namely the Justice Department, for his ridiculous indiscretions, but a recent note was posted: a US Senator had already completely disclosed the vulnerability in detail via a press release. Now, while it's generally accepted that all politicians are high-priced whores, particularly when it comes to such money-topics as Terrorism, the act of detailing a national physical vulnerability through the most visible means they have (a press release) is certainly extremely controversial. So while this 24-year-old kid - who's a criminal and an idiot - is getting busted and will probably be hit with the full NotAPatriot Act, an older, presumably more mature, more responsible Senator is just as complicit.
Link to Schumer's own Press Release on Senate.Gov: http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/2005/PR4123.aviationsecurity021305.html
And the official letter he sent to the TSA, dated at approximately the same time as the Press Release, resulting in zero response time allowed:
http://www.senate.gov/~schumer/SchumerWebsite/pressroom/Letters/TSA%20STONE%202-13-05.pdf
This story has been slashdotted, so don't expect those docs to stay online long. I'll try to mirror them.