A Politics of

Vulnerability Reporting

Black Hat Briefings, Europe 2001

Scott Blake
Director of Security Strategy
BindView Corporation/RAZOR Research
Agenda

• Introduction
– What is Politics?
• The Past and Present
– Ideologies, Actors, and Initiatives
• The Future
– Trends and Probabilites

November 10, 2009

What is Politics?

• The study of power

– Power is the ability to make one do what
one would not otherwise do.
• Important Terms
– Actor: One who uses or is subject to power
– Ideology: A set of beliefs or ideas
– Legitimacy: In accordance with established
standards or patterns
– Authority: Legitimate power
November 10, 2009
Ideologies

• Full disclosure
• Zero disclosure
• Responsible Disclosure

November 10, 2009

Full Disclosure

• Tenets
– Information wants to be free
– Use the power of public opinion to make
vendors improve code
– Exploit code is more useful than destructive
• Adherents
– Most non-profit researchers
– Very few commercial researchers

November 10, 2009

Zero Disclosure

• Tenets
– Responsibility for fixing vulnerabilities lies with
software vendor
– Authors of software should control information
relating to that software
– There is no public good in broad availability of
vulnerability information
• Adherents
– Many software vendors
– Many government actors
– Much of the Public

November 10, 2009

Responsible Disclosure

• Tenets
– Exploit code causes more problems than it solves
– Broad dissemination of vulnerability information is
required to improve security awareness
– Use the power of public opinion to make vendors
improve code
• Adherents
– Most commercial researchers
– Some notable software vendors

November 10, 2009

The Actors

• Vendors
• Researchers
• Governments
• Media
• The Public

November 10, 2009

Vendors

• Motivators
– Shareholder value
• Financing
– Software Sales
• Interests
– Limit damage to brand value
– Limit vulnerability of customers
– Sell more software
• Power Relations
– Often try to prevent public disclosure of vulnerability
information through legal action, market leverage,
lobbying
November 10, 2009
Researchers

• Motivators
– Advance state of the art
– Build more security
– Build name recognition/peer respect
• Financing
– Day Job
– Customers (Grant, Contract)
– Software sales

November 10, 2009

Researchers (2)

• Interests
– Continue financing source
– Maintain/extend reputation
• Power Relations
– Hobbyists are largely free from external influence
providing the day job does not interfere
– Academic and consultative researchers are largely
beholden to their funding source, but different
funders set different restrictions
– Commercially-sponsored researchers are beholden
to the parent company’s interests

November 10, 2009

Governments

• Motivators
– Technocratic perception of public good
• Financing
– Taxes
– Campaign Contributions
• Interests
– Economic growth
– Public Safety
• Power Relations
– Prosecution of criminal or negligent behavior
– Large purchaser of information technology
November 10, 2009
The Media

• Motivators
– “All the news that’s fit to print”
• Financing
– Advertisements
– Subscribers
• Interests
– More readers
• Power Relations
– Very powerful creators of brand, image
– Influencers of public perception

November 10, 2009

The Public

• Motivators
– Too chaotic to be relevant
• Financing
– Too chaotic to be relevant
• Interests
– Stable, secure software
• Power Relations
– Wields tremendous power, but very difficult
to direct in any specific direction

November 10, 2009

Initiatives

• Council of Europe Cybercrime Treaty

• US Anti-terrorism legislation
• Disclosure Forums
• Coalition for Internet Safety

November 10, 2009

Council of Europe’s
Cybercrime Treaty

• Intended Outcomes
– Harmonize and update European computer
crime laws
• Unintended Outcomes
– Potential for mis-implementation of tools
provisions may have chilling effect on
research
– Language pertaining to intent may lead to
certification requirements for security
practitioners

November 10, 2009

USA’s PATRIOT Act

• Intended Outcomes
– Adds cybercrime to list of terrorist acts
– Strengthens provisions against aiding and
abetting terrorists
• Unintended Outcomes
– Since hackers are now terrorists, is
publishing vulnerability information aiding
and abetting?

November 10, 2009

Disclosure Forums

• Intended Outcomes
– Get information to those who need it
• Unintended Outcomes
– Puts information in the hands of the “bad
guys”

November 10, 2009

Coalition for Internet Safety

• Intended Outcomes
– Limit availability of information to “bad
guys”
• Unintended Outcomes
– Limit availability of information to everyone

November 10, 2009

Trends

• Increasing legislation
• Improving communication channels
• More and more research being done
• More vicious attacks
• Continuing penetration of Internet
access

November 10, 2009

Probabilities

• Will the public demand security?

• Who will pay for security?
• A war on hackers/cyberterrorists?
• Lessons from recent events
• Security for the people?

November 10, 2009