From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 1 Aug 2002 05:56:05 -0700 (PDT)
Subject: [iwar] Comment on DMCA, Security, and Vuln Reporting - a different view (fwd)

Rick's comments are sensible, and yet I find myself in disagreement on several points.

I manage risks, which come from threats, vulnerabilities, and consequences. In my view, the time to reveal information on a vulnerability to me is when this combination becomes important enough to me that the risk of not revealing it is higher than the risk of revealing it. Since there are different people in different situations, they need the information at different points. I have what I consider to be a legitimate need for the information as soon as it is known to the first person who knows it. As a result, the ideal situation for me would be to get full disclosure as the originator of the information thinks it up - before they even get it in their mind to try to build a sample exploit.

Unfortunately, you cannot readily reveal it to me and not reveal it to others because we don't have a good way to deal with the trust associated with different people. The CERT model is an example of this poorly done, in my view, because I don't get any of their information until long after I already know it and because it is designed to create an elite from those who pay to play. Naturally, my strongest enemies can afford to pay and can probably get the information without paying if they want to because they are willing to break laws to do it.

The notion of prosecution for what I consider to be free speech is another issue we seem to be missing. I understand that crying 'fire' in a crowded theater is not permitted under the constitution, but it seems to me that revealing computer weaknesses is no different than revealing any other information of a similar sort. For example, information on locksmithing is perfectly legal. Possession of lock picks is generally a misdemeanor, but there is an affirmative defense against prosecution for anyone who is a locksmith or even a security consultant with some legitimate need for it. This might be a good model for exploits. It is legal to reveal information, but possession is illegal with an affirmative defense in that I am a professional engaged in protection of information systems.

I do not agree that confidentiality of information is mutually exclusive from integrity of systems that hold the information. I do, however, think that there is a difference between mechanisms that are active in that they 'do something' as opposed to content that is passive in that it is presented to people. I understand well the notions underlying this and I am of the belief that mechanisms, like engines, should not be subject to protection under copyright, but rather revealed under patent protection so that all can learn from them and discuss them. Content, like movies and songs, is content that is presented and not really active in the sense of having Turing capability.

If I were to make a rule today, it would be that:

- Information on vulnerabilities is legal under free speech.
- Specific mechanisms (including software) for breaking into systems are illegal to possess (a misdemeanor) but there is an affirmative defense for anyone whose job it is to defend systems.
- Anything that is active is not subject to copyright protection, may be patented if it meets the necessary standard of patents, and must be revealed OR kept as trade secret.
- Anything that is passive is not subject to patent protection, may be copyrighted, and must be revealed as part of the process of copyright OR kept as a trade secret.

Trade secret protection can be applied to any intellectual property, but requires that the owner protect it from being revealed. As soon as someone finds it out (i.e., by disassembling the binary if it is widely distributed) and publishes it, it is no longer trade secret, so this is not viable for software.

This would then mean that full disclosure of vulnerability information would be widely available, that the responsibility for possession would lie in the hands of the person possessing it, and free speech would remain intact.

FC

--This communication is confidential to the parties it is intended to serve--
Fred Cohen          Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net          The University of New Haven.....http://www.unhca.com/
http://all.net/     Sandia National Laboratories....tel:925-294-2087
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT