[iwar] Comment on DMCA, Security, and Vuln Reporting - a different view (fwd)

From: Fred Cohen (fc@all.net)
Date: 2002-08-01 05:56:05


To: iwar@onelist.com (Information Warfare Mailing List)

Rick's comments are sensible, and yet I find myself in disagreement on
several points. 

I manage risks, which come from threats, vulnerabilities, and
consequences.  In my view, the time to reveal information on a
vulnerability to me is when this combination becomes important enough to
me that the risk of not revealing it is higher than the risk of
revealing it.  Since there are different people in different situations,
they need the information at different points.  I have what I consider
to be a legitimate need for the information as soon as it is known to the
first person who knows it.  As a result, the ideal situation for me
would be to get full disclosure as the originator of the information
thinks it up - before they even get it in their mind to try to build a
sample exploit.

Unfortunately, you cannot readily reveal it to me and not reveal it to
others because we don't have a good way to deal with the trust
associated with different people.  The CERT model is an example of this
poorly done, in my view, because I don't get any of their information
until long after I already know it and because it is designed to create
an elite from those who pay to play.  Naturally, my strongest enemies
can afford to pay and can probably get the information without paying if
they want to because they are willing to break laws to do it.

The notion of prosecution for what I consider to be free speech is
another issue we seem to be missing.  I understand that crying 'fire' in
a crowded theater is not permitted under the constitution, but it seems
to me that revealing computer weaknesses is no different than revealing
any other information of a similar sort.  For example, information on
locksmithing is perfectly legal.  Possession of lock picks is generally
a misdemeanor, but there is an affirmative defense against prosecution
for anyone who is a locksmith or even a security consultant with some
legitimate need for it.  This might be a good model for exploits.  It is
legal to reveal information, but possession is illegal with an
affirmative defense in that I am a professional engaged in protection of
information systems.

I do not agree that confidentiality of information is mutually exclusive
from integrity of systems that hold the information.  I do, however,
think that there is a difference between mechanisms that are active in
that they 'do something' as opposed to content that is passive in that
it is presented to people.  I understand well the notions underlying
this and I am of the belief that mechanisms, like engines, should not be
subject to protection under copyright, but rather revealed under patent
protection so that all can learn from them and discuss them.  Content,
like movies and songs, is presented and is not really active in the
sense of having Turing capability.

If I were to make a rule today, it would be that:

	- Information on vulnerabilities is legal under free speech.

	- Specific mechanisms (including software) for breaking into
	systems are illegal to possess (a misdemeanor), but there is an
	affirmative defense for anyone whose job it is to defend systems.

	- Anything that is active is not subject to copyright protection,
	may be patented if it meets the necessary standard of patents,
	and must be revealed OR kept as trade secret.

	- Anything that is passive is not subject to patent protection,
	may be copyrighted, and must be revealed as part of the process
	of copyright OR kept as a trade secret.

Trade secret protection can be applied to any intellectual property, but
requires that the owner protect it from being revealed.  As soon as
someone finds it out (i.e., by disassembling the binary if it is widely
distributed) and publishes it, it is no longer trade secret, so this is
not viable for software.

This would then mean that full disclosure of vulnerability information
would be widely available, that the responsibility for possession would
lie in the hands of the person possessing it, and free speech would
remain intact.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087

This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT