Forwarded from: Emerson Tan <etat_private>

Under normal circumstances I don't post much to the ISN list. I hope people will forgive this indulgence.

It occurs to me that there are a number of fundamental problems and conflicts of interest here, most of which arise from the structure of the internet community and its relationship with real-world organisations and their own internal imperatives. I have attempted to list some of them here in bullet form, and at the end suggest one or two ideas for solutions.

a) In the real world, functions like security and emergency response and alerting are handled by the state or state-mandated bodies like the police or the fire service. They are paid for by people's taxes, and they are pretty universal, as they deal with public safety. However, there is no equivalent to any functions of the state for the internet community. Those organisations with global responsibility, such as ICANN, seem to be quite fractious, which is good for a democracy but no good if you need a rapid, co-ordinated, structured response. Corporates have the organisational structures needed for rapid structured response, but have problems that make them unsuited to providing universal services.

b) The profit imperative will always drive corporate entities to ration out information if there is nothing to stop them doing so in the way of regulation or a compelling business case. It should come as no surprise if Bugtraq and the like, now coming under the Symantec umbrella, should go first to paying customers. The general internet community has no stake in Symantec and therefore Symantec has no responsibility to the internet community at large. Rather, Symantec's shareholders call the shots, and it should come as no surprise that they want to maximise their investment. The same logic goes for Secunia: they might be small and Danish, but they are still bound by the same imperative.

c) Bodies like CERT, although nominally academic and non-corporate, are closed bodies. They are not subject to audit of their methods or their procedures. Furthermore, there is no way of imposing these on these bodies as, once again, they are not accountable to the community at large, their funding coming from a selection of bodies with only limited oversight.

Some ideas regarding potential solutions.

a) In the very recent past, a number of governments have started programs designed to protect their critical national infrastructures. These organisations, however, are local in scope and really focused on national needs. However, information technology threats are geography-independent: a vulnerability discovered in Spain is as likely to be used in an attack there as in the United States. Therefore, if these bodies are to have any role they must be internationally focused as well as being nationally based. If this criterion can be met, these organisations may provide the basis of an international network of infrastructure protection organisations capable of digesting vulnerability information and distributing alerts in some meaningful way in the absence of any global, accountable, not-for-profit body in the internet community. There should be an issue of transparency, of course, but this can be addressed, if only civil servants in participant countries will let it be so.

b) If these organisations are not up to the task, then an independent not-for-profit organisation should be founded. It would be subject to the following controls:

- Public audit of accounts.
- Public disclosure of donations over a minimum amount.
- Publication of methodology.
- Periodic published audit of methodology and performance.
- Published list of directors and executives.
- An oversight commission elected by affected and interested parties (everyone, effectively).

Transparency might inspire the kind of trust which seems to be missing from both corporate and governmental bodies, and oversight elections might give the body the legitimacy required to bring recalcitrant vendors and others who play badly into the system.

c) If this doesn't work, then there is always the option of everyone buying shares of Symantec stock. This gives the possibility of influencing corporate policy, in whichever direction one thinks is right with regard to this issue. It's not ideal, as I suspect the majority of institutional investors are less interested in global issues and with huge bloc votes could easily block any initiative that might hurt a profit margin. But it is better than no oversight at all.

These issues are going to come up repeatedly. The explosion in software development and the economic slowdown mean more vulnerabilities and a driving commercial imperative to squeeze revenue growth from a market that is no longer growing. At the same time, attempts to structure the release of security information for commercial reasons are obviously not a good idea, as it's no good being protected if your clients, business partners, and anyone with a machine capable of propagating a worm such as SQL Slammer or a DDoS attack aren't.

Security in the on-line world is both global and collaborative. We forget this at our peril.

Emerson Tan

InfoSec News wrote:

> http://www.eweek.com/article2/0,3959,974781,00.asp
>
> By Dennis Fisher
> March 25, 2003
>
> A Danish security company, angry over what it perceives as
> censorship on several popular mailing lists, is launching "a
> revolution to remove SecurityFocus and CERT from power."
>
> At present, the revolution consists of a new mailing list that will
> aggregate vulnerability advisories and other security-related
> reports from a variety of sources. Employees of Secunia Ltd. will
> take advisories from these sources, research and verify them and
> then submit them to the new list.
>
> The list, known as the Secunia Security Advisories List, is designed
> to compete with lists such as SecurityFocus' BugTraq and to
> complement more open lists, including VulnWatch and Full-Disclosure,
> Secunia executives say. Company executives are upset with the
> direction that BugTraq has taken since Symantec Corp. acquired
> SecurityFocus last year.
>
> "The problem with SecurityFocus is not that they moderate the lists,
> but the fact that they deliberately delay and partially censor the
> information," said Thomas Kristensen, chief technology officer of
> Secunia, based in Copenhagen, Denmark. "Since they were acquired by
> Symantec, they changed their policy regarding BugTraq. Before they
> used to post everything to everybody at the same time. Now they
> protect the interests of Symantec, delay information and inform
> their customers in advance. This is a problem as only companies who
> pay over $30,000 can get access to this information."
>
> Unlike some other security lists, BugTraq is actively moderated and
> therefore not every submission makes it onto the list.
>
> Full-Disclosure, for instance, is only lightly moderated, meaning
> that virtually all posts are approved and immediately sent to
> subscribers.
>
> SecurityFocus officials did not respond to a request for comment on
> this story.
>
> Secunia officials also take the CERT Coordination Center to task for
> its policy of providing some organizations with advance notice of
> vulnerability reports as part of a fee-based program in cooperation
> with the Internet Security Alliance.
>
> "At Secunia we feel that SecurityFocus has betrayed the community it
> used to serve so loyally, that's why we started Secunia," said
> Kristensen. "I believe that security information should be free, so
> that administrators can patch their systems and software developers
> can learn from the mistakes made by others."
>
> Secunia is a provider of security services and tools.

-- 
"None are more hopelessly enslaved than those who falsely believe they are free." - Goethe

Emerson Tan: Occasional freelance purveyor of ideas.
etat_private : PGP public key on request or from http://pgpkeys.mit.edu
PGP key fingerprint: 71E9 0C2A CD8F 44AC 4CA5 BB3D 09D4 0B6E 2734 DC72

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 04:22:38 PST