Stanford CIS

Commercialization Panel

By Stanford Center for Internet and Society on


Commercialization panel with Sunil James of iDEFENSE, Simple Nomad of NMRC, and Shawn Hernan of CERT.  Chris Sprigman, Stanford CIS Fellow, is moderating again.

CS: Discuss whether commercialization provides motivation sufficient to facilitate discovery, disclosure and security, or does it have the opposite effect?

[Graham:  Suddenly realizing just how easy it is for all of these issues to get muddled together.  Probably a big factor in why it seems like progress takes a very long time to occur.]

Shawn Hernan:  Believes in capitalism and free speech.  However, societal considerations such as public safety must be considered.  What happens when a problem is discovered that threatens infrastructure such as hospitals, power plants, etc.?  How does and should academia structure curricula such that students are taught to act responsibly?

[Graham:  Distracted because I just received final confirmation that I'll be a delegate for CPSR to the Geneva Phase of the UN's World Summit on the Information Society.]

SH:  Commercialization of security/vulnerability can dramatically complicate the process of identifying and fixing security problems.  Certain amount of hubris in computer/network security community.  CERT mailing list is ~150,000 people; Bugtraq has ~50,000 subscribers, but episodes of "Friends" draw ~30,000,000 viewers!  Everything is relative, but security applies to everyone.

SH:  Would object to any model which restricts ability of vendors and/or public from knowing about security problems.

[ANNOYING CELL PHONE RINGS.  Jeez, people.  Make it vibrate or turn it off, eh?  It ain't tough.]

Chris Sprigman:  Pointed out that in recent episode of Friends, Joey discovers a vulnerability and Chandler exploits it.  [laughter]

Sunil James:  Voluntary contribution program brought to light serious discussion about commoditization of security information.

How do you trust information that is given to you, especially when said information is provided voluntarily?  Asserts that a company such as iDEFENSE can provide a heightened level of trust in such an environment by acting as a reliable intermediary [and presumably fact-checker -GF].

Simple Nomad:  Coming from a completely different perspective.  Actually has a small speech which may sound like (but is not intended to be) a rant.

Members of security research community are beginning to close ranks.  WIPO treaty signing and implementation (e.g. DMCA) is a big eye-opener, and scary.  Also, knee-jerk legislation such as USA PATRIOT act makes port-scanning into a potential terrorist act.  For example, as a security research project, SN might want to portscan entire IP address space of China.  However, doing so is now illegal as it could be construed as a precursor to an attack of a nation state and thus potential precursor to war.

This creates an environment which heightens the fundamental risk to researchers, which quickly stifles research which would otherwise be beneficial.  [Major paraphrasing on my part -GF]

[This guy is great.  Totally frank without being confrontational.  And I agree 95%. -GF]

Points out that spammers have been known to pay mid-4-figures for exploit code.  Met a couple of guys in Seattle who make 6-figure incomes making exploit code for spammers, but who won't work for Microsoft because they're evil.

Well, I guess it's past the statute of limitations...  Well, let's just say I used to do bad things.  How many people here are completely 100% law-abiding citizens? (one hand is raised out of a room of at least 100)
[GF: I admit to sharing my UNIX account with my friend in 1994.  It wasn't illegal, but it was against the AUP.]

As a result of this commercialization and harsher legal climate, security vulnerability disclosure is suffering, and consequently computer and network security as a whole suffers.  [Paraphrased.  -GF]  Less information is being made publicly available in favour of a commercialization, commoditization, and compartmentalization of security information.

Computer/network security is improving overall - e.g. firewalls, antivirus, etc.  However, research should be conducted in more of an academic style even within for-profit entities.  Information should be free.  Right on, man.

[Let me just reiterate my appreciation for Simple Nomad.  Smart, effective, but doesn't take himself too seriously. -GF]

SH:  No one reporting model fits everyone.  A mandate of one single reporting vehicle for everyone simply won't work.

Simple Nomad:  Concur.  Not much to add.

Chris Sprigman:  Are there situations where it makes sense to just disclose to the vendor, and not to anyone else?

Sunil:  Took that into account when creating disclosure model.  We notify the vendor first every time.  Customer is notified shortly thereafter.  Correct balance is tough to keep - vendor, customer, and public are all owed some degree of notification, but each situation differs from the last or the next.

Audience:  Q to iDEFENSE:  Who is your customer?  How do you know they're not terrorists/mobsters/etc.?

Sunil:  Haven't yet had reason to worry.  Investigation of customers such as banks and other well-known established companies is fairly easy.  Haven't yet had to deal with other types of (more risky) entities.

Audience:  As a faculty member of an Ivy League school which is fairly well known, am I eligible to be an iDEFENSE customer?

Sunil:  If you had an explicit need for such a service and could explain it, then the chances are reasonable.  [Very paraphrased. -GF]

Simple Nomad:  What if a law were passed which required software publishers to write and release a worm/virus/exploit for each vulnerability?  Actively propagating worms/viruses/etc. are highly motivational when it comes to encouraging folks to fix their systems.
