antdude (Matrix Ant, Premium Member, join: 2001-03-25, US), 3 recommendations
Petition: make it safe to report security flaws in computers

»petitions.whitehouse.gov ··· DHzwhzLD from
»boingboing.net/2014/10/0 ··· epo.html

"Software now runs consumer products and critical systems that we trust with our safety and security. For example, cars, medical devices, voting machines, power grids, weapons systems, and stock markets all rely on code. While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. Chilling research puts us all at risk. Protect the public from unsafe code and help us to protect ourselves. Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."

Will this work? :P

jaykaykay (4 Ever Young, MVM, join: 2000-04-13, USA), 1 recommendation

This is totally sad!!!

Signatures needed by November 02, 2014 to reach goal of 100,000

99,347

653 Total signatures on this petition

NetFixer (From My Cold Dead Hands, Premium Member, join: 2004-06-24, The Boro), 1 recommendation

said by jaykaykay:

This is totally sad!!!

Signatures needed by November 02, 2014 to reach goal of 100,000

99,347

653 Total signatures on this petition

I suspect that many people who understand the issue also understand that nothing is going to change just because of an on-line petition. They understand who actually owns and runs this country (and also understand that by just signing the petition, they may become targets).

OZO (Premium Member, join: 2003-01-17), 1 recommendation, to antdude
antdude, thank you for bringing our attention to this issue. I've signed the petition.

I think both DMCA and CFAA should be modified to facilitate and even encourage security-related research for the sake of all Internet users and not just for some big corporations, who think they own this media.

I'm living in the country where people are not afraid to say who owns and runs this country and want to participate in the process to make it better without being afraid that if they express their voices, they become targets...

DrStrange (Technically feasible, Premium Member, join: 2001-07-23, Bristol, CT), 1 recommendation, to antdude
I signed the petition. I'd really rather see DMCA repealed, but we need to choose our battles.

Link Logger (MVM, join: 2001-03-29, Calgary, AB), to OZO
said by OZO:

I think both DMCA and CFAA should be modified

How would you modify them?

I wouldn't sign this petition as it says nothing about what changes are needed and why, so it's pointless at best and dangerous at worst.
said by OZO:

who think they own this media

???

Blake

DownTheShore (Pray for Ukraine, Premium Member, join: 2003-12-02, Beautiful NJ), to antdude
Signed.
OZO (Premium Member, join: 2003-01-17), 2 recommendations, to Link Logger
Have you read the petition? It actually says what should be reformed/changed in DMCA and CFAA:

They (corporations) instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act.

(text in italic is mine)

We need to encourage security researchers, not to threaten them with criminal and civil actions. That will benefit all of us, Internet users.

And BTW, I agree with DrStrange. I'd really rather see DMCA repealed as it serves mostly corporations trying to turn the Internet into their own cash machine...

Link Logger (MVM, join: 2001-03-29, Calgary, AB)

said by OZO:

We need to encourage security researchers, not to threaten them with criminal and civil actions. That will benefit all of us, Internet users.

Who has been threatened? I've never had any problems for example.

As far as DMCA goes, let's start simple here and work our way up. First, do you believe in copyrights in general or ownership of intellectual property?

Blake
OZO (Premium Member, join: 2003-01-17)

This thread is about Internet security and research in that field, not about copyright or intellectual property. So, don't try to divert us from focusing on the main topic... I believe that Internet security is important for all Internet users, not only for copyright owners...

Link Logger (MVM, join: 2001-03-29, Calgary, AB)

said by OZO:

This thread is about Internet security and research in that field, not about copyright or intellectual property.

So you are saying for the sake of 'security' copyrights and intellectual property rights can be ignored? In the context of this petition copyright and intellectual property are very much the topic otherwise why does this petition exist?

Blake
OZO (Premium Member, join: 2003-01-17)

This petition exists because of the reasons already mentioned in my previous post. Again, please read the petition...

Link Logger (MVM, join: 2001-03-29, Calgary, AB), 1 recommendation

I've read the petition repeatedly; all it says about what it wants to do is:

Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software.

What the hell does that mean? Do I have to get a license to be a registered researcher so I'm able to have special DMCA and CFAA privileges or what? What reforms do they want to make?

Blake

goalieskates (Premium Member, join: 2004-09-12, land of big), to antdude
said by antdude:

Will this work? :P

Doubt it.

It's not that the concerns aren't valid (they are), but the White House has been known to reject / ignore petitions. Signing them makes everybody feel like they're "doing something," but I'm not convinced they're effective.

ashrc4 (Premium Member, join: 2009-02-06, australia), 1 recommendation, to antdude
Swapping frustration from responsible research to allowing the general public (including exploiters) to freely trade significant intel on exploits/software on the face of it sounds totally irresponsible.
The "more hands make light work" sales pitch does not make much of a necessity. In fact, the counter-arguments of controlling exploit info and protecting intellectual property have far more merit.
That is why these departments exist in the first place.
If change is needed for them, I don't think this petition knows how to solve it.
James_C (Member, join: 2007-08-03, Florence, KY), to antdude
The problem is the pretend white-hat hackers want to publish the vulnerability to the world at large to gain fame, essentially doing the opposite of making a product more secure by immediately jeopardizing everyone using it by pointing out the flaw to those who would like some exploits served up to them as far as where and how.

To put it another way, if I were a burglar your home is not more secure from me by someone telling everyone that your doors are unlocked. If I were a burglar I'd immediately go there so your odds of being robbed go up exponentially.

I think it should be a requirement that any exploits or bugs be made known to the developer exclusively for a certain period of time before they should be allowed to be disclosed to anyone else, and that time also being long enough to allow the developer to deploy the fix to all customers.

Snowy (Lock him up!!!, Premium Member, join: 2003-04-05, Kailua, HI)

said by James_C:

The problem is the pretend white-hat hackers want to publish the vulnerability to the world at large to gain fame, essentially doing the opposite of making a product more secure by immediately jeopardizing everyone using it by pointing out the flaw to those who would like some exploits served up to them as far as where and how.

I agree with that because that's how it often happens.
said by James_C:

I think it should be a requirement that any exploits or bugs be made known to the developer exclusively for a certain period of time before they should be allowed to be disclosed to anyone else, and that time also being long enough to allow the developer to deploy the fix to all customers.

I disagree with that because it removes incentive.
James_C (Member, join: 2007-08-03, Florence, KY)

I don't think incentive is a good thing if what it is doing is causing a constant state of exploits so insecurity is higher than ever. Some code flaws go on for years never to be discovered so nobody is ever exploited through them.

I refer back to my notion about someone's door being unlocked. I don't want someone to have incentive to go around checking whether my door is unlocked then announce it to the world when they find out. I'd much prefer they either didn't know or came to me and told me first so I had a chance to go lock it.

We really shouldn't give incentive to people who seek to profit from making us less secure.

Snowy (Lock him up!!!, Premium Member, join: 2003-04-05, Kailua, HI)

said by James_C:

We really shouldn't give incentive to people who seek to profit from making us less secure.

The incentive for the bad guys is always going to be present.
Remove financial incentive from everyone else & you'd have a field of research dominated by the bad guys, IMO.
I wouldn't feel more secure in that scenario.
James_C (Member, join: 2007-08-03, Florence, KY), 1 recommendation

Not really. The incentive for the bad guys isn't there until some tool decides to announce a way to exploit a flaw. That makes it 1000X less work for the bad guys. It hands them a way to breach security when most are too lazy to make an effort, or else they'd have a normal life, earning a living and using their earnings for legit leisure activities.

Remove financial incentive and most of the flaws are never found so instead of constant insecurity, nobody knows how to do an exploit that they don't know even exists.

Remember something. There is no such thing as being truly secure. There is only how hard you make it to exploit something. By not revealing any way to exploit something you make it much much MUCH harder than pretending to be noble by announcing how to do it.

Again I revert back to the example I posed that you seem to keep refusing to acknowledge as common sense. If you leave your home door unlocked, which is less secure? Is it less secure if nobody knows you did it, or is it less secure if someone announces to the public that you left the door unlocked? Do you really want someone to have incentive to announce to the public that your door is unlocked? IMO you have no common sense.

Snowy (Lock him up!!!, Premium Member, join: 2003-04-05, Kailua, HI), 1 recommendation

said by James_C:

Again I revert back to the example I posed that you seem to keep refusing to acknowledge as common sense.

Your analogy cuts corners to fit.
It omits the fact that not only does it announce to the world that my front door is unlocked but it also announces every unlocked front door in the entire world!
said by James_C:

IMO you have no common sense.

OK, some things we can agree on.

btw, I'm curious how a ban on public disclosure in the US will affect researchers abroad?
Is extradition doable or would this be a one world order type of thing where the United Network Command for Law and Enforcement (U.N.C.L.E.) would deploy enforcement agents such as Kuryakin & Solo to dispense sure justice on the miscreants that break world order law?
James_C (Member, join: 2007-08-03, Florence, KY)

You win due to my apathy.

Snowy (Lock him up!!!, Premium Member, join: 2003-04-05, Kailua, HI)

said by James_C:

You win due to my apathy.

Yeah, I'm sure my brilliant insight, coupled with a mastery of the language didn't factor in because it went >>>>Vrooom>>>> as it flew unnoticed over your head. LOL

DrStrange (Technically feasible, Premium Member, join: 2001-07-23, Bristol, CT), 1 recommendation, to Snowy
+1 for The Man from U.N.C.L.E.

That was one of my favorite shows as a kid.