antdudeMatrix Ant Premium Member join:2001-03-25 US
3 recommendations |
antdude
Premium Member
2014-Oct-8 11:18 am
Petition: make it safe to report security flaws in computers
» petitions.whitehouse.gov ··· DHzwhzLD from » boingboing.net/2014/10/0 ··· epo.html

"Software now runs consumer products and critical systems that we trust with our safety and security. For example, cars, medical devices, voting machines, power grids, weapons systems, and stock markets all rely on code. While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. Chilling research puts us all at risk. Protect the public from unsafe code and help us to protect ourselves. Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."

Will this work? :P |
|
1 recommendation |
This is totally sad!!!
Signatures needed by November 02, 2014 to reach goal of 100,000: 99,347
Total signatures on this petition: 653
|
|
NetFixerFrom My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
1 recommendation |
NetFixer
Premium Member
2014-Oct-8 9:34 pm
said by jaykaykay:
This is totally sad!!!
Signatures needed by November 02, 2014 to reach goal of 100,000: 99,347
Total signatures on this petition: 653

I suspect that many people who understand the issue also understand that nothing is going to change just because of an on-line petition. They understand who actually owns and runs this country (and also understand that by just signing the petition, they may become targets). |
|
OZO Premium Member join:2003-01-17
1 recommendation |
to antdude
antdude - thank you for bringing our attention to this issue. I've signed the petition. I think both DMCA and CFAA should be modified to facilitate and even encourage security-related research for the sake of all Internet users and not just for some big corporations, who think they own this media. I'm living in the country, where people are not afraid to say who owns and runs this country and want to participate in the process to make it better without being afraid that if they express their voices, they become targets... |
|
DrStrangeTechnically feasible Premium Member join:2001-07-23 Bristol, CT
1 recommendation |
to antdude
I signed the petition. I'd really rather see DMCA repealed, but we need to choose our battles. |
|
|
to OZO
said by OZO:
I think both DMCA and CFAA should be modified

How would you modify them? I wouldn't sign this petition as it says nothing about what changes are needed and why, so it's pointless at best and dangerous at worst.

said by OZO:
who think they own this media

???

Blake |
|
DownTheShorePray for Ukraine Premium Member join:2003-12-02 Beautiful NJ |
to antdude
Signed. |
|
|
OZO Premium Member join:2003-01-17
2 recommendations |
to Link Logger
Have you read the petition? It actually says what should be reformed/changed in DMCA and CFAA:

They (corporations) instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. (text in italic is mine)

We need to encourage security researchers, not to threaten them with criminal and civil actions. That will benefit all of us, Internet users.

And BTW, I agree with DrStrange. I'd really rather see DMCA repealed as it serves mostly corporations trying to turn the Internet into their own cash machine... |
|
|
said by OZO:
We need to encourage security researchers, not to threaten them with criminal and civil actions. That will benefit all of us, Internet users.

Who has been threatened? I've never had any problems for example. As far as DMCA goes, let's start simple here and work our way up, first do you believe in copyrights in general or ownership of intellectual property?

Blake |
|
OZO Premium Member join:2003-01-17 |
OZO
Premium Member
2014-Oct-9 12:08 am
This thread is about Internet security and research in that field, not about copyright or intellectual property. So, don't try to divert us from focusing on the main topic... I believe that Internet security is important for all Internet users, not only for copyright owners... |
|
|
said by OZO:
This thread is about Internet security and research in that field, not about copyright or intellectual property.

So you are saying for the sake of 'security' copyrights and intellectual property rights can be ignored? In the context of this petition copyright and intellectual property are very much the topic otherwise why does this petition exist?

Blake |
|
OZO Premium Member join:2003-01-17 |
OZO
Premium Member
2014-Oct-9 3:19 am
This petition exists because of the reasons already mentioned in my previous post. Again, please read the petition... |
|
1 recommendation |
I've read the petition repeatedly; all it says about what it wants to do is, quote: "Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."
What the hell does that mean? Do I have to get a license to be a registered researcher so I'm able to have special DMCA and CFAA privileges or what? What reforms do they want to make? Blake |
|
|
to antdude
Doubt it. It's not that the concerns aren't valid (they are), but the White House has been known to reject / ignore petitions. Signing them makes everybody feel like they're "doing something," but I'm not convinced they're effective. |
|
ashrc4 Premium Member join:2009-02-06 australia
1 recommendation |
to antdude
Swapping frustration from responsible research to allowing the general public (including exploiters) to freely trade significant intel on exploits/software on the face of it sounds totally irresponsible. The "more hands make light work" sales pitch does not make much of a necessity. In fact the counter-arguments of controlling exploit info and protecting intellectual property have far more merit. Why these departments exist in the first place. If change is needed for them I don't think this petition knows how to solve it. |
|
|
to antdude
The problem is the pretend white-hat hackers want to publish the vulnerability to the world at large to gain fame, essentially doing the opposite of making a product more secure by immediately jeopardizing everyone using it by pointing out the flaw to those who would like some exploits served up to them as far as where and how.
To put it another way, if I were a burglar your home is not more secure from me by someone telling everyone that your doors are unlocked. If I were a burglar I'd immediately go there so your odds of being robbed go up exponentially.
I think it should be a requirement that any exploits or bugs be made known to the developer exclusively for a certain period of time before they should be allowed to be disclosed to anyone else, and that time also being long enough to allow the developer to deploy the fix to all customers. |
|
SnowyLock him up!!! Premium Member join:2003-04-05 Kailua, HI |
Snowy
Premium Member
2014-Oct-9 10:54 pm
said by James_C:
The problem is the pretend white-hat hackers want to publish the vulnerability to the world at large to gain fame, essentially doing the opposite of making a product more secure by immediately jeopardizing everyone using it by pointing out the flaw to those who would like some exploits served up to them as far as where and how.

I agree with that because that's how it often happens.

said by James_C:
I think it should be a requirement that any exploits or bugs be made known to the developer exclusively for a certain period of time before they should be allowed to be disclosed to anyone else, and that time also being long enough to allow the developer to deploy the fix to all customers.

I disagree with that because it removes incentive. |
|
|
I don't think incentive is a good thing if what it is doing is causing a constant state of exploits so insecurity is higher than ever. Some code flaws go on for years never to be discovered so nobody is ever exploited through them.
I refer back to my notion about someone's door being unlocked. I don't want someone to have incentive to go around checking whether my door is unlocked then announce it to the world when they find out. I'd much prefer they either didn't know or came to me and told me first so I had a chance to go lock it.
We really shouldn't give incentive to people who seek to profit from making us less secure. |
|
SnowyLock him up!!! Premium Member join:2003-04-05 Kailua, HI |
Snowy
Premium Member
2014-Oct-9 11:42 pm
said by James_C:
We really shouldn't give incentive to people who seek to profit from making us less secure.

The incentive for the bad guys is always going to be present. Remove financial incentive from everyone else & you'd have a field of research dominated by the bad guys, IMO. I wouldn't feel more secure in that scenario. |
|
1 recommendation |
Not really. The incentive for the bad guys isn't there until some tool decides to announce a way to exploit a flaw. That makes it 1000X less work for the bad guys. It hands them a way to breach security when most are too lazy to make an effort or else they'd have a normal life, earning a living and using their earnings for legit leisure activities.
Remove financial incentive and most of the flaws are never found so instead of constant insecurity, nobody knows how to do an exploit that they don't know even exists.
Remember something. There is no such thing as being truly secure. There is only how hard you make it to exploit something. By not revealing any way to exploit something you make it much much MUCH harder than pretending to be noble by announcing how to do it.
Again I revert back to the example I posed that you seem to keep refusing to acknowledge as common sense. If you leave your home door unlocked, which is less secure. Is it less secure if nobody knows you did it, or is it less secure if someone announces to the public that you left the door unlocked? Do you really want someone to have incentive to announce to the public that your door is unlocked? IMO you have no common sense. |
|
SnowyLock him up!!! Premium Member join:2003-04-05 Kailua, HI
1 recommendation |
Snowy
Premium Member
2014-Oct-10 5:13 pm
said by James_C:
Again I revert back to the example I posed that you seem to keep refusing to acknowledge as common sense.

Your analogy cuts corners to fit. It omits the fact that not only does it announce to the world that my front door is unlocked but it also announces every unlocked front door in the entire world!

said by James_C:
IMO you have no common sense.

OK, some things we can agree on. btw, I'm curious how a ban on public disclosure in the US will affect researchers abroad? Is extradition doable or would this be a one world order type of thing where the United Network Command for Law and Enforcement (U.N.C.L.E.) would deploy enforcement agents such as Kuryakin & Solo to dispense sure justice on the miscreants that break world order law? |
|
|
You win due to my apathy. |
|
SnowyLock him up!!! Premium Member join:2003-04-05 Kailua, HI |
Snowy
Premium Member
2014-Oct-10 6:45 pm
said by James_C:
You win due to my apathy.

Yeah, I'm sure my brilliant insight, coupled with a mastery of the language didn't factor in because it went >>>>Vrooom>>>> as it flew unnoticed over your head. LOL |
|
DrStrangeTechnically feasible Premium Member join:2001-07-23 Bristol, CT
1 recommendation |
to Snowy
+1 for The Man from U.N.C.L.E.. That was one of my favorite shows as a kid. |
|