Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Businesses United States

Gov't Vulnerability-Disclosure Program Draws Heat 101

AndreyF writes " Securityfocus.com reports: 'a long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems took effect Friday, but critics worry that it may do more harm than good.' The article discusses both sides of the PCII question, but leaves me wondering why the pro argument rests on my trusting large corporate CEO's to 'do the right thing.'"
This discussion has been archived. No new comments can be posted.

Gov't Vulnerability-Disclosure Program Draws Heat

Comments Filter:
  • I for one (Score:3, Funny)

    by whackco ( 599646 ) on Saturday February 21, 2004 @09:15PM (#8353193) Journal
    welcome our ... oh, wait, I guess it would be old Bush overlords
  • Microsoft (Score:5, Funny)

    by b0lt ( 729408 ) on Saturday February 21, 2004 @09:16PM (#8353198)
    Does pretty much running all of the computers in the US count as being critical infrastructure? ;)
  • Fat chance (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Saturday February 21, 2004 @09:21PM (#8353224)
    Moulton says a more effective approach would compel companies to report vulnerabilities to the government, and give the government the power to enforce reforms, or, alternatively, warn the public.

    Since when do governments of any country inform the public when they don't absolutely have to? when was the last time you thought of your leaders are public *servants*?

    No, I think a better alternative would have been to screw PCII and let public scrutiny (and reactions) dictate what the government and the critical facilities should do. But as always since the war-on-terror bullshit, the government passes laws behinds people's back, without any consultation and approval of the people they're meant to represent and serve. F#)(*%&g brilliant :-(
    • by BiggerIsBetter ( 682164 ) on Sunday February 22, 2004 @02:10AM (#8354436)

      when was the last time you thought of your leaders are public *servants*?

      I think a better question is, when was the last time *they* thought of themselves as public servants?

  • by Llyr ( 561935 ) on Saturday February 21, 2004 @09:21PM (#8353225)
    .... actually covers their asses.

    One big concern is that the companies can get immunity (and public silence) if they 'fess up to the problems. Leakers of confidentially submitted information will be prosecuted, and the government will be on the hook, not the company. Except since nobody can leak it, the ones really on the hook for the problems are the people who will be depending on it.

    Still, that could be the only carrot that might convince the big companies to actually admit to their failures.

    • money talks... (Score:5, Interesting)

      by segment ( 695309 ) <sil@noSpaM.politrix.org> on Saturday February 21, 2004 @09:45PM (#8353349) Homepage Journal
      So here's my excerpt for the moment...
      ...

      WASHINGTON (CBS.MW) -- When individual Americans are accused of helping terrorists, they're thrown in jail and their names are dragged through the mud.

      But when major U.S. corporations are caught trading with the enemy, they get just a slap on the wrist from the government.

      In the past two weeks, the government has revealed that 57 companies and organizations have been fined for doing business with terrorists, despots and tyrants.

      ...

      Each year, the government investigates thousands of cases of U.S. individuals or companies for alleged violations of the Trading with the Enemy Act and other statutes and executive orders that restrict free trade. Each year, the government imposes millions of dollars in civil penalties and prosecutes 10 or so criminal cases.

      We know why the companies are silent about what they've done. No one wants to be associated in the public mind with torturers, thugs and murderers, even if it's profitable to be associated with them in private. The companies' explanations, when available, show that even the most enthusiastic supporter of sanctions can run afoul of the law through no malice on their part.

      Source [marketwatch.com]

      You don't want to get into whistleblowers now. Most of the times they're ridiculed even arrested and sent to rot for coming clean [politrix.org].
    • by psycho_tinman ( 313601 ) on Saturday February 21, 2004 @09:49PM (#8353373) Journal

      But the problems are twofold.. If you're in charge of a large installation of servers, and you get this public confessional type "mea culpa" every few weeks or months from your vendor, how easy would you feel ? Still want to run a piece of software that needs to be patched every so often ? Shades of Sendmail, anyone ?

      Secondly, the whole point of accountability comes up. If your vendor isn't responsible for how your infrastructure runs and how timely security updates are made available, what's the point having a vendor anyway ? I'm not advocating a lawsuit, but you can either sue or you can take your business elsewhere. This sounds like "confess your sins and they will be absolved" sort of scenario.

      And for added benefit, imagine the delight of a black hat who manages to break into one of this top secret archives. A whole list of vulnerabilities that haven't been publicly disclosed. A motherlode of h4xorz potential, if there ever was any..

      • by Llyr ( 561935 ) on Saturday February 21, 2004 @10:16PM (#8353477)
        Still want to run a piece of software that needs to be patched every so often ?

        Well, no. And according to the article, they may not have a choice; the agreement comes "with legally-binding assurances that the information will not be used against them". Presumably this would prevent not giving them future contracts on the basis of knowing that their previous work was crap, since at least they owned up to it. How anti-merit of them.

        So yes, multifold problems; the system maintainers are going to be very unhappy if they get frequent information about problems for them to deal with, and won't be able to do a thing about it. Sounds like a killer for whatever morale might be left.

        And of course, these systems could be in general public use as well, but the public couldn't be informed.

    • by dnoyeb ( 547705 ) on Saturday February 21, 2004 @10:42PM (#8353579) Homepage Journal
      Yep Yep. Its an old auto industry trick.

      Auto industry wanted to add passenger airbag cut off switches so they can blame the driver if a child gets injured and he failed to turn off the bag.

      If the driver mismanages the switch he can forget suing the OEMs since they had no choice in the matter...

      So often when the government is regulating an industry at the request of that industry, it is to the detriment of public protection.
  • by Open $ource Advocate ( 754298 ) on Saturday February 21, 2004 @09:26PM (#8353244)
    Companies should be legally required to disclose vulnerabilities to government, with stiff penalties for failing to do so. It should also be made available via the Freedom of Information Act because we have a right to know that our information is being protected.

    What's next? Microsoft doesn't disclose a vulnerability in SQL Server and the IRS database is leaked to hackers?

    This is just one more reason why we need Open Source in government. The official in Peru who blasted Microsoft over closed source [opensource.org] got it right. The citizen's right of information protection comes first and this can only be achieved through Open Source software, where every citizen has the right to make sure their data is being handled properly.

    Closed source products have no business in government (or really anywhere for that matter) and should be outlawed.
    • by AndreyF ( 701606 ) on Saturday February 21, 2004 @09:33PM (#8353282)
      "Closed source products have no business in government (or really anywhere for that matter) and should be outlawed."

      What an amazing quote. So typical of slashdot, but with the well presented arguemnt it makes sense. :)
    • corrected link (Score:4, Informative)

      by Open $ource Advocate ( 754298 ) on Saturday February 21, 2004 @09:36PM (#8353303)
      Oops, I linked to the Microsoft letter. Here is the Peru congressman's reply [opensource.org]. Specifically, here's a good summary:

      "To guarantee the free access of citizens to public information, it is indispensable that the encoding of data is not tied to a single provider. The use of standard and open formats gives a guarantee of this free access, if necessary through the creation of compatible free software.

      To guarantee the permanence of public data, it is necessary that the usability and maintenance of the software does not depend on the goodwill of the suppliers, or on the monopoly conditions imposed by them. For this reason the State needs systems the development of which can be guaranteed due to the availability of the source code.

      To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*."

      • Re:corrected link (Score:1, Insightful)

        by Belzu ( 735378 )
        Yes, I read that link a while ago. I was struck by how much SENSE it made, given the logic presented in the letter published by Toledo's government. This is inline with Israel's policy as of late to stop purchasing closed source software, such as that made by MSFT.
    • by Agent Smart ( 204871 ) on Saturday February 21, 2004 @09:50PM (#8353377)
      Mandate or not, the most serious vulnerabilities will be those that the company is ignorant of.

      If a company is aware of a serious vulnerability, and decides that it doesn't make business sense to correct, it has the option of making the government aware in order to limit the company's liability. Clever indeed.
    • by segment ( 695309 ) <sil@noSpaM.politrix.org> on Saturday February 21, 2004 @09:51PM (#8353383) Homepage Journal

      Companies should be legally required to disclose vulnerabilities to government Uhh that's what security lists are for. Just look at the recent securityfocus rantings about MS taking 6 months for a patch, because the vuln was in development. So what can you really blame MS when, sure they did disclose it when their engineers pinpointed it. That would be unfair to any vendor. Just look at private exploits, what would you say about that?

      It should also be made available via the Freedom of Information Act because we have a right to know that our information is being protected. Good luck. Hell if non top-secret energy documents [missouri.edu] are kept from the public, you should know that they'll throw a "We're protecting the infrastructure from terrorists... Even mother nature [guardian.co.uk] (sorry I can't get over the mother nature humor)

      • by 10101001 10101001 ( 732688 ) on Saturday February 21, 2004 @10:00PM (#8353416) Journal
        >>Companies should be legally required to disclose vulnerabilities to government

        > Uhh that's what security lists are for.

        That's what they're for, but the majority of exploits are found first by people *outside* of companies. And Microsoft really wants it that you tell them first, give them 30 days to work on it, then finally tell everyone else about it. While I can understand the want to "minimize damages", the truth is the fastest way to minimize damages is to *stop* using vulnerable software. Waiting 30 days or more to tell people there's a problem isn't helping anyone.
    • by A nonymous Coward ( 7548 ) * on Saturday February 21, 2004 @09:53PM (#8353386)
      Corporations should be required to disclose all problems with their products and infrastructure as soon as they know about them, and given immunity for doing so. Failure to disclose problems immediately would drop the immunity. I am all for suing the pants off the bastards when they hide defects and cover up and it is only found out after deaths and accidents. Remember Ford Explorers and Bridgestone tires? Remember Ford overheating electronics causing fires in the engine compartment? Remember GM side saddle fuel tanks? etc etc. I have no problem with companies making mistakes, but they better disclose them as soon as they find out, not try to cover up.
      • by Skater ( 41976 ) on Saturday February 21, 2004 @10:15PM (#8353470) Homepage Journal
        At least two of the three examples you cited just reminded me of the media being out of control: they took a relatively minor problem and blasted it way out of proportion to whip up a frenzy.

        Explorers w/Bridgestone tires - have you ever seen how people drive SUVs? They drive them like they're sports cars. Except they aren't sports cars - they have a higher center of gravity. If you lose a tire at 80 mph, even in a sports car you're going to have problems; a vehicle with a higher center of gravity just makes it that much easier to roll it. Also, how many people do you know that religiously check their air pressure? Finally, I still haven't seen proof that those tires were actually systematically defective; please point me to evidence if you have some, because I like to follow these issues. (I'd really like to see rollover/death statistics for other SUVs compared to the Explorers, but I haven't seen that information yet.)

        GM Side Saddle fuel tanks - all I really remember about this issue is one of the networks rigging a demo with a small charge rather than having it explode on its own. That kind of detracted from the seriousness of the problem for me. Also, like the Corvair, those fuel tanks met the crash-safety standards in effect as of the time the vehicles with them were manufactured.

        --RJ
        • by bmwm3nut ( 556681 ) on Saturday February 21, 2004 @11:02PM (#8353675)
          i know we're getting way off topic here, but i wanted to answer your bridgestone tire question:

          i don't have the sources right now - i'm to lazy to google. but i do remember from the time of the incident they looked at the same model year explorers that were sold with goodyear tires, they didn't have any problems. also i remember some jeeps were sold with the same bridgestones and didn't have any blowout issues.

          if i remember correcly the problem was due to a couple of factors. for the batches of tires used firestone/bridgestone had used a faulty "glue" to attach the tread to the tire, and in comibnation with ford specifying a lower pressure (to make a more comfortable ride) the tires overheated and caused the glue to fail.

          but of course you're right, people don't know how to drive their SUVs right.
          • Thanks for the corrections (you and the other posters).

            All I can say about SUVs is this: I have a sporty (not a sports car, but sporty) 1999 Mercury Cougar. These things were meant to be a relatively fast car for the price point at which they were sold. I'll be doing 80 mph on the DC beltway in my Cougar...and someone in an SUV will still pass me, maybe even weaving in and out of traffic.

            Totally insane. What's really amazing is that more people haven't died as a result of this type of driving.

            --RJ
        • Well ... (Score:3, Insightful)

          Like the other poster says, the same tires on other SUVs were ok, and Explorers with other tires were ok ... and their internal memos show they knew of the problem and tried to cover it up. Ditto for the engine compartment electronics overheating and causing fires: some bean counter actually wrote a memo saying it was cheaper to get sued a few times than to spend $4 per vehicle to fix the design. And again ditto for the side saddle fuel tanks; more internal memos showing a cover up.

          What frustrates me so
          • by Cyno01 ( 573917 )

            Jack: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

            Single Serving Friend: Are there a lot of these kinds of accidents?

            Jack: You wouldn't b

            • Jack: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

              Single Serving Friend: Are there a lot of these kinds of accidents?

              Jack: You wouldn't b
        • Explorers w/Bridgestone tires - have you ever seen how people drive SUVs? They drive them like they're sports cars. Except they aren't sports cars - they have a higher center of gravity. If you lose a tire at 80 mph, even in a sports car you're going to have problems; a vehicle with a higher center of gravity just makes it that much easier to roll it.

          The problem is all the commercials that show that you can drive them as you would a sports car.
          I once lost a front tire at 75 mph on the freeway. Scared the
  • by psifishdot ( 699920 ) on Saturday February 21, 2004 @09:28PM (#8353254) Homepage
    [A] long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems...

    You can find the vulnerabilities in my systems at http://www.debian.org/security/ [debian.org].

    apt-get update
    apt-get upgrade
  • by segment ( 695309 ) <sil@noSpaM.politrix.org> on Saturday February 21, 2004 @09:31PM (#8353274) Homepage Journal
    to submit details about their physical and cyber vulnerabilities to a newly-formed office within the Department of Homeland Security, with legally-binding assurances that the information will not be used against them or released to the public.

    Geez I feel safe already. It's not like any teenager could break into a gov website [techweb.com] or anything. Makes me warm and fuzzy inside. And in more "E"lated news... The US government announces the greatest terrorist to walk the planet... Mother Nature [guardian.co.uk], and her Weather of Mass Destruction

  • by koody ( 575863 ) on Saturday February 21, 2004 @09:34PM (#8353290)
    It seems to me that this will only be useful for statical purpouses. The legislation basically indemnifies the company from liability. Even if the company is asked to fix a problem, they refuse and are later attacked, no one can even point a finger at them if what the article says holds true.

    A key provision of the law bars the government from using the vulnerability information in any enforcement action against the company, or from using it as the basis for proposing new legislation or regulations on industry.[snip]

    Of course, the law wasn't intended as a shield for corporate negligence: information that comes to the government independently of the PCII reporting is still fair game.

    So if a company doesn't want to put any money in to securing their computer infrastructure, they simply report that and the govt can't force them. When an attack occurs, the company will point at the govt and say that the govt new that they "lacked the funds" or something to secure their comps.

    Incredible BS-law Protecting companies and enableing them to assign the blame on others. Is this really what the government wanted to achieve with the law, or was this simply the result of corporate lobbying?

  • by Dunark ( 621237 ) on Saturday February 21, 2004 @09:39PM (#8353319)
    ...if you say you're "trusting" the big company CEO's or not.

    The big CEO's tell the government what to do anyway, so any program that appears to put the government in charge merely conceals the truth.

  • "...pro argument rests on my trusting large corporate CEO's to 'do the right thing.'"

    Campaign contributions and old-school business-think anyone? FSVO "right thing", of course.

    Naahh...

  • Excuse me, but .. (Score:5, Interesting)

    by z0ink ( 572154 ) on Saturday February 21, 2004 @09:51PM (#8353379)
    The last I heard funds are being tied up all over the place in the Dep't of Homeland Security. What makes them think they can, on a whim, create an organisation that would affect the security of systems nationwide? We need patches 0-second from the release of exploits at the rate things are going these days. Even though the government wouldn't be the one controling the release of anything, wouldn't involving them and especially the DoHS put a big slowdown on the process? It seems many system admin's patch only when they hear about it on the news. I wonder how long the gov't would wait before acknowledging that something is infact a problem - unless of course somebody releases a Terrorist.B virus?
    • Good point. How about open disclosure of all the screw-ups by that department. People are getting past incredibly lax security in many airports, and all the "color alerts" seem to do is create media buzzwords and hype.

      "Fuscia alert, Bob! Run that clip of the dead babies ..."
  • Another (Score:3, Flamebait)

    by iminplaya ( 723125 ) on Saturday February 21, 2004 @09:58PM (#8353408) Journal
    "feel good" paper tiger that does nothing but further gut the FOIA. Being on the outside, I almost want to see Bush and Blair get re-elected, possibly forcing the rest of the world to make a real attempt to effectively deal with what is becoming the american/european menace.
    • Re:Another (Score:4, Insightful)

      by Limburgher ( 523006 ) on Saturday February 21, 2004 @10:11PM (#8353458) Homepage Journal
      Being on the inside, I understand, but I have to say I disagree. Re-electing those two would do enough damage to USA and Europe on it's own. Look where we are now! How long do you honestly think it will be before the squishing foot of the Patriot Act and the Ashcroftian menace causes the people to revolt? I just hope we do it by election and not violence.
      • Re:Another (Score:4, Insightful)

        by iminplaya ( 723125 ) on Saturday February 21, 2004 @10:25PM (#8353517) Journal
        I just hope we do it by election and not violence.

        The problem is that the guy most likely to run against Bush is "Bush Lite". The stagnation and misery will continue unabated(?), but people won't react because they'll think that with Bush out of office things will eventually get better, but it won't, and the anger cycle will continue. In my lifetime this has been going on since Kennedy died.(he wasn't in office long enough to prove that he, too was probably a corporate stooge)
        • Sounds about a decent analogy, presidents are like diet food... Half the stupidity, but having him in government still leaves a bad taste in one's mouth?
          • It appears that with Nader running, it won't matter now. The anti Bush vote will be divided up like last time. So expect "four more years".
  • by rmsousa ( 614388 ) on Saturday February 21, 2004 @10:00PM (#8353415) Homepage
    I thought we were supposed to NOT comment on security flaws...
  • by no longer myself ( 741142 ) on Saturday February 21, 2004 @10:05PM (#8353432)
    First of all, make no mistake that to the corporations and government, the average person is little more than a veal calf. You are merely a by-product of what they desire, and of course managing that takes time and energy away from them, so naturally they will regard the common citizen with a certain degree of contempt. After all, don't you feel a little ripped off when you have to pay your taxes? Corporatists feel a little ripped off when they have to share liberty and dignity with you. They regard themselves as the exceptional few, the elite, the have's. And the rest of you? Well... There you are.

    They keep you busy with jobs that require more time than brains. They keep you running on a treadmill for as many hours as possible. It disorients and distracts. It keeps your mind off the fact that you are slowly slipping and sliding down that slope. But keep breeding- They are going to need that population to stay high so they will have a never ending resource of willing subjects.

    They rely on having large numbers of people, because when people become a scarce resource, the value of humanity increases. It's harder to control a person who has value, so the more idiots they can create, the less value the average, or even slightly above average person will have. It's only the privileged few that should enjoy life to the fullest, and a few token morons just for show, "See? Anyone can live like a king in America. So the problem is yours."

    So the corporatists have overtaken the government with layers of lobbyists. They have convinced the "elected" leaders that they have the nations best interests at heart. They use you as a pawn, and they see the nuclear family as their greatest ad campaign. All that remains is to keep this little secret less than obvious.

    Keep them watching those sports channels, the so-called reality based TV, and the endless parade of entertainment provided by the cable TV and TiVo. It keeps them off the streets, and ensures that the rabble stay out from under their agenda. Turn up the noise, and keep them riveted to the latest episode of "Survivor". If they have a tech fetish, let them watch Star Trek knock-offs, but never again show anything that might force them to think.

    This technology we contrived does most of the work for us. But it's ingeniously engineered to have a drone standing over a mind-numbing machine for eight hours or more. This kills two birds with one stone: It keeps our standards artificially high, and keeps that drone occupied and out of our hair. If they don't like it, we'll start accusing them of being Luddites, and since the Luddites were destructive we can automatically associate and brand them with being vandals, and terrorists.

    Nice, neat, and easy to justify.

    OH LOOK! A TERROR THREAT! QUICK! BURY YOUR HEAD IN THE SAND! That's right... The big friendly corporate brother will take good care of you.

    That ought to shut them up for a while...

    Big business made this country what it is today. What will it turn this country into tomorrow.

    OK, I'm done. Burn my karma and send in the flaming AC trolls.

    • by waltc ( 546961 ) on Saturday February 21, 2004 @11:14PM (#8353730)
      First of all, make no mistake that to the corporations and government, the average person is little more than a veal calf. You are merely a by-product of what they desire, and of course managing that takes time and energy away from them, so naturally they will regard the common citizen with a certain degree of contempt. After all, don't you feel a little ripped off when you have to pay your taxes? Corporatists feel a little ripped off when they have to share liberty and dignity with you. They regard themselves as the exceptional few, the elite, the have's. And the rest of you? Well... There you are.

      This is one of the most amusing posts I've read in a while...;) So, I wanted to respond...

      To governments the "average person" is a tax payer and a voter; to corporations, he's a customer. I cannot see that governments which levy taxes by decree, and enforce tax collection at the point of a gun, and routinely spend far more money annually than they collect in taxes by running up huge debts which will be paid by future generations are any better than corporations who compete among themselves to offer the "average person" a wide choice of goods and services, which are available to the average person on a completely voluntary, elective basis. In other words, I don't have to ever buy a GM car if I choose not to--but try that trick with the government where your taxes are concerned...;) The government won't sieze your property and put you in jail if you don't vote, however--that only happens if you decide to "opt out" on your taxes...:)

      The other logical fallacy I see in your comment here is that "government" and "corporations" employ hundreds of millions of exactly the kind of "average people" you describe. We use abstract expressions like "government" and "corporations" to describe the *people* who administer them. Without those people the abstractions have no meaning.

      Are you saying that we need to abolish governments and corporations? If so, what comes next?..;)

      So the corporatists have overtaken the government with layers of lobbyists. They have convinced the "elected" leaders that they have the nations best interests at heart. They use you as a pawn, and they see the nuclear family as their greatest ad campaign. All that remains is to keep this little secret less than obvious.

      You might like to think of what it is that these lobbyists use in their "convincing"...;) It's often money, isn't it? The problem for your analogy here, too, is that it overlooks the difference between what is voluntary and what is not. All corporations do not lobby, and all elected officials do not compromise their integrity by improperly capitulating to lobbyists. So in that sense it might be more accurate for you to say that "The government is overrun by greedy politicians who allow themselves to be improperly influenced by lobbyists."

      Keep them watching those sports channels, the so-called reality based TV, and the endless parade of entertainment provided by the cable TV and TiVo. It keeps them off the streets, and ensures that the rabble stay out from under their agenda. Turn up the noise, and keep them riveted to the latest episode of "Survivor". If they have a tech fetish, let them watch Star Trek knock-offs, but never again show anything that might force them to think.

      You might not be aware of it, but watching TV is entirely voluntary...:) I hate much of it personally, and rarely watch anymore. Unlike the compulsion the government uses to collect taxes, no one who doesn't want one has to own a TV, let alone watch it. What I get from your remarks is that you apparently watch way too much TV yourself--so do what I do--don't watch TV and do something else instead.

      This technology we contrived does most of the work for us. But it's ingeniously engineered to have a drone standing over a mind-numbing machine for eight hours or more. This kills two birds with one stone: It keeps our standards artificially high, and keeps that drone occupied
      • Firstly, thank you for the thoughtful response. Although replying to each point would get horribly long winded I'll try to address some of your comments. I assure you it's not because I don't appreciate everything you said. :-)

        The other logical fallacy I see in your comment here is that "government" and "corporations" employ hundreds of millions of exactly the kind of "average people" you describe. We use abstract expressions like "government" and "corporations" to describe the *people* who administer the

        • The other logical fallacy I see in your comment here is that "government" and "corporations" employ hundreds of millions of exactly the kind of "average people" you describe.

          True. "Of the people, by the people, for the people". But the same could be said of communist China.

          Actually, the same can not be said of communist China. In contrast to more democratic countries, like the US, one must be a Party member to even be considered for a spot on a ballot. Those who control the Party, in a very real sens

      • This technology we contrived does most of the work for us. But it's ingeniously engineered to have a drone standing over a mind-numbing machine for eight hours or more. This kills two birds with one stone: It keeps our standards artificially high, and keeps that drone occupied and out of our hair. If they don't like it, we'll start accusing them of being Luddites, and since the Luddites were destructive we can automatically associate and brand them with being vandals, and terrorists.

        I found this comment
      • > Are you saying that we need to abolish governments
        > and corporations? If so, what comes next?..;)

        Maybe he's suggesting that both should be smaller.

        http://www.johntaylorgatto.com/underground/

        The link above explains what we had before big government/big corporations, and explains how some of the early big corporations designed the school system (yes, the one you send your children to) to create compliant people.
      • which are available to the average person on a completely voluntary, elective basis

        You think you have choice..., but the problem is that big companies often either misuse a monopolistic position to crush competing companies, or big amount of $$$ to enact laws limiting customer choice.

        Look at the writable-media tax in Canada. Every CDR you buy puts $$$ in the pockets of a corporation that in many instances has very little to do with the product being purchased (I generally buy my CD's for data, or faili
    • Oh god. Cut the melodrama. Corporations and the government are not the ones to blame. It is the people. We are a free country. We elect our leaders, and nobody can claim that these elections are somehow fraudulent.

      We the people put these guys into power, and we can choose to put them out of power. We don't, because we don't want to. We like the status quo. Our Constitution gives corporations the power to sell us what we want to buy, nothing more. The fact that we buy it is our fault, and ours alone.

      Person
  • by binkless ( 131541 ) on Saturday February 21, 2004 @10:07PM (#8353438)
    Do you think that small corporate CEOs are more honest? What do you have against fat people anyway!?
  • by Crypto Gnome ( 651401 ) on Saturday February 21, 2004 @10:18PM (#8353487) Homepage Journal
    A key provision of the law bars the government from using the vulnerability information in any enforcement action against the company, or from using it as the basis for proposing new legislation or regulations on industry.

    Looks like Bill Gates just bought himself a get-out-of-jail-free card.
  • by Anonymous Coward on Saturday February 21, 2004 @10:22PM (#8353502)
    I see suggestions that corporations should be held responsible for security vulnerabilities.

    Apart from offering yet an other US inspired opportunity for a lawyer led sue fest the idea is appalling.

    If corpoartions are 'responsible' for security then they will be required to have ' due dilligence'

    What does 'due dilligence' entail - perhaps a pre-emptive strike by Mcdonalds against animal liberationists ?

    A utility finds that it's IT staff and engineers all live clustered in a particular location. A bio or nuclear incident that affected the cluster location leaving them incapable of operating. How do they respond ? A security directorate for risk evaluation ?

    Corporate responsibility for security is a dangerous slippery slope. It provides not just justification but will inevitably lead to the compulsion for corporations to set up the kind of "security/intelligence apparatus" that goverments have trouble keeping in control.

    If I have to be spied on because of some "threat analysis" please let it be caused by Clinton/Bush subject to congressional oversight not by the board of Enron.
  • by darkonc ( 47285 ) <stephen_samuel&bcgreen,com> on Saturday February 21, 2004 @10:23PM (#8353505) Homepage Journal
    If this law is written right, it shouldn't give them any sort of vulnerability against prosecution. The burden of proof should be on the company to prove that the only way the information could have come to public / enforcement attention would have been a leak of PCII submissions.

    Even the PCII papers that a company compiles should not be subject to any sort of immunity... This is, generally, information that the company already has. The fact that this information has been compiled and/or submitted to the government doesn't provide any sort of real immunity -- especially if it is being used internally by the company for any other sort of purpose.

    The second that a PCII document is used for any sort of internal company purpose, whatsoever, then there should be absolutely no reason why the company copies should have any sort of special immunity on account of a copy having been sent to PCII.

    Some of the above will depend on how the law is written. the rest will depend on the first plaintifs who come against a PCII wall having really good lawyers.

  • by Anonymous Coward on Saturday February 21, 2004 @10:24PM (#8353509)
    Frankly I would consider the release of any information to the Government to be a vulnerability in itself.

    If it happens on my premises or to a computer or system under my care I consider my priorities to be to my company, my employer, and to my employer's/company's clients to as quickly as possible resolve, repair, and restore systems to regular operation rather than gathering evidence and making reports to the Government.

    and yes, I have had a hacked system under my care and control that we discovered, the issue was resolved, the system restored and put back into service. About two months later our network provider did forward an email from an FBI office stating that that computer's IP number had turned up in the logs of a computer system they had seized from some suspected hacker. We were able to respond that we had discovered this activity and had erased, reformatted, and reinstalled the system in question and that the breach, if any, had been secured.

    I can't imagine if I had to report this, hold the system in reserve and not have it in service for our clients for several months or longer for the Government. I understand this has already happened to another isp hosting an IRC server where the FBI has seized all the computers in the facility so they can copy data.
    • "hold the system in reserve?"

      Why?

      When you reinstalled the machine, you should have:
      - installed a new disk
      - installed the system on the new disk
      - keep the hacked disk for evaluation purposes, including passing it to the FBI when necessary.

      I don't see how this would have hold your system on reserve.

      And I doubt that the FBI would seize machines in that way. There are ways to retrieve the information from the machines without taking them. But I just doubt and I cannot prove was the FBI's operative mode is.
  • by kryzx ( 178628 ) * on Saturday February 21, 2004 @10:39PM (#8353568) Homepage Journal
    Take, choosing a company totally at random, say... Diebold.
    Think they would "do the right thing?"

    Those companies with the biggest vulnerabilities and the most depending on their security would have the least incentive to report their issues, and probably are the least likely to have to ethical fortitude to do it, given the choice.

    (Yes, there is an assumption hidden in there: critical sw with major security flaws, which linger for years without being resolved, is a certain indication of ethical laxness.)
  • by GoMMiX ( 748510 ) on Saturday February 21, 2004 @10:53PM (#8353633)
    It'll be funny when someone hacks in and steals a massive list of vulnerabilities.

    I wouldn't trust the government to secure anything. It's actually kinda scary to think these people would have a massive collection of vulnerabilities nicely indexed with the targets - ripe and ready for malicious hackers to slurp up.

    BTW, to those cooperating CEO's, I got a BARGAIN deal on the Brooklyn Bridge for ya! Gimme a shout!
  • by Anonymous Coward
    So, they put the e-mail address for
    submission on the webpage: pcii-info@dhs.gov

    No doubt, some spam bots are now gathering it,
    and some anti-Homeland wrong-thinkers are going
    to make sure that address gets a double dose of
    spam (and more).

    This will effectively make their e-mail submission
    system unusuable. This leaves only mail and
    'controlled' mail submission (commercial carrier,
    UPS, FedEx, etc.)

    How will this delay affect the program?
  • by erf007 ( 649029 ) <`moc.0067cimsoc' `ta' `0067cimsoc'> on Saturday February 21, 2004 @11:10PM (#8353704) Homepage
    So let's assume that Corporation X involved in the say the electricity system does turn around and say "yes I am running xyz system that has the following security flaws". What checks and balances are then in place to ensure the security of that information?

    For an organisation intent on doing some kind of harm, this system makes a very good target. Rather than having to try and "find" all these security flaws in the critical infrastructure I can go to one place and they are all served up on a silver platter. So who looks after this?

    I know it's kind of trite, but who is going to guard the guards and ensure they are taking care of this ultra sensitive information? Who is going to audit the government infrastructure to ensure that it is secure and not vulnerable?

    I know risk management strategies are generally based around the choices of accept, transfer or mitigate risk but this really seems to be purely blind transferance of risk with no understanding as to the capabilities of the receipient to properly manage or account for that risk.

  • by Todd Knarr ( 15451 ) on Sunday February 22, 2004 @04:27AM (#8354737) Homepage

    I don't understand why Schmidt is saying that casual conversations are the only way the government gets information, nor why he seems to imply that the government has to coax them into giving up the information. There's another simple solution to the problem:

    "If you are considered "critical infrastructure", failure to report security vulnerabilities to the appropriate agencies is a Federal crime punishable by a prison term of no less than 10 years for the managers responsible for the vulnerable systems and all executives who knew of the failure to report and failed to correct it. Interfering with the reporting process is punishable by a similar prison term for all persons responsible for the interference. Failure to correct the vulnerabilities when correction is possible, or to mitigate them to the greatest extent possible if they cannot be corrected, will result in the government immediately rearranging things so that you are no longer part of the "critical infrastructure"."

    If we need to protect the critical infrastructure as much as the politicians say we do then I see no reason to treat the corps with kid gloves, and if we can tolerate those vulnerabilities not being fixed then obviously the threat to that infrastructure can't be that great now can it?

  • "Basically, the information goes into government, and that's the dead end," says Sean Moulton, a senior policy analyst at OMB Watch. "Aside from encouraging the companies to do something, as far as my reading of the statute, they don't have much authority at all, and they can't warn the public."

    (Setting: the school playground where government and corporations play)
    Government: I can keep a secret. Tell me all your nasty mistakes and I won't tell anyone.
    Company: Ok, but you have to promise that you won't

If you steal from one author it's plagiarism; if you steal from many it's research. -- Wilson Mizner

Working...