Bug Finding: Ethical and Necessary
Regarding Bruce Schneier and Marcus Ranum's "Is Vulnerability Research Ethical?" (Face-Off, May 2008), the question may as well be: "Is it Ethical to Force Automobile Companies to Crash Test Their Cars?"
Would Microsoft ever have gotten a clue about reducing programming mistakes without the constant stream of security revelations about its software? Have any other vendors been significantly better than Microsoft on mistake reduction?
It's a shame Ranum didn't bother to speak to the question, but rather chose to trot out examples of poorly done software development. It's interesting how similar Ranum's list of "counterexamples" is to vulnerability research: "This should be fixed, that should be fixed, and that new thing on the Web shouldn't be going on at all."
It's also interesting that Ranum sheds some light on the design side of the problem. We commonly look on our security problems with software as mistakes made in implementation. Sometimes though, the sources of these problems go all the way back to the original design.
I've long held a theory that "brokenness" in software/firmware is conservative (i.e., it seems there's pretty much the same number of flaws out there to be fixed year-over-year). Let's hope counterevidence to this theory is someday provided by the computer industry.
In the meantime, the messengers aren't the problem. Be glad security researchers are sticking their necks out to keep the heat turned up for long-term gains in computer security.
I can look up the phone number, address, etc., for nearly anyone in my neighborhood or across the country. Sure, modern electronic methods make it quicker or easier to do thousands of them, but they have always been available in the phone book.
To me, one real issue is the feature creep of the Social Security number. This was a system designed to track individual income and accounts for the purpose of providing benefits.
In the meantime, it has become the substitute for a national identity card. Of course, the solution of a national identity card gets fought tooth and nail by nearly every state.
What we really need is a system where nothing can happen without my direct involvement in the process. I should be able to go out into the world (physical or virtual) with an expectation that the only way someone could take my identity is if they are my identical twin.
When people receive credit cards in the name of their dog, the card companies are acting irresponsibly, and if they get burned, too bad. If they did any type of real verification, this wouldn't happen. I should be able to give away all sorts of numbers and information because the ultimate key needs to reside with something no one else can steal without my consent.
Back to your original thesis, I'm all for a national law. We deal with more than 40 state breach notification laws. And most of them only deal with notification after the fact versus protection up front. With PCI, the protection and standards are set up front. We need this for SSN and other information as well.
This was first published in September 2008