There was once a time when disclosure of a software vulnerability was considered reckless, uncouth and even potentially criminal. These days full disclosure (with a courtesy email to the author of the software and an acceptable period of time to allow a patch to be produced) is considered responsible and generally an accepted practice. It is even acceptable to publish your findings in the absence of a patch where the vendor has been given ample opportunity to fix their product but has not done so. Some would argue that this system provides software vendors with an incentive to produce higher quality code at release time and – should problems be found – to release a patch as soon as possible. Were there not the “big stick” of imminent disclosure through security lists like bugtraq hanging over the heads of software vendors, it is likely vulnerabilities would remain unpatched for a far greater period of time or perhaps never be fixed. Public shaming, it seems, is a decent motivator.
It is with this in mind that I question vendors that demand a schedule for the release of security related patches (e.g. Microsoft’s Patch Tuesday). I can understand their rationale that it assists large enterprises in managing their assets, and I also take into account that on rare occasions Microsoft has elected to push an out-of-cycle patch for some important vulnerability. Even so, the idea that we should schedule patches for release on a specific day seems ludicrous, especially in the world of security where time is absolutely critical. Assessments of the severity of found flaws can often be dead wrong – leading to a vulnerability that should have had patches rolled out immediately being left open and exploitable for up to another six days, depending on where in the cycle it was first reported. Updates should be made available as quickly as possible. This doesn’t mean that testing of patches in a variety of environments should be skipped and “alpha” quality patches delivered to customers. Microsoft has had a few “bad updates” of late and no doubt would not like a repeat of such behavior, particularly where regression is difficult and an administrator must intervene to fix the issue. Moreover, the entire process should be streamlined, and these big vendors should work to ensure that patches are released the day they are ready and not a moment later. Threats will not care that a patch is forthcoming next Tuesday if your machines are exploitable today.
A second and somewhat related thought centers around whistleblowers like Edward Snowden, whom the government regards as a terrorist. Whistleblowing on government practices that violate a nation’s own constitution or otherwise adversely affect a country should not be regarded as a crime but as a service to the citizens of said country. Many have stepped forward to shine a light on corrupt practices only to be rewarded with arrest and incarceration. As a consequence, many do so anonymously, afraid to voice their concerns or air privileged information that may shed light on dark practices. Snowden and his breed of whistleblowers have had the courage not only to leak information that they believe is important for the world to know but to do so openly and without obscuring their identity. Depending on who you ask, they are either extremely brave or incredibly stupid. No doubt Snowden will have to live with the consequences of his decision to go public and sign his name to these disclosures.
Snowden is, in effect, doing to government what the security industry’s ideal of “full disclosure” does to software vendors. No doubt questions remain as to how effective this process will be in achieving real change in how the US government’s surveillance agencies operate. Given that many citizens regard Snowden as a traitor and believe that mass surveillance is a necessary price to pay for their safety, I hold little hope that things will change.
A sensible government would establish a taskforce charged with the investigation of corruption and create an official channel through which government employees and contractors can anonymously voice their concerns about practices they have witnessed without fear of reprisal. Such a taskforce must have the legal clout to facilitate a thorough investigation and to render its results to Congress and, by extension, the American people.
Given the way that Washington operates today, the above suggestion is perhaps laughable. The checkbooks of lobbyists, not to mention senators with obvious conflicts of interest, have caused civil representation to morph into corporate representation, with the company with the most buddies in Washington (not to mention the deepest pockets) winning the game. The two parties’ horns are locked together to such an extent that there is a kind of governmental paralysis in D.C. that ensures that those who complain the loudest receive the most attention, even if they represent the smallest of minorities.
It goes without saying that the US government is broken and I do not blame the conspiracy theorists for believing that there is a plot in place to dissolve the core values of the nation. From the PATRIOT Act to NDAA to secret courtrooms and NSLs our rights have been eroded significantly in just ten years and all in the name of “security.”
Everyone, it seems, needs protecting from the “terrorists,” a term that is not well defined and seems to be applied to anyone the government doesn’t like the look of (e.g. Middle Eastern men being placed on “no fly lists” solely because of their ethnicity or surname).
The worst thing is that the people (with assistance from the well-cultivated government relationships with the supposedly “free” mainstream media) don’t seem to have a problem with this disturbing trend. It is not uncommon to hear at an airport checkpoint, a place where people are asked to submit to ridiculous and ineffective security theater, a complaint from one traveller about the onerous procedure being countered by another exclaiming that they are ignorant and that this nonsense is somehow for the good of the nation. Clearly the TSA has no sense of humor, as a recently photographed sign at an airport in Texas reads in italics “No jokes” and threatens that you may be detained if you disobey.
How did a country that was once the bastion of freedom slip so far away from the ideals of the Founding Fathers? I can’t answer this question, but I posit that a lack of diligence from the citizens as to the actions of those appointed to represent us, combined with an acceptance of increasingly draconian policy, certainly took us a long way down the road.
Benjamin Franklin is quoted as stating that “those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” Perhaps those who obediently allow themselves to be groped at the airport by the TSA whilst entertaining some vague notion that their molestation is somehow making the country a safer place to live should consider the true motives behind the circus that is the current state of the US federal government.