Full Disclosure and Whistleblowers

There was once a time when disclosure of a software vulnerability was considered reckless, uncouth and even potentially criminal. These days full disclosure (with a courtesy email to the author of the software and an acceptable period of time to allow a patch to be produced) is considered responsible and a generally accepted practice. It is even acceptable to publish your findings in the absence of a patch where the vendor has been given ample opportunity to fix their product but has not done so. Some would argue that this system provides software vendors with an incentive to produce higher quality code at release time and – should problems be found – to release a patch as soon as possible. Were there not the “big stick” of imminent disclosure through security lists like bugtraq hanging over the heads of software vendors, it is likely vulnerabilities would remain unpatched for a far greater period of time or perhaps never be fixed. Public shaming, it seems, is a decent motivator.

It is with this in mind that I question vendors that demand a schedule for the release of security related patches (e.g. Microsoft’s Patch Tuesday). I can understand their rationale that it assists large enterprises in managing their assets, and I take into account that on rare occasions Microsoft has elected to push an out-of-cycle patch for some important vulnerability. Even so, the idea that we should schedule patches for release on a specific day seems ludicrous, especially in the world of security where time is absolutely critical. Assessments of the severity of found flaws can often be dead wrong – leading to a vulnerability that should have had patches rolled out immediately being left open and exploitable for up to another six days depending on where in the cycle it was first reported. Updates should be made available as quickly as possible. This doesn’t mean that testing of patches in a variety of environments should be skipped and “alpha” quality patches delivered to customers. Microsoft has had a few “bad updates” of late and no doubt would not like a repeat of such behavior, particularly where regression is difficult and an administrator must intervene to fix the issue. Moreover, the entire process should be streamlined and these big vendors should work to ensure that patches are released the day they are ready and not a moment later. Threats will not care that a patch is forthcoming next Tuesday if your machines are exploitable today.

A second and somewhat related thought centers around whistleblowers like Edward Snowden, whom the government regards as a terrorist. Whistleblowing on government practices that violate a nation’s own constitution or otherwise adversely affect a country should not be regarded as a crime but as a service to the citizens of said country. Many have stepped forward to shine a light on corrupt practices only to be rewarded with arrest and incarceration. As a consequence many do so anonymously, afraid to voice their concerns or air privileged information that may shed light on dark practices. Snowden and his breed of whistleblowers have had the courage not only to leak information that they believe is important for the world to know, but to do so openly and without obscuring their identity. Depending on who you ask they are either extremely brave or incredibly stupid. No doubt Snowden will have to live with the consequences of his decision to go public and sign his name to these disclosures.

Snowden is, in effect, doing to government what the security industry’s ideal of “full disclosure” does to software vendors. No doubt questions remain as to how effective this process will be in achieving real change in how the US government’s surveillance agencies operate. Given that many citizens regard Snowden as a traitor and believe that mass surveillance is a necessary price to pay for their safety I hold little hope that things will change.

A sensible government would establish a taskforce charged with the investigation of corruption and create an official channel through which government employees and contractors can anonymously voice their concerns about practices they have witnessed without fear of reprisal. Such a taskforce must have the legal clout to facilitate a thorough investigation and to render its results to Congress and, by extension, the American people.

Given the way that Washington operates today the above suggestion is perhaps laughable. The chequebooks of lobbyists, not to mention senators with obvious conflicts of interest, have caused civil representation to morph into corporate representation, with the company with the most buddies in Washington (not to mention the deepest pockets) winning the game. The two parties’ horns are locked together to such an extent that there is a kind of governmental paralysis in D.C. that ensures that those that complain the loudest receive the most attention, even if they represent the smallest of minorities.

It goes without saying that the US government is broken and I do not blame the conspiracy theorists for believing that there is a plot in place to dissolve the core values of the nation. From the PATRIOT Act to NDAA to secret courtrooms and NSLs our rights have been eroded significantly in just ten years and all in the name of “security.”

Everyone, it seems, needs protecting from the “terrorists,” a term that is not well defined and seems to be applied to anyone the government doesn’t like the look of (e.g. Middle Eastern men being placed on “no fly lists” solely because of their ethnicity or surname).

The worst thing is that the people (with assistance from the well-cultivated government relationships with the supposedly “free” mainstream media) don’t seem to have a problem with this disturbing trend. It is not uncommon to hear at an airport checkpoint, a place where people are asked to submit to ridiculous and ineffective security theater, a complaint from one traveller about the onerous procedure being countered by another exclaiming that they are ignorant and that this nonsense is somehow for the good of the nation. Clearly the TSA has no sense of humor, as a recently photographed sign at an airport in Texas reads in italics “No jokes” and threatens that you may be detained if you disobey.

How did a country that was once the bastion of freedom slip so far away from the ideals of the Founding Fathers? I can’t answer this question but posit that a lack of diligence from the citizens as to the actions of those appointed to represent us combined with an acceptance of increasingly draconian policy certainly took us a long way down the road.

Benjamin Franklin is quoted as stating that “those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” Perhaps those who obediently allow themselves to be groped at the airport by the TSA whilst entertaining some vague notion that their molestation is somehow making the country a safer place to live should consider the true motives behind the circus that is the current state of the US federal government.

6 thoughts on “Full Disclosure and Whistleblowers”

  1. Hey one more little tidbit that might make you cringe at the state of Federal gov’t in America. The day of the latest intrusion into my home by a gov’t agent, my dog was limping. I immediately thought hip dysplasia, a common ailment in dogs, but this was on the front left shoulder and she could still walk and balance on her hind legs. This was a very pronounced limp, and worried me and my brother. After 4 days or so the limp disappeared and she’s back to normal. My brother stays w/ the story of a “pulled muscle”. I think the gov’t agent felt threatened by my dog and kicked w/ its right leg onto the front left shoulder of my dog. It’s a wonderful world, eh?

    • I would put nothing past government and often their “enforcers” (law enforcement, with an exception being the many local sheriffs who have stood against the erosion of the constitution).

      I heard a particularly terrible story about the feds raiding the WRONG property. Said folks were in plain clothes and did not identify themselves loudly. The property owner was charged with a firearm related offense as he shot a warning round into the air. Not only that but his cattle dog (this was a ranch) had the audacity to have a bit of a bark at the trespassers and copped a bullet for his trouble.

      You hear about these sorts of stories all too often. In this instance they possessed no valid warrant (wrong address), had no probable cause and recklessly caused the death of the guy’s pet. As far as I am concerned he should have made that shot he fired count.

      Last time I checked we were allowed to defend our castles against illegal intrusion, but the way things are going we won’t even have the right to defecate without governmental approval.

      • Yeah…It’s just common sense and it’s getting so extreme now. So damn depressing that I gave up trying to work out a political decision. I’ve seen enough screw ups that I have no problem saying I’m very biased to be anti-police. Too many failures, and too many times they treated me like sh*t.

        BTW I think someone popped your spam cherry. It made me laugh nonetheless.

      • Not sure what the solution will be to the great farce that is the government but I am sure it will result in a second civil war if they keep trampling on the constitution. Then again people are too dumb, fat and busy working for peanuts to keep their home from being foreclosed by their local friendly banking conglomerate.

        Re spam cherry – nah, the guy is actually legit and posts on both Stanislav and Popescu’s blogs occasionally. I think he was responding to my post that said I wouldn’t over moderate comments.

        Speaking of spam though, I am forced to delete a lot of Chinese blog spam. All nonsensical Markov chain generated text followed by a link to some Chinese website. Weird stuff. Funnily enough your posts keep getting quarantined for moderation for some unknown reason. I have whitelisted you so hopefully that fixes it.

  2. Oh ok whoops. Maybe it’s my email address (you shouldn’t ask for mine lol). I’ve noticed some Chinese attacks on my computer (there’s been a lot). I have 2 suspects (1 of which got a little “treat”) who are actually kind of close to me. This comp doesn’t matter though to me and I’ve got bigger problems (why would I try to secure when they break in my home)…I figure give them the blackmail they want and leave me alone.

    So if spam’s coming from my comp. (since I’ve lost control of it) or IP (no proxies, coming at you straight up) then block it.

    Liked Stanislav’s “microwriter”, neat.
