Bruce Schneier

 

Home

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

Computer Security Articles

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography and Computer Security Resources

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« How to Survive a Robot Uprising | Main | New Zealand Espionage History »

January 25, 2006

Vulnerability Disclosure Survey

If you have a moment, take this survey.

This research project seeks to understand how secrecy and openness can be balanced in the analysis and alerting of security vulnerabilities to protect critical national infrastructures. To answer this question, this thesis will investigate:
  1. How vulnerabilities are analyzed, understood and managed throughout the vulnerability lifecycle process.
  2. The ways that the critical infrastructure security community interact to exchange security-related information and the outcome of such interactions to date.
  3. The nature of and influences upon collaboration and information-sharing within the critical infrastructure protection community, particularly those handling internet security concerns.
  4. The relationship between secrecy and openness in providing and exchanging security-related information.

This looks interesting.

Posted on January 25, 2006 at 8:24 AM13 CommentsView Blog Reactions

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Tsk, Tsk, Tsk?

Posted by: Myles Grant at January 25, 2006 10:00 AM

Hmmm.. now, if the survey primarily contains people who read Bruce S. Blog, will it be fully representative of the general public?

Posted by: Aze at January 25, 2006 10:11 AM

Bruce,

Check this out:

"I registered deusto.com in 1997. Now, eight years later, Planeta Agostini, one of the biggest publishing groups in Spain and owner of Ediciones Deusto, sends me letters via its lawyers demanding me to transfer them the domain, because they registered the trademark "deusto" in 2002 (I repeat, I registered the domain in 1997)."

http://wolfb.com/2006/01/big-publishing-group-demands-my-domain.html

Love to hear your take on this!!

Posted by: elamb at January 25, 2006 10:33 AM

It's kind of easy to see where Rick is going with this survey, but a couple questions threw me. For example I had a hard time understanding what he meant by this:

"Secrecy can be a convenient method to conceal management errors."

If you say no, does your answer get interpreted to mean secrecy is always inconvenient to conceal management errors? ("Can" as in possible).

Posted by: Davi Ottenheimer at January 25, 2006 11:29 AM

So I'm the only one that sees "Tsk, Tsk, Tsk." when I go to the page?

Posted by: Myles Grant at January 25, 2006 11:47 AM

@ Miles

I sure don't.

Sounds like it's a web site that is being blocked by a proxy? You on a corporate network?

Try TOR :)

Posted by: Pat Cahalan at January 25, 2006 12:42 PM

@ Davi

I agree, some of the questions are leading. Some of them are also very subjective. I'd like to see the results of the study, just to see how they are presented.

Posted by: Pat Cahalan at January 25, 2006 12:44 PM

@ Pit

Actually, I assume that site is blocking me, because of which large corporate network I happen to be on right now.

Posted by: Myles Grant at January 25, 2006 2:20 PM

@Myles
FWIW, I thought "Tsk, tsk, tsk" was your reaction to the site. Maybe you should be a little less subtle in future ;=)

Posted by: Jim Hyslop at January 26, 2006 7:03 AM

@Jim

Sorry about that. That's literally all it says when I go there, and I thought that's what everyone was seeing.

Posted by: Myles Grant at January 27, 2006 8:40 AM

A agree with some fo the others that the questions were a bit leading (I agree with Davi?!?? Shocking!). Of course, rigging polls is more common than not.

My answer to several of the questions would be "it depends." I can think of some areas - for instance, a security flaw that only affects major core routers - that would be best shared only within the group of customers until a patch is available. Like everything else in life, some discretion is necessary. But IMHO the strongly preferred default is full disclosure.

Posted by: Anonymous at January 27, 2006 3:00 PM

Too many subjective ways to interpret the questions in this one. I'd like to see what quantitative formulas they use to analyze these results. Classic "survey 101" problems with this set of questions, but I am interesting in seeing the results nonetheless (just read the conclusions with your own serving of salt).

Posted by: Rich at January 30, 2006 1:38 AM

It's ironic that in order to take the survey on
security, you need to have set your browser to
poor security. I filled out the first page and clicked
"continue" and nothing happened. It requires that
you have JavaScript turned on.

Posted by: Ron at January 30, 2006 2:58 PM

Post a comment



Real names aren't required, but please give us something to call you. Conversations among several people called "Anonymous" get too confusing.



E-mail is optional and will not be displayed on the site.


Remember Me?


Powered by Movable Type. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Blog Menu

Search


blog only
whole site

Blog Home Page
100 Latest Comments

Archives

October 2008
September 2008
Complete Archive
Support Blogger's Rights!
New Book
Schneier on Security

more books by Bruce Schneier

Syndication
RSS 1.0 (full text)
RSS 2.0 (excerpts)
Translations
German
Italian (selected entries)
Crypto-Gram Newsletter
If you prefer to receive Bruce Schneier's comments on security as a monthly e-mail digest, subscribe to Schneier on Security's sister publication, Crypto-Gram.
read more