More on the Vulnerabilities Equities Process

The Open Technology Institute of the New America Foundation has released a policy paper on the vulnerabilities equities process: "Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications."

Their policy recommendations:

  • Minimize participation in the vulnerability black market.
  • Establish strong, clear procedures for disclosure when it discovers and acquires vulnerabilities.
  • Establish rules for government hacking.
  • Support bug bounty programs.
  • Reform the DMCA and CFAA so they encourage responsible vulnerability disclosure.

It's a good document, and worth reading.

Posted on August 4, 2016 at 7:25 AM • 22 Comments

Comments

Wm • August 4, 2016 7:51 AM

Since this has nothing to do with the current day corrupt government that is only interested in money, vote buying through giveaways, buying votes through hiring people into unnecessarily created government jobs, sex parties in foreign countries while accompanying Obama on lavish million dollar vacations and worthless diplomatic trips, all such suggestions on how to fix anything are futile and not worth the effort to research and/or print.

SoWhatDidYouExpect • August 4, 2016 8:58 AM

@r:

Clearly, Wm does not want any improvements and is satisfied with the status quo as it is. That position is to someone's advantage. By the way, Wm should provide details (and proof) for the charges made. Otherwise it is simply political innuendo for a yet unknown purpose.

Allen Dulles • August 4, 2016 8:59 AM

Just as long as the government has license for "minimal" participation in the black market and to hack away when needed, I suppose the Deep State will support this. Surely the "rules" will accommodate government secrecy requirements on behalf of national security and the public interest, thereby creating a loophole for intelligence officers to immerse themselves in black ops to their hearts' content.

Transparency is for little people. So is rule of law. The United States is the exceptional nation and the intelligence services are exceptional organizations!

Sancho_P • August 4, 2016 9:48 AM

There is a much simpler policy recommendation: Restore capitalism.

Ditch complicated rules and laws, the principle is old and matured:
Those who make money from selling shit are reliable.
They will be happy to run bug bounty programs on their own.

Wait, won’t work - our society is based on lawmakers, my bad.

albert • August 4, 2016 10:12 AM

Far be it from me to shy away from cynicism.

I'd expect more from authors, especially since one is a JD, and another a law school grad.

1. "...Minimize participation in the vulnerability black market...." - Why not 'eliminate' it? There are many ways, even in the case of foreign entities.

2. "...Establish strong, clear procedures for disclosure when it discovers and acquires vulnerability...." - 'Procedures' don't have the force of law, nor do they have sufficient punishments for violations.


3. "...Establish rules for government hacking...." - Is this a joke? See 2.

4. "...Support bug bounty programs...." - One out of five; room for improvement.

5. "...Reform the DMCA and CFAA so they encourage responsible vulnerability disclosure...." - OK, 1.5 out of five, but any sort of reform here will require fighting a large and powerful Corporatocracy. It will take a united, independent Congress to accomplish this. (Sometimes I crack myself up, even in print)

At least it's not another academic masterbatory* exercise.

-----------
* as in master thesis.

You thought what?

. .. . .. --- ....

bleh • August 4, 2016 10:50 AM

Why isn't "government hacking" at least as limited as "government blowing up houses, or busting down doors"? I mean, after all, my computer is in my private house; it's my own inner sanctum, so by law if you were not invited or somehow "let" in, you should stay out. It's my private property. And it should also be designed to be secure enough to withstand criminals that don't care about law.

WhiskersInMenlo • August 4, 2016 12:50 PM

Just as prohibition and ill-designed drug laws spawned a multi-billion-dollar criminal industry, bad policy, bad law and regulation are also spawning a global industry of stolen data, system hijacks and the sale of defects.
Be knowledgeable of the risks that bad policy and bad policing hold.

Arclight • August 4, 2016 2:26 PM

Unfortunately, the incentives don't align well for any real "equity" to be achieved.

Companies don't get bad press over vulnerabilities that never see the light of day, and bug bounty programs cost money to run while not increasing revenue.

Governments and defense contractors don't see direct benefits from disclosing and fixing problems in widely-deployed software, as the benefits don't exclusively go to their customers.

In my experience, many companies which do have payout programs often try to weasel out of paying through fine print or legal threats.

Okay, the person who submitted this huge 0-day is a 16 year-old kid from Romania.

I get that your ToS says you don't have to pay him due to age or geography, but really?

And this vulnerability affects an IoT device that can't be field-upgraded? Time to wield the DMCA and threaten this college student with federal prison time if he doesn't sign an NDA immediately.

These players will just call VuPen or Raytheon next time and actually collect.


Arclight

ILB • August 4, 2016 3:02 PM

Interesting read. A few personal comments.

1) Recommendation 1 is for the US government to minimize its participation in the zero day market. Assuming this recommendation is applied, it means that the only actors who would still be using such markets would be criminal actors, intermediaries (who mainly deal with criminal actors and the government who is no longer allowed to deal here) and software vendors (who privilege vulnerability reward programs anyway). Why not then simply criminalize zero-day markets? I understand the difficulties in doing so, but this could certainly help reduce the movement of zero days to malicious parties.

2) Dan Geer's idea (page 21) about the US government cornering the vulnerability market, coupled with the mandate of publishing the maximum number of zero days possible, would mean the US government would basically subsidize the security research industry for the benefit of the world population. Not sure if this is realistic. Also, I'm in the "vulnerabilities are dense" camp, so I don't think such an approach would scale. I'm sure vulnerability researchers would love it though.

3) Maybe I misunderstand Recommendation 3, but if the US government is forbidden from buying vulnerabilities on the market, then I'm going to assume that most of the vulnerabilities discovered by government agencies will be for offensive purposes. It doesn't reduce the importance of a clear vulnerability equity process, but it puts it in a realistic context. I don't see the US government investing resources in discovering new zero-days just to disclose them for free to the industry; again, that would be subsidizing the security for the rest of the planet. The exception here would be for vulnerabilities in software and systems that are of critical and unique interest for the government versus commodity software.

4) Regarding Recommendation 5, I tend to agree with the general idea, but some security researchers could interpret this as allowing them to freely discover and exploit vulnerabilities on private networks without fear of legal repercussion. I don't see this ever being the case, no matter the actual economic harm. One, because it can be non-trivial to discriminate between legitimate researchers and cyber criminals caught before they can do more damage, as the latter can always claim to be the former as an alibi. Second, because the actions of legitimate researchers can still affect the availability of private systems, and this risk for business cannot be properly managed without first entering a contractual agreement with the legitimate researcher.

jones • August 4, 2016 6:11 PM

@ ILB

Dan Geer has some excellent policy recommendations along these lines in his 2014 Black Hat keynote.

One policy recommendation that I think is long overdue is stronger product liability laws for software.

If a Toyota gas pedal sticks, we see vehicles recalled.

If a software bug crashes the New York Mercantile Exchange and telephone service in 1998, nothing. ( http://www.nist.gov/director/planning/upload/report02-3.pdf )

65535 • August 4, 2016 9:46 PM

@ jones

“One policy recommendation that I think is long overdue is stronger product liability laws for software. If a Toyota gas pedal sticks, we see vehicles recalled.”

That is an interesting idea.

I recall a paraphrased quote by a General Motors executive: in response to Bill's comments, General Motors issued a press release stating that if GM had developed technology like Microsoft, we would all be driving cars with the following characteristics:

1] For no reason whatsoever, your car would crash twice a day.

http://mistupid.com/jokes/msvgm.htm

Fast-forward to the "Vulnerabilities Equities Process" and Microsoft's Windows 10, which seems to be the biggest set of vulnerabilities for a mainstream OS, and a huge mess.

Or, is there something else going on in the shadows?

Windows 7/8/8.1 were relatively free of vast data-mining compared to Windows 10, Android and Apple operating systems [sure, there is room for debate].

Now that Windows 10 is out, all of the widely used operating systems on the market are based on data-mining as a business model. This could be very useful to the NSA.

While briefly scanning the consumer acceptance of Windows 10 – or lack of acceptance – I ran across points of interest in an argument for ‘Why Microsoft Corporation Should Make Windows 10 Free Forever’ [ignore the Free for Ever argument for now]:

[Madison]

“2. Operating systems are mostly free

“Unfortunately, Microsoft still doesn't seem to realize that its classic business model of selling operating systems has been turned upside down by Alphabet's (NASDAQ: GOOG) (NASDAQ: GOOGL) Google and Apple (NASDAQ: AAPL).
“Google hands out Android for free, because the OS tethers more users to the Data-Mining Ecosystem, which feeds its core targeted advertising business. iOS can't be installed on non-Apple devices, but Apple provides new versions for free via over-the-air updates. Both companies generate significant revenue by taking a 30% cut of app store sales.

“3. It's the only way to stay competitive

The only way for Microsoft to effectively compete against Google and Apple without a viable mobile platform is to mimic their business models with Windows 10. The only way to do that is to offer Windows 10 as a free download to all consumers until the user base is large enough to be tethered to its ecosystem of ads, apps, and cloud services [and Data-Mining – Ed].”

http://host.madison.com/business/investment/markets-and-stocks/why-microsoft-corporation-should-make-windows-free-forever/article_b7419729-a4f7-558b-a174-270984edf228.html

Could Windows 10 be the NSA's best Friend?

[Other uncomfortable items]

The NIST has been subjected to arm twisting by the NSA and other 3 letter agencies.

The NIST link appears to be Word 7007-011 FR Complete[.]doc – report02-03[.]pdf:

http://www.nist.gov/director/planning/upload/report02-3.pdf

Thus, the NIST is using Microsoft Word to produce its PDF documents, which is probably a vulnerability itself. This makes the NIST look awkward.

In the prior thread "NIST is No Longer Recommending Two-Factor Authentication Using SMS", poster r notes the Intercept's article "The Great SIM Heist" about the NSA stealing keys from SIM card maker Gemalto.

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html#c6730225

[The Intercept]

https://theintercept.com/2015/02/19/great-sim-heist/

[Wikipedia]

"Security breaches

"...documents leaked by Edward Snowden, NSA's and GCHQ's Mobile Handset Exploitation Team infiltrated Gemalto's infrastructure to steal SIM authentication keys, allowing them to secretly monitor mobile communications. GCHQ codenamed the program "DAPINO GAMMA". The secret GCHQ document leaked by Snowden also claimed the ability to manipulate billing records to conceal their own activity and having access to authentication servers to decrypt voice calls and text messages. Snowden stated that "When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim), they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto."

"The breach subsequently refueled suspicions against Gemalto chairman Alex J. Mandl, given his role in the CIA venture capital firm In-Q-Tel."

https://en.wikipedia.org/wiki/Gemalto#Security_breaches

[and]

https://en.wikipedia.org/wiki/Gemalto

If In-Q-Tel or any of the tentacles of the NSA have influenced Microsoft into becoming a Full Blown data-mining company then one could surmise all Microsoft products have been compromised and of little use to the average citizen [But of great use to the NSA].

If the above is indeed true, the only solution would be to switch to Linux or hope another friendly country develops a secure operating system that doesn't data-mine as a business model.

I am not holding my breath nor do I see the curtailment of governmental zero-day exploit purchases.

65535 • August 4, 2016 10:08 PM

Vulnerabilities, Windows and Gemalto:

[one more odd connection between Gemalto, Gemalto keys, and Microsoft]

[Wikipedia]

"Microsoft partnership

"Microsoft employees worldwide use Gemalto .NET smart card technology embedded in their corporate badge to enable access to Microsoft’s own information systems. In... 2008, Gemalto announced that Instant Badge Issuance (IBI), a solution that works directly with Microsoft Active Directory and Identity Lifecycle Manager (ILM) to load digital certificates directly onto the smart card. At Microsoft’s "Heroes Happen Here" event in February 2008, Gemalto and Microsoft demonstrated the only .NET smart card technology with support built into Microsoft Windows Server 2008. In ...2007, Gemalto made its .NET smart card, Protiva Strong Authentication Server and related Protiva credential devices, and other Windows Smart Card Framework-compatible products available for live simulation at the Microsoft Partner Solutions Center on Microsoft Corp.’s Redmond, Washington, campus.

"In November 2007, Gemalto attained Gold Certified Partner status in the Microsoft Partner Program. In 2006, Gemalto organized a Microsoft-sponsored contest, SecureTheWeb, for the best new development in secure personal devices for Web services, such as smart cards and one-time passwords (OTPs)" -Wikipedia

https://en.wikipedia.org/wiki/Gemalto#Microsoft_partnership

I wonder how many Microsoft/Gemalto keys have been stolen by the NSA/CIA/GCHQ and so on - more perceived Vulnerability and less Equity.

r • August 4, 2016 10:46 PM

@65535,

Thanks for putting that all together, I had recently seen the .NET smart cards because I've been investigating SC's due to Thoth and others plugging them (not Gemalto). Thank you again for putting 2 and 2 together there. I guess I should pay attention to who more in addition to what as per my usual self.

The other thing, I guess I hadn't quite noticed but you're right about the modern "consumer oriented" Android/Apple(?)/and Microsoft ecosystem. A couple of mechanisms to consider: Microsoft used to give subsidized copies of Windows to manufacturers. The manufacturers were then bound legally to only provide Microsoft products IIRC, I may not be accurately remembering that. The point is that they may still have some of the companies locked into such deals, and now with UEFI they are sometimes quite literally locked into that situation.

Lastly, about your question about "how many keys". The NSA, like others, is technically what we refer to as an APT; I wouldn't expect them to settle for anything less than the root key or the RNG/keygen/computer behind its generation.

There's a LOT of people out there who swear by .NET (personally, I think it's because of MSBASIC), and MS just ported it officially to Linux, rendering Mono pretty well moot. So, the usefulness of such forethought could be immense if it is allowed to persist or gain a foothold in things like ATMs. We both know Microsoft is there already, so why not?

albert • August 5, 2016 10:38 AM

@65535, @jones, @etc,

Stronger product liability laws? Neither the government nor the corporations want -any- kind of liability, product or otherwise.

Ford (Motor Co.) refused to re-design its Bronco (and later Explorer) even though it paid out tens of millions in liability lawsuits, one even reaching the Supreme Court.

I don't even want to talk about the software sector. It's a mess, even without the security issues.

NIST is a wholly-owned subsidiary of the US gov't. They can measure their jump heights very accurately.

@r,
"...Microsoft used to give subsidized copies of Windows to manufacturers. The manufacturers were then bound legally to only provide Microsoft products IIRC, I may not be acurately[sic] remembering that. The point is that they may still have some of the companies locked into such deals, and now with UEFI they are sometimes quite literally locked into that situation...."

Of course that was the whole point with UEFI, wasn't it.

The leopard can't change its spots (they're genetically coded). MS can't change its behavior. The law means nothing to them. The more market share they lose, the more desperate they become. Without their corporate lock-in, they would have been gone years ago. That's why I was sad to see Ballmer go. He could have ruined MS, if he'd had a little more time.

. .. . .. --- ....

65535 • August 5, 2016 1:22 PM

@ r

"A couple of mechanisms to consider: Microsoft used to give subsidized copies of Windows to manufacturers. The manufacturers were then bound legally to only provide Microsoft products IIRC, I may not be accurately remembering that. The point is that they may still have some of the companies locked into such deals, and now with UEFI they are sometimes quite literally locked into that situation."

I agree.

Microsoft consolidated power in that way. UEFI was the icing on the cake of lock-in control, and the ability to spy at a level beneath the OS.

“The NSA like others is technically what we refer to as an APT, I wouldn't expect them to settle for anything less than the root key …”

Yes, it looks that way.

"There's a LOT of people out there who swear by .NET (personally, I think it's because of MSBASIC), and MS just ported it officially to Linux, rendering Mono pretty well moot. So, the usefulness of such forethought could be immense if it is allowed to persist or gain a foothold in things like ATMs. We both know Microsoft is there already, so why not?"

The [dot]Net thing was supposed to be more secure and more flexible, yet has not proven so. It is used by a lot of programmers under "fairy-land" assumptions.

Your point on the Automated Teller Machines being powered by XP is well taken.

@ Albert

"NIST is a wholly-owned subsidiary of the US gov't. They can measure their jump heights very accurately."

It looks that way.

The NIST started out as a legit standards body, then was corrupted by the NSA and other 3 letter agencies. The NIST needs to be free of the NSA's grip. I would guess that whatever the NIST recommends should be taken with a large grain of salt [or disregarded altogether].

albert • August 5, 2016 3:34 PM

@EvilKuru,

"...7. Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light...."

and it would be blue (with white text).

. .. . .. --- ....

65535 • August 5, 2016 6:28 PM

@ EvilKiru

That’s not the point.

Note I said paraphrased and gave you the jokes link.

Further, I had already read the "snopes poop" before writing the comment. I had friends in the auto business during the time of those comments. Many of them felt the comments, or sarcastic jokes, were indeed planted by auto company PR firms and quietly disseminated as a way of not getting sued [who wants to get sued by M$].

I will say that snopes is a hit-and-miss site. There are a lot of disagreements about some of the snopes opinions, and snopes should be taken with a grain of salt.

[I am going to the squid thread – this one has run its course]

Clive Robinson • August 5, 2016 11:55 PM

@ EvilKiru, 65535,

The actual comparison about computer performance and cars is way way older than you think (or Snopes says).

The first time I heard "If cars improved like XXX then we would all be driving a £5 Rolls Royce that did 1500 Mph and 1000 Mpg" was at a Christmas Lecture by the IEE at Savoy Place just under forty years ago. The person giving the lecture paused (as timing is important ;) and then said "Unfortunately it would also be so small you would need a magnifying glass to see it".

The XXX was the size of active electronic components, going from thermionic valves (tubes for US folk) and transistors to microchips. This was a little under a decade and a half after the observation from one of Intel's founders, Gordon Moore, about the doubling of transistor count every year in his 1965 paper (he later revised it to every two years, then someone else revised it down to eighteen months).

So not an original "Gates Observation" at all...
