Truth About Computer Security Hysteria
Freedom from Outside Interlopers Act (FfOIA)
George C. Smith, Ph.D., Editor-at-large
Thursday, 3 January 2002

NOTES FROM THE pages of a recent copy of the local Tagliche Beobachter on the Goner virus and its arrival on L.A. county government computers:
County supervisor: "[Everyone] started joking about it when [Goner popped up on their laptops] — probably Osama bin Laden communicating with us. I said 'Shouldn't somebody warn somebody before it's opened and infects the whole system?' This is supposed to be a time when we're protecting ourselves from cyber-terrorism but at the same time everybody was very laid back about it, which was very discouraging to me. I'm glad we stopped [a county-wide] $3-million expenditure [for more and better computer security protections] ... nobody was alarmed at the time we should be alarmed. We had virus protection but it didn't seem like anybody was doing any of that yesterday, so why do we need something even more sophisticated when we're not even doing the basics?"

Parsimonious behavior with regard to global computer security enhancements, in an environment where one is very uncertain that they will be of significant benefit, is good policy. It's not what anyone wants to hear, but it's intellectually honest — preferable to the brainless and reflexive pledging of cash money toward security stuff simply because someone has berated you into doing so as part of your corporate or bureaucratic responsibility in the war on terror.
In other matters, Mark Uncapher of the computer security lobbying group known as the Information Technology Association of America (ITAA) writes, "I'm sure you would not be surprised that I disagree with your comments about 'gutting' the Freedom of Information Act to protect information sharing. By way of background, I should say that I was the principal House staff person for the Electronic Freedom of Information Amendments of 1996 (E-FOIA) when I served as Counsel to the House Government Management Information and Technology Subcommittee.
"I'm not sure that many, or any FOIA supporters want information sharing with the government to be disclosable," Uncapher continues. "The major argument against the legislation has been that the existing exemptions protect disclosure for proprietary, national security and law enforcement information. Our concern has been that a company disclosure of third party vulnerability, such as a problem with a piece of software, might not be protected under the proprietary exemption."
Which is one way of looking at the issue. However, the more complete Vmyths interpretation of how this works, folks, is this.
Portions of the computer security industry lobby for the amendment of the Freedom of Information Act under the rationale put forward by the ITAA. The new protection, as the cant on it has been for the past two years or so, would shield corporate America and in so doing encourage it to share information on its computer vulnerabilities with the government. In truth, no one has any real idea if the amendment will improve computer security or lubricate information sharing. It's merely an article of faith.
Yet another rationalization that has cropped up recently is the September 11 catch-all: FOIA alteration will aid The War On Terror because the bad guys won't be able to plunder information on corporate security problems with it.
WHAT YOU WON'T get told on the same page is that the computer security industry has proven countless times that it has no regard for the "proprietary" information of others — "such as a problem with a piece of software." Not a week goes by without someone at a corporate computer security firm spilling the beans on someone else's excrement-stained software for the sake of simple vainglorious publicity.
(Did I hear you mutter public service? Pfeh. Read on.)
Amendment of FOIA does nothing to alter this entrenched industry practice. Nope. Instead, it aims at allegedly nasty-minded journalists and non-government observers who are thought to be lurking in the weeds, obviously ubiquitous terrorists, ready to use FOIA maliciously to bite at the ankles of honest corporate entities in order to uncover precious proprietary vitals, honest corporate entities wishing only to better the nation's networked security through improved communications with Uncle Sam.
Never mind that your editor-at-large has never actually met anyone using the Freedom of Information Act who fits this description ... but has met a savage, headache-inducing number within the computer security industry who most certainly qualify as professional ankle-biters — a group interested in the idea of information sharing only insofar as it is, in some way, of personal profit to them.
Back in October, Utah Senator Bob Bennett, who along with the ITAA is one of the primary forces behind a bill to amend FOIA now in Congress, said in an article for the Salt Lake Tribune that this would "address a dangerous national security blind spot." "Accordingly, I support a narrowly drafted exception to the Freedom of Information Act to protect information about corporations' and other organizations' vulnerabilities to information warfare and malicious hacking," he added.
It was to laugh, a quote cynically furnished for consumption by ninnies or those who have only the most childish and uninformed grasp as to how information on corporate "vulnerabilities" has historically been shared (try to say it without smirking) and nationally publicized.
President Bush, it is said, supports this legislation.
The times being what they are, a month ago I gave little thought to the idea that this ridiculous legislation might be stopped. Anything for the war on terror is the Zeitgeist and the amendment of FOIA through computer security industry-lobbied coup was an obscure issue, not on anyone's radar except for those likely to take it for a capital idea.
However, in December, things changed somewhat when an environmentalist movement got wind of the matter and cried foul. On December 13, the Salt Lake Tribune reported that Bennett had delayed further action on his FOIA-amending bill until 2002 as a result of targeting by "a coalition that includes doctors, librarians and other groups fearful that it would black out essential environmental information." Bennett's action, the Tribune reported, came "after the coalition began bombarding senators with warnings" asserting the FOIA amendment "would have 'devastating' — if unintended — effects on public information."
MOVING RIGHT ALONG to a related issue, that impish green-haired fellow from eEye Digital Security has been in the news again! Seemingly a man who could not grant enough holiday season good cheer, the one of green hair shared information, like the seasonal dispensation of fruitcakes undertaken by any good samaritan, on yet another Microsoft vulnerability — extending his computer security wisdom and magnanimity to the now much-read-about Windows XP universal plug-n-play fault.

Although the Freedom of Information Act did not have a hand in this, it is worth noting that Microsoft's former mouthpiece for computer security, Howard Schmidt, supported amendment of FOIA before leaving the company for a position in Richard Clarke's office of infra-cyberstructure care and cleanliness, yet another entity which supports FOIA change. It is also fair to say that with regard to vulnerabilities and information sharing (stop smirking) on them, Microsoft has had considerable trouble dealt it at the hands of partners in the world of computer security but none at all from the Freedom of Information Act. So will Howard Schmidt use his new policy position to organize for a legislative cure for eEye? Here's a suggestion, dear fellow: call it the Freedom from Outside Interlopers Act (FfOIA).

Anyway, four days before Christmas, the southern California Tagliche Beobachter playfully noted in a story on the Microsoft XP problem: "four years ago, as a teen hacker using the moniker 'Chameleon,' [the Microsoft-examining happy harpy of holiday help] was known for defacing Department of Defense Web sites with digital graffiti." Those rascals at the Beobachter! The Beobachter reported, too, that Microsoft's Scott Culp had vowed an immediate remedy. "We're going out and asking every Windows XP user on the planet to install this patch," Culp said generously. "It has got to work."
Patch everyone on the planet with XP. Ho-ho, such a humorous chap! Others might have to regurgitate the direct quote without pointing out it's all a crock, but not me. You can always leave it to software developers to promise what can't be delivered, even when they know it's propaganda. But I'm not gonna give you a lecture on inefficiency as it pertains to calls for universal software patching, Scott. Instead, you get a history lesson drawn from biology. I feel free to do this because every week I get press releases about some brain-dead conference on networked computing where people are invited to expound without much trace of humor on topics like "biological models in computing."

From biology, then: In the 1970's, D.A. Henderson led the World Health Organization's successful campaign to eradicate smallpox — a real virus, as opposed to the PC kind — in the world population. This was thought feasible, in part, because smallpox only exists in humans. It lacked a reservoir in other species and, once thoroughly eliminated from the population, would not recur due to natural means. Very quickly, Henderson and WHO scientists realized that it was going to be logistically impossible to vaccinate everyone in the effort. Even universal vaccination in undeveloped nations suffering pandemics wasn't a realistic option. So the WHO did not promise universal vaccination — in a manner of speaking, the patching of humans against smallpox. Instead, the WHO developed a strategy of ring vaccination in which everyone thought to have come in direct contact with the sick or to be at risk from a local exposure was immediately vaccinated — or patched.

Another of the considerable problems confronting WHO doctors in this crusade was the fact that 95 percent of all cases of smallpox were never reported to authorities.
This was combated by an aggressive approach in which victims were forcibly quarantined. Pictures of people stricken by smallpox were shown to those being vaccinated so that names could be gathered on others showing symptoms of the disease. And rewards were also offered to those who could offer details on other cases of active smallpox.
IMAGINE THAT! A cash incentive to help cure a vulnerability! What a novel idea! I bet that would fly at Microsoft! Cash money rewards for the successful installation of a software patch! Forget FOIA, man, this is win-win-win!