Catalyst Conference 2008


November 21, 2007

The Security Researcher in Plato's Cave

Blogger: Bob Blakley

In Plato's cave, the things we see are just shadows cast by an archetype, which we cannot see, outside the cave. We have to infer the archetypes by examining the shadows.

Here's an archetype:

a. An individual uses a product for its intended use and observes that in that intended use the product is hazardous.

b. The individual publicizes the fact that the product is hazardous.

c. Consequences ensue.

Now let's look at two shadows of this archetype.

1.

a. Shelby Esses of Jacksonville, Ark. gives her son Jack a number of SpinMaster Aqua Dots - a toy designed to let children create pretty designs.

Jack swallows the Aqua Dots and loses consciousness. Jack is hospitalized and it is discovered that the Aqua Dots are coated with a substance that is metabolized into a poison.

b. In due time, this incident is reported to the US Department of Health and the media.

c. The product is recalled. Its Australian distributor (Moose Enterprises), its American distributor (Toronto-based Spin Master) and its Chinese manufacturer are publicly identified and may be subject to legal action or government sanctions.

(links:
http://www.nytimes.com/2007/11/08/business/worldbusiness/08recall.html?_r=1&oref=slogin
http://www.cnn.com/2007/US/11/08/toys.daterapedrug.ap/)

2.

a. Dan Egerstad, a Swedish security researcher, configures a Tor exit server and observes sensitive traffic flowing in the clear through this server.

b. Dan publicizes the hazard to security and privacy by revealing the information he has observed flowing through his server.

c. Dan Egerstad is arrested. There is no evidence that the users of Tor servers have changed their behavior, Tor has not been recalled or revised, the Tor site has published no advisory, and no one appears to contemplate action against Tor's designers.

(links:
http://www.schneier.com/blog/archives/2007/11/dan_egerstad_ar.html
https://www.torproject.org/)

Arresting security researchers for publicizing flaws isn't new; just ask Chris Soghoian or DVD Jon. Winston Churchill recognized the problem, and the solution. He said "I decline utterly to be impartial between the fire brigade and the fire".

Security researchers are not the enemy. Jailing them is based on the assumption that the enemy is dumber than we are, and will not figure out how to attack systems unless we tell him. This assumption is false.

Operating under this assumption and jailing security researchers will have the effect of ensuring that the good guys cannot work together to build an effective defense, while bad guys can work together to build effective attacks.

If society decides that these are the rules they want us (security researchers) to play the game by, we will play the game by these rules - because we're the good guys, and we believe in following the rules.

But if we play the game by these rules, we will probably lose. And so will you.

You pays your money and you takes your choice, but you only gets what you pays for. Think about how you want to treat your fire brigade. Your life - or at least your bank account - might depend on it one day.
