Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong.

Slide 1: Disclosure/Non-Disclosure Case Study Observations. Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong

Slide 2: Approach
(Footer on every slide: Sakai, Shah, Walsh, Wong, Disclosure/Non-Disclosure Case Studies)
- Context created by course curriculum
- Disclosure and non-disclosure defined
- Case studies
- Observed practices and "norms"
- Summary and conclusions

Slide 3: Introduction
- Intro to computer security vulnerabilities
- To disclose or not?
- Is it illegal or unethical not to disclose a discovered vulnerability?
- What practices are observed by industry in the case studies?
- Question to the audience: What appear to be the accepted norms?

Slide 4: Introduction (2)
- Context of course
  - Ethical codes: acceptable professional behavior in the computer industry
  - Lessig: Architecture, Market, Norms, Law
  - Brin: Transparency, criticism, accountability, authority, authentication, trust

Slide 5: Full Disclosure – What is it?
A security flaw that is…
- Released to the public immediately
- Developed and discussed in a public forum
- In general, brought to light before the public and vendors simultaneously (often before a vendor fix is available)

Slide 6: Full Disclosure – Pros
- Levels the playing field
- Motivates vendors to fix the flaw
- Lets knowledgeable users know what their program is doing

Slide 7: Full Disclosure – Cons
- Makes exploiting the vulnerability easier
- Increases chance of compromise or crash
- Potential loss of productivity
- May result in an incomplete fix

Slide 8: Non-Disclosure Defined
A security flaw that is…
- Held until the proper fixes are produced
- Not shared in the public eye
- Limited disclosure is a middle ground defined by the company, in which it discloses some information on the vulnerability

Slide 9: Non-Disclosure – Pros
- Potential loss of market share
- Company/product reputation
- Undesirable exposure of underlying technology architecture
- Liability for company (can cut both ways)

Slide 10: Non-Disclosure – Cons
- False sense of security
- Potential delay of fixes (both company and client)

Slide 11: Case Study 1: Ping of Death – Overview
- Exploit (late 1996): Sending large IP packets to a computer may crash it.
- Stakeholders:
  - Malicious individuals executing the attack
  - Users who rely on vulnerable systems
  - Vendors of vulnerable systems
  - Public (relies on any of the above)
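As an added illustration of the defect behind this case study (not part of the original presentation): the oversized "ping" was an ICMP datagram split into IP fragments whose offset plus length exceeded the 65535-byte maximum an IPv4 datagram can have, so a reassembler that trusted those header fields wrote past its fixed-size buffer. The check below rejects such fragments before reassembly; the header builder, addresses and sample fragments are constructed for the example.

```python
import struct

MAX_DATAGRAM = 65535  # IPv4 total length is a 16-bit field, so no datagram may exceed this


def make_fragment(ident, offset8, more, payload):
    """Build a minimal IPv4 header plus payload (constructed sample; checksum left zero)."""
    flags_frag = ((1 if more else 0) << 13) | (offset8 & 0x1FFF)  # MF flag + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def parse_fragment(pkt):
    """Return (ident, byte offset, more-fragments flag, payload) from a raw IPv4 fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    offset = (flags_frag & 0x1FFF) * 8  # the offset field counts 8-byte units
    return ident, offset, bool(flags_frag & 0x2000), pkt[ihl:total_len]


def oversize_end(fragments):
    """Return the end offset of the first fragment that would push the datagram past
    MAX_DATAGRAM, or None if every fragment fits. This is the bounds check the
    affected reassemblers lacked."""
    for pkt in fragments:
        _, offset, _, payload = parse_fragment(pkt)
        if offset + len(payload) > MAX_DATAGRAM:
            return offset + len(payload)
    return None


def reassemble(fragments, check_bounds=True):
    """Reassemble fragments into one datagram. With check_bounds=False it mimics a
    reassembler that trusts the headers and grows its buffer without limit."""
    end = oversize_end(fragments)
    if check_bounds and end is not None:
        raise ValueError(f"fragment would extend datagram to {end} bytes; dropped")
    buf = bytearray()
    for pkt in fragments:
        _, offset, _, payload = parse_fragment(pkt)
        end = offset + len(payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[offset:end] = payload
    return bytes(buf)


# Constructed samples: a normal 1580-byte datagram, and one whose last fragment
# starts at byte 65512 (offset field 8189) and ends at byte 66992, past the maximum.
NORMAL = [make_fragment(1, 0, True, b"A" * 1480), make_fragment(1, 185, False, b"B" * 100)]
OVERSIZED = [make_fragment(2, 0, True, b"A" * 1480), make_fragment(2, 8189, False, b"C" * 1480)]

if __name__ == "__main__":
    print(len(reassemble(NORMAL)), oversize_end(OVERSIZED))
```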

Slide 12: Case Study 1: Ping of Death – Analysis
- Classification: Full disclosure
- Pros
  - More stable TCP/IP implementations
  - Similar exploits prevented
- Cons
  - Lost data
  - Vulnerable systems may still exist

Slide 13: Case Study 1: Ping of Death – Issues
- Ethical tests:
  - Utilitarian: TCP/IP is more stable now – ethical
  - Golden Rule: It sucks when someone crashes your computer, so you shouldn't do it to them – unethical
- Legal issues:
  - Denial of service attacks are illegal under the CFAA
  - Saw the beginning of contemporary issues: international boundaries, data integrity

Slide 14: Case Study 2: Microsoft IIS
June '99: eEye/Microsoft IIS security vulnerability
- eEye finds a serious security flaw in IIS Server
- eEye emails Microsoft and places warning bulletins, along with CERT
- Microsoft does not respond to the emails or warnings
- eEye discloses the vulnerability due to Microsoft's apathy

Slide 15: Case Study 2: Microsoft IIS (2)
November '00: Microsoft's anti-disclosure plan
- Microsoft and 5 security companies decide to create an industry standard for disclosure
- Will draft a standard for notifying the public about newly found software security bugs
- Leading objective of the group will be to discourage "full disclosure" of security holes

Slide 16: Case Study 2: Microsoft IIS (3)
April '02: Microsoft's practices today
- Trustworthy Computing Initiative started by a memo from Bill Gates, under which all employees are being trained in security
- Microsoft placed a bulletin warning on ten of their IIS vulnerabilities
- Both events are high profile in the area of security

Slide 17: Case Study 3: Felten vs. RIAA (1)
- Hack SDMI Contest (Fall 2000)
  - Break 4 watermarks: render the watermarks undetectable without significantly degrading audio quality
  - Edward Felten & team broke all 4 technologies
- RIAA threatened the team with litigation through the DMCA if the team presented its research to the public
- Felten sued RIAA to allow presentation of the research
  - Case thrown out since the DMCA does not apply to research

Slide 18: Case Study 3: Felten vs. RIAA (2)
- Stakeholders
  - Professor Edward Felten & team: crackers of the digital watermark technology
  - Other researchers
  - RIAA: record industry
  - Secure Digital Music Initiative (SDMI): holders of the watermark contest
  - Verance: one of the watermark manufacturers
  - Public

Slide 19: Case Study 3: Felten vs. RIAA – Analysis
- Classification: Full disclosure
- Pros
  - Public learns the truth: watermark technology fails
  - Watermark companies can learn from the hacks and develop better technology
  - SDMI & RIAA learn the technology doesn't work before full-scale release of watermarked CDs
- Cons
  - Verance's watermark compromised: DVD-Audio, already in use in the market, is now easily hacked

Slide 20: Case Study 3: Felten vs. RIAA – Issues
- Ethical tests:
  - Rights: RIAA threat to sue Felten for presenting a paper on hacking watermarks – unethical
  - Utilitarian: Public learns that watermark technology doesn't work – ethical
  - Utilitarian: Hackers learn of the vulnerability in DVD-Audio through the paper – unethical
- Legal issues:
  - Right to disclose the SDMI watermark hack
  - Fear of litigation due to the DMCA

Slide 21: Case Study 4: Malformed SNMP
- Simple Network Management Protocol (SNMP)
- Vulnerability reported by the Oulu University Secure Programming Group
- Vulnerability concerned trap and request handling
- Impact included DoS, service interruption, and unauthorized access and control

Slide 22: Case Study 4: Malformed SNMP (2)
- Stakeholders:
  - Equipment from over 250 manufacturers involved
  - 3Com, Cisco, Compaq, Dell, Hewlett-Packard, Lucent, IBM, iPlanet, Larscom, Lotus, Juniper, Nokia, Novell, Microsoft, Red Hat, Sun, Xerox
- Potential impact critical to the Internet and the majority of government and commercial networks

Slide 23: Case Study 4: Malformed SNMP (3)
- Response and solution: CERT and CVE
- Ethical test: textbook case of vendor notification and posted fixes
- Majority of vendors post patches within three weeks of notice
- Immediate workaround non-catastrophic

Slide 24: Observed Industry Practices
- Emergence of clearing-house and response organizations: Computer Emergency Response Team (CERT), Common Vulnerabilities and Exposures (CVE), Responsible Disclosure Forum
- Accepted as legitimate by industry and the customer

Slide 25: Observed Industry Practices (2)
- Role of industry and mainstream press
- Role of university and industry research groups
- Evidence of industry, press, and the buying public arriving at a sense of a "norm"
- Norm legitimized through criticism

Slide 26: Summary and Conclusions
From the case studies:
- Both non-disclosure and full disclosure can be ethical and unethical depending upon the tests applied
- The rights test is not applicable in most contexts due to the timeliness of the legal system

Slide 27: Summary and Conclusions (2)
- Movement of the industry: Practices by major software corporations are moving from non-disclosure (and limited interest in security) towards full disclosure (and a much greater interest in software security).
- Stakeholders following this trend: Microsoft, the 281 manufacturers, and organizations like CERT.
