Thursday, September 22, 2016

The Information Singularity of Vulnerability Discovery Collisions

Corrections of corrections of corrections.

So I want to point out a great example of how not understanding the technology - in fact, not having a deep background in the technology - can make it impossible to do valuable analysis on a policy problem.

If you've read Mailyn's posts, which are a response to Matt Tait and me when we called the VEP a pure PR exercise, you'll note she tries to continue the common claim that the vulnerabilities we use are often independently found by our adversaries and then used against US interests.

In her first post, she claimed MS08-067 was an example of this, but failed to realize, due to her lack of a technology background, that Stuxnet only included it after it was made public. In her second post, she claimed the LNK bug in Stuxnet was a clear example, since it was found being used in the wild by the AV company VirusBlokAda. The problem with her "corrected" analysis is that what VirusBlokAda found was...Stuxnet itself! In other words, she makes the ultimate circular argument about vulnerability discovery collisions without even realizing it: the only "adversary" found using the bug was the operation that used the bug. Her post has since been edited to claim that LNK still makes her argument, but in some unknown way that is unclear and unsupported (and untrue, in my opinion).

It's not just Mailyn. The Schwartz and Knake paper does the same thing: it assumes vulnerability collisions are a known, common effect in our world. But the truth is no doubt infinitely more complex, and without a deep understanding of the technology it's impossible to talk sensibly about the policy issues around vulnerabilities.

This is the difference between Access Now-style activism, where things are true if you WANT them to be true, and science-based policy, which requires understanding the subject matter at hand.

Below is another example, from Cyber War vs Cyber Realities, a book out of Oxford University Press (not from Oxford University itself) that I'm peer-reviewing right now.

What these types of authors would love to say is "We are policy people, not technologists." Which is fine, but in this case we are doing highly technical policy work, where knowing Stuxnet when you see it is important. Knowing which parts of your policies are more complex than a simple statement is how you get to good policy, and without that we are lost in this bizarre information singularity.

1 comment:

  1. What about stored/persistent XSS?! Is a correction needed for the post berating articles that require corrections? Your overall point about the book’s quality still stands, you may just need to pick a different example. ;)