Monday, September 5, 2016

The Tech Does Not Support the VEP

https://www.justsecurity.org/32697/vulnerability-equities-process-intelligence-community/

Mailyn wrote a little rebuttal to Matt's and my piece on the VEP. Here's the thing: I get told off quite a lot for asking policy people to understand the technology at a fairly deep level before trying to argue the merits of the VEP. And here's why:
From Mailyn's "rebuttal"...


I love this idea that you can just study policy at Harvard and understand this issue. But you can't. MS08-026 (the bug used in Conficker) came out in version 1.001 of Stuxnet which was compiled in 2009, after it was patched. Now, that's "as far as we know" - it's possible it was used for other things before it went into Stuxnet.

I know why she wrote that though - because there was a Spooler bug that was used in Stuxnet that was also made "public" by a Russian newspaper and nobody noticed. So it was technically not 0day, but not patched, a category of bug that proponents of the VEP would like to pretend does not exist.

Not only that, but Matt and I do not propose "Bulk Disclosure" and we do not claim that the US does not have an interest in a secure Internet for commerce - we simply claim that the VEP is a pure PR move that cannot hope to accomplish its stated goals and does great harm while doing so (and in addition is bad PR!).


