Saturday, January 7, 2017

"Zero Day===Totally Gnarly"

So RDanzig sent an email to someone I'm working with on a policy paper and he corrected a term "Zero Day" to be "Zero Day Exploit vs Zero Day Vulnerability". This insistence on broken terminology is common among a certain set of policy people and it's a bit laughable.

"Zero Day" does not have a technical meaning, despite any RAND papers to the contrary, and the honest truth of it is that it is synonymous in the technical community with "Totally Gnarly". In your head, replace "Zero Day" with "Totally Gnarly" when reading a paper by any of the policy teams and they'll make equal amounts of sense.

I want to, of course, focus on the recent CSIS paper, which we've all read by now. It has a broken section on "Zero Vulnerabilities", which at first I read as similar to "Zero Inbox", but turns out to just be their West Coast team not knowing that it's "Zero Day" and then trying to put extremely dangerous policy ideas into their paper, seemingly without any internal peer review process?

A legally enforced code of conduct for all security researchers? Imagine the fun of trying to get that working when we can't even agree on basic principles around the subject in 40 years of trying. NIST, which had the NSA-backdoored random number generator debacle and lost all industry trust, is going to "Gather best practices" on vulnerability handling? Is that really something we need? NO. GIANT WASTE OF TIME IS WHAT IT IS. The US Government can't even get CVE working properly without a brouhaha and that's just about counting bugs, like the most basic biology lab on Earth.

Mandate publication of security assessments? I'm sure every vendor will sign right up for that and that won't cause any problems. This whole thing was written by a bug bounty vendor who wants the contract for a federal bug bounty program. It has no ideas worth using, and what REALLY should worry you is that there are a lot of super smart people who worked on this CSIS report, and none of them read this section closely enough to even correct the title from Zero Vulnerabilities to Zero Day Vulnerabilities, which is what I assume they meant.

There's some good stuff elsewhere in the report, but why didn't anyone even bother to read this section? How can we trust the other sections went through an internal peer review process?

1 comment:

  1. Where does it say "legally enforceable"?
    I see it saying "The President should clarify the legal status of vulnerability research" - in other words, let's look at how the CFAA as currently written can undermine research. Let's define research and create a legal safe harbor so that legitimate researchers can't have CFAA thrown at them.

    "This whole thing was written by a bug bounty vendor who wants the contract for a federal bug bounty program." That's complete speculation, and patently inaccurate.