CSI Working Group on Web Security Research Law Concludes…Nothing
In May I blogged what I thought was an interesting question regarding the legality and liability of reverse engineering in security vulnerability research. That discussion focused on the reverse engineering and vulnerability research of hardware and software products that were performed locally.
I continued with a follow-on discussion that extended the topic to security vulnerability research from the web-based perspective. There I was interested to see how much the opinions of many of the top security researchers on legality and liability differed between local and remote vulnerability research and disclosure.
As part of the last post, I made reference to a working group organized by CSI whose focus and charter were to discuss web security research law. This group is made up of some really smart people and I was looking forward to the conclusions reached by them on the topic and what might be done to potentially solve the obvious mounting problems associated with vulnerability research and disclosure.
The first report of this group was published yesterday.
Unfortunately, the conclusions of the working group are an indictment of the sad state of affairs in the security space and further underscore the sense of utter hopelessness many in the security community experience.
What the group concluded after 14 extremely interesting and well-written pages was absolutely nothing:
The meeting of minds that took place over the past two months advanced the group’s collective knowledge on the issue of Web security research law. Yet if one assumed that the discussion advanced the group’s collective understanding of this issue, one might be mistaken.
Informative though the work was, it raised more questions than answers. In the pursuit of clarity, we found, instead, turbidity.
Thus it follows, that there are many opportunities for further thought, further discussion, further research and further stirring up of murky depths. In the short term, the working group has plans to pursue the following endeavors:
- Creating disclosure policy guidelines — both to help site owners write disclosure policies, and for security researchers to understand them.
- Creating guidelines for creating a "dummy" site.
- Creating a more complete matrix of Web vulnerability research methods, written with the purpose of helping attorneys, lawmakers and law enforcement officers understand the varying degrees of invasiveness
Jeremiah Grossman, a friend and one of the working group members, summarized the report and concluded with the following: "…maybe within the next 3-5 years as more incidents like TJX occur, we’ll have both remedies." Swell.
Please don’t misunderstand my cynical tone and disappointment as a reflection on any of the folks who participated in this working group — many of whom I know and respect. It is, however, sadly another example of the hamster wheel of pain we’re all on when the best and brightest we have can’t draw meaningful conclusions against issues such as this.
I was really hoping we’d be further down the path towards getting our arms around the problem so we could present meaningful solutions that would make a dent in the space. Unfortunately, I think where we are is the collective shoulder-shrug shrine of cynicism perched perilously on the cliff overlooking the chasm of despair, which drops off into the trough of disillusionment.
Gartner needs a magic quadrant for hopelessness. <sigh> I feel better now, thanks.
/Hoff
The Report does not explore a key topic. If a security professional gives people good advance notice/explanation before undertaking an aggressive probe or action, he helps avoid appearing to be a criminal.