A Few More Thoughts on Disclosure
Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues our industry is, itself, a well kept secret. (Arthur, I’ve heard from people whom I respect that ISAC is much like FIRST, in that there’s no data sharing.)
When I say it plagues us, I mean that in an almost literal sense. We are sick. Information security professionals often carry and communicate a contagious contempt towards information sharing which has prevented us from learning from each others mistakes. Buffer overflows were first documented by James Anderson in 1972 , and until after exploit techniques were clearly described by Aleph1, no systemic defenses were built.
The lack of good information leaves us powerless at the hands of auditors who come in threatening to fail companies on Sarbox rules if they don’t require password changes monthly. It leaves us with any idiot able to declare their personal ideas of how to improve security as “best practices.”
Laws such as California’s SB 1386 and the 31 laws it has inspired give us a stream of anecdotes which may, at some point, start to resemble data.
This is why 1386 is good for us, despite being bitter to swallow today.
 Cite after the break.
Computer Security Planning Study,” James P. Anderson, October, 1972:
“In one contemporary operating system, one of the functions provided is to move limited amounts of information between the system and user space. The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine.”