Jennifer Granick's awesome explantion
Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.
I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired.
The same can be said of sweeping breach information under the rug. We’re better off if we talk about it.
Wow. That is a keeper.
Perhaps someone should patent “buying up stuff that makes your patented technology look bad” as a business process.
Actually, the tobacco companies *do* hold many patents on testing devices and they *have* protected their IP. And with no impact on scientists’ ability to test for health effects using many other techniques. (See, e.g., http://news.bbc.co.uk/1/hi/health/background_briefings/smoking/289211.stm).
It may sound good, but it doesn’t hold up with even the tiniest bit of skeptical inquiry. I can understand the reticence in doing the two minutes of research it took me to find the reference above, since the original statement is not intended to be accurate – it is simply there to sound good and be biased.
Pete,
What you say may sound good, but it doesn’t hold up even with the tiniest bit of skeptcal inquiry. That page lists 57 patents for reducing potentially harmful substances, not for measuring the health effects of smoking.
@Adam –
Touche. Glad you agree that “sounding good” is not enough. So, what kind of research did you do to support the veracity of Ms. Granick’s claim?
Would you care to place a bet that the tobacco companies actually DO have one or more patents on devices to measure the (good or bad) health effects of tobacco?
Or, are we better off assessing the value of security research on its own merits? Care to provide your best argument in support of security research? Analogies are great for E.T. moments, but not so good for objectivity, eh?
Pete
1) I believe Ms. Granick is a competent attorney who has done her homework on issues of patents and restraint.
2) There are many allegations that ‘big tobacco’ did all sorts of things to suppress, counter, or belittle research into harms associated with smoking through 1960 and 70s. A great deal of that has come out in trials, books, newspaper reports, etc. I’ve never heard any allegation that patents were part of that.
3) Proving something never happened is impossible. You could cause quite a stir by showing any patent threat. Please feel free to show that I was over-eager in my posting.
Adam
Pete:
We’ve discussed academic papers that analyze the social welfare characteristics of different disclosure regimes several times here at EC. If you want to claim that society would be better off w/out such disclosures, you are welcome to. You take it too far, however, if you say that the burden of proof is on proponents of the status quo to show why it is better than some possible world that exists (possibly only) in your head. Maybe you’re right. Prove it. Every paper I have seen, except maybe one, says you aren’t, but I have an open mind.
Ah, the good old days of high school debate (not meant to be insulting to Chris, Adam, or Pete). The “burden of proof” versus the “burden of rejoinder”.
The burden of proof usually lies with the “affirmative” side, which seeks to make a change and a plan for change, while the “negative” side holds the burden of rejoinder, which generally either says no change is needed or offers a counter-plan to the affirmative’s proposed solution.
Then again, I only did debate for the hotties, so VMMV.
@Adam – I was trying to get you out of superficiality-heartstring land of analogies and into a real discussion on the merits or problems of security research. I sense you are sticking with your tobacco thingy as the clearest explanation of why threats to security research are bad. Which is telling in itself.
@Chris – are you talking about disclosure of breach information or disclosure of vulnerability/attack information? If the former, I generally agree that breach disclosure is beneficial – in fact, there are so few actual cases of fraud, and people react so strongly that I think it is more likely that breach disclosure makes us *more* secure than status quo.
If you are talking about the latter, or the strict limited subset of research involving patents as discussed here, the evidence of excessive cost with little to no real benefit (see Rescorla’s “who cares?” and even Ozment’s “milk or wine?” if you constrain the life of software and Geer’s monoculture paper for how patching makes systems more complex and more insecure).
Don’t mean to troll your blog, so this will be my last comment, at least on this entry 😉
Pete
Pete:
I mean disclosure as in “full disclosure mailing list” or “responsible disclosure”.
Rescorla’s is the one paper I was thinking of.
You only have to agree not to troll if you stop allowing comments on your blog. :^)
Pete,
I’ve been talking about disclosure issues for a dozen years. It gets boring.