Shostack + Friends Blog Archive


Breach disclosure and Moxie's Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just reiterate that this blog is my personal opinion about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence in some little ways. But what I want to talk about is something that struck me as I listened to Moxie tell the story. He talks about how Comodo’s CEO talks about the attack, and how, in order to prove it was Iran, Comodo released an IP address. That IP address enabled Moxie to discover that someone coming from the same IP address had downloaded his SSLSniff tool, and dragged him down a rabbit hole that led him to create Convergence. It also led him to see some of the search terms that the attacker used, and allowed him to assess their likely skill level.

Let me say that again: the attacker IP address being revealed revived and revitalized the debate about PKI and certificate authorities. Without that, the motivators and even the truth of the claim of clinical Advanced Persistent Cyber Ninja Dudes would have been hard to contest. Without that, we might have believed for a few more years the bizarre hypothesis that Certification Authorities are a useful part of internet trust. With the IP address Moxie was able to test those ideas, and show exactly how flawed they are.

Before I say the rest of what I want to say, let me say that I like Moxie. I think he’s a good guy, does really good work, and I always enjoy talking with him. But Moxie isn’t the “sort of person” who’s going to “fit in” at a London meeting with the Prime Minister. He might not have an easy time getting “read in” for “information sharing programs” operated by people who work for three letter agencies and think that a background check every year is a normal way to live. But we need different perspectives, backgrounds and approaches to learn as much as we can from data. If we limit it to those who “fit in,” then we implicitly limit the perspectives, frames and orientations which are brought to bear.

But let me give the benefit of the doubt to those information sharing folks. They deserve it. Many of them are quite smart and hard-working. Several of the ones I met with recently had really interesting things to say. A fellow named Paul had fascinating things to say about the economics of information sharing–things I hadn’t heard before. And folks like Mudge are getting read in. So perhaps Moxie could get access to those meetings and mailing lists. If he agreed to limit how he distributed information, he might have had access to those 4 bytes of Internet Protocol address.

If we treat that IP address like a nugget of treasure, he’s unlikely to see it, and if he sees it, he may be unable to talk about it. Moxie was able to analyze the attack because the information was published, not shared. Moxie was able to publish his analysis of the attack because the information was published, not shared. Moxie was able to tell a convincing story because the information was published, not shared. And I’m able to talk about and expand upon what he said because (wait for it!) the information was published, not shared.

We need to publish more data about what goes wrong, because when we do, we can share new ideas, let them cross-fertilize and sometimes even converge into progress.

[Update: thanks for the correction, Nicko.]

One comment on "Breach disclosure and Moxie's Convergence"

  • Nicko says:

    Presumably when you say “Moxie was able to share his analysis of the attack”, what you really mean is “Moxie was able to publish his analysis of the attack”…
