Wednesday, February 27, 2008

The Laws of Full Disclosure

I added a really interesting article (from Security Focus) to my Interesting News feed. If you are new to my Blog or News Feed, please check it out. I add stories/content I find interesting.

The Article: The Laws of Full Disclosure

Summary: A Security Focus contributor researches the legality of disclosing vulnerability information to the public in twelve European countries.
  • Belgium - Illegal with Conditions - Illegal if full disclosure of vulnerability information is proved to have caused harm to the vendor, is proved to have been written for the sole purpose of an intrusion (hacking), or is proved to be a breach of an employment contract/non-disclosure agreement.
  • Denmark - Illegal with Conditions - If you are an employee or contractor for the software development company, vulnerabilities are considered "trade secrets". Releasing detailed instructions to exploit the vulnerability can be considered "assisting in a crime." A competing software company would be fined for releasing such information.
  • Finland - Proof of Concept Illegal with Conditions - Concept code can only be prepared for a CERT.
  • France - Mostly Legal - Only illegal when you use the attack or share confidential/proprietary information.
  • Germany - Legal
  • Greece - Legal
  • Hungary - Legal with Conditions - If the information you release is incorrect you can be held liable for damages. It cannot violate patent or copyright clauses.
  • Ireland - No Laws - Having "tools" that can result in an intrusion could be a crime, but disclosing vulnerabilities is an uncharted area.
  • Italy - Legal with Conditions - You cannot decompile code, unless working on interoperability.
  • Poland - Legal
  • Romania - Illegal with Conditions - Illegal if the information is used in an intrusion. In addition, writing exploit code is illegal.
  • UK - Legal
Four out of the twelve countries have laws that make it illegal to release vulnerability/security information. Three enforce restrictions on the disclosure. That leaves only four countries that allow disclosure freely, with the last country (Ireland) being neutral.

Comments: This article causes me great concern. I find it absurd that in the year 2008, with the average person starting to think about security, we would be limiting research. Obviously the only way to secure software is to test it, and then release the information you find. If they disallow people from disclosing the information, the vendor may never know about the issue, let alone fix it! If they do allow disclosure to the vendor but not the public, then you run into the issue of vendors ignoring security concerns, or worse, the users never knowing they're at risk. Reasonable Disclosure versus Full [Public] Disclosure has been a debate in the security community for all of time, and both have a time and place, but outright criminalizing disclosure and research is insane. I really hope these laws are reviewed.

Leave your comments in the comment section, and if you feel so inclined (and live in one of these areas), contact your government and let them know your concerns.

Google Reader and Interesting News

Get all your news and blogs in one place with Google Reader

With Google Reader, keeping up with your favorite websites is as easy as checking your email.

  • Stay up to date - Google Reader constantly checks your favorite news sites and blogs for new content.
  • Share with your friends - Use Google Reader's built-in public page to easily share interesting items with your friends and family.
  • Use it anywhere, for free - Google Reader is totally free and works in most modern browsers, without any software to install.

I started using Google Reader over a week ago. I more or less grew tired of re-adding all of my "feeds" to each "feed reader" I sit in front of, or re-emailing myself my OPML file each time I make a change. An online reader seemed to be a happy solution to this problem, allowing me to view all of my news feeds no matter where I am (even on my Blackberry).

There are a handful of them out there, and in the past I have used a few others. But this was the first time I really made an honest attempt. And Google takes the cake (in my opinion). I highly suggest everyone check it out.

Here is a list of features I really enjoy:
  • Feed Recommendation (At first it was annoying, but as I started "starring" content, it became rather fun to look through the recommendations)
  • Feed Browsing (You don't even need the RSS URL, you just search for the feed by name, site, content, etc.)
  • Sharing and Starring (You mark content as starred much like emails in Gmail; this allows me to then share the content almost like Digg and other social news sites, the difference being that I control the content)
  • Friends (Allowing you to keep track of news your friends find interesting has really never been easier)
  • Trends (Structured Analysis of your News Reading and Feeding activities)
  • Offline Mode (Allowing you to view content, without updates/connectivity)

I would also like everyone to check out my "Interesting News Feed" which provides news I find interesting. It is published through Google Reader and includes an RSS feed, in case you want to keep an eye on my findings. In addition, I'll publish blog posts about the really interesting news articles and pass along my two cents.

Interesting News and Feed


Blogging - Yeah Right!

Hello Universe...

As I stated in my first post (which was published almost a year ago), I'm not very consistent with blogging.

But, at least I keep trying! So here goes...