ESPP at the RSA Conference
At the RSA Conference yesterday, I attended the Experienced Professional Program (ESPP). To attend this event, you nominally had to be invited by the Program Committee. I suspect that their criteria weren’t really that strict. If you had 10 years or more experience in the information security industry and signed up for the RSA Conference (even for just the expo), you were probably automatically invited.
I found one of the ESPP presentations particularly interesting. This was “The Ghosts of Security Past, Present, and Future.” The title of this talk tells about as much about its contents as the titles of some of my blog posts do (not much at all), but it was interesting nevertheless.
This talk could be summed up by the catch-phrase “there is nothing worse than a well enforced bad rule.” The Digital Millennium Copyright Act (DMCA) was used as an example of this, and there was lots of discussion that suggested that the Rockefeller-Snowe bill that’s now being considered by the Senate could be another example of it if it ever becomes law.
The problem with the DMCA is that it makes it very difficult to discuss any security vulnerabilities that you might find. If you find a security vulnerability, the responsible way to handle it is usually considered to have two steps. First, you notify the vendor that makes the vulnerable product. After the vendor has had a reasonable chance to patch it, you then publish your results. According to the lawyers who were on the panel for this discussion, this can get you in legal trouble.
If you do this, you might be threatened with legal action under the DMCA to keep any information about the vulnerability from being published. Instead of informing the vendor, the lawyers recommended that the first step after finding a security vulnerability is to talk to a lawyer about how to handle what you’ve learned in a way that will keep you out of court.
I had to wonder exactly what kind of advice you’d get from a lawyer if you actually did this. In my experience, lawyers tend to mention even very slight risks, sort of like a doctor telling you that any medical procedure could end in your death. That’s why you can get exchanges like this:
You: Should we go out for lunch today?
Lawyer: You should be aware of the risks that can accompany going out for lunch. You could be involved in an accident that results in your death, the death of one or more of your coworkers, or of the driver or passengers of another vehicle.
You: Are you saying that we shouldn’t go out for lunch?
Lawyer: I can’t advise you on how to make that decision. I can only advise you of the possible consequences if you do.
It was interesting that Microsoft was mentioned more than once in this discussion as being an example of a company that tries to handle security vulnerabilities in their products in a reasonable way. Microsoft seems to be more interested in fixing security problems in their products, while other vendors may be more interested in threatening legal action against security researchers.
The authors of the DMCA may or may not have envisioned their legislation being used to threaten security researchers, but that’s apparently where it has ended up. The Rockefeller-Snowe bill also has the potential for unintended consequences. The panelists claimed that this bill would effectively nationalize information security, making every computer in the US one of “national interest” that’s then covered by federal regulations. All panelists thought that this was an extremely bad idea.
The ESPP Program Committee plans to produce a “call to action” document, get feedback from the attendees at yesterday’s session, and then publish the document. This should happen in the next four months or so. This might be interesting to read when it comes out.