Homeland Security demands a 911 for reporting security holes in federal networks: 'Vulns in internet systems cause real-world impacts'

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday ordered US federal agencies outside the defense and intelligence communities to develop a working vulnerability disclosure policy. In an online memo, Bryan Ware, Assistant Director for Cybersecurity at CISA, described …

  1. Imhotep

    I Love Train Wrecks

    I'll be a first responder. My theory is that any network security problem can be resolved by extracting the network cable from the device and a pile of cash from the government.

    I may be becoming an entrepreneur.

    1. amanfromMars 1 Silver badge

      Re: I Love Train Wrecks

      Finding governments that listen to other than themselves is the problem.

      And everyone knows the system just loves the whistleblower because it invariably treats them as a RAT [Remote Access Trojan]

      That realisation and proaction, .... which in extremis has one in real danger of being incarcerated in a penitentiary, wilfully persecuted and even prosecuted in secret behind closed doors/in camera ... if one survives and is not the subject and object of a monumental number of unbelievable blunders which coincidentally, quite conveniently just also proven themselves to be so very helpful in delaying the emergence of particularly enlightening first party evidence ...... is all too often the case not to be true, the abiding unfortunately pervasive and subversive and consistently damaging experience one can expect of governments as they dither and deliberate on matters before bursting forth again onto the greater picture scene to race around like headless chickens and three wise monkeys with the idea of protecting themselves from their own unsavoury or challenging behaviour, thought or language ........ as they profess to save worlds and economies with media moguldoms in tow either as their complicit ignorant following or arrogant leading lackeys, for without that virtual global megaphone are they both practically and virtually as nothing ?

      It does have one a'wondering and a'pondering on who and/or what is thinking themselves in charge of commands and controls running whom and/or what and for why ..... to what glorious end, does it not? And to marvel at its present complex current simplicity.

  2. MJI Silver badge

    911

    Had a drive in one once.

    Not an exciting car in the supercar sense, but so well made.

    1. sitta_europea Silver badge

      Re: 911

      "Not an exciting car in the supercar sense..."

      And the headroom in the back seats was ridiculous! Not even enough for my grandma -- and we used to call her 'lofty' on grounds of her 4'2" stature.

  3. DoctorNine

    The Eye of Sauron Would Like Your Assistance

    The dodgy part comes when the identified security flaw was built-in on purpose, although supposedly 'hidden', and some well-meaning interloper points it out to our helpful Homeland Security forces. What's exactly to prevent that helpful techie from becoming an involuntary guest of Russia for the rest of his or her life for pointing it out?

    I can think of a few examples where the impulse to scruples ended badly.

  4. Mike 137 Silver badge

    "Houston, we have had a problem"

    Except that investigating a vulnerability may well fall foul of the DMCA, so we could have a conflict of interest here.

    Quite apart from which, we're still concentrating on finding foul ups after the fact instead of trying to prevent them happening in the first place. Not a good strategy really. Practically every reported data breach over the last couple of decades has been fundamentally down to sloppy management, rather than primarily due to technical issues. The technical issues typically arise from sloppy management at one or more points on the life cycle.

  5. Mike 16

    Following form?

    I suspect this will end up like the system at [REDACTED], a major network equipment manufacturer, back when I worked there. Any question was answered with "It's on [internal website of all company info]". But of course it wasn't. And the "report problems" link was a mailto: to a no longer existing email address (if that address ever existed). Then the telephone number listed for similar problems/errors rang on the desk of someone who was more than adequately aware of the fact that they were _not_ the responsible party, and had no idea who that might be.

    (And of course given recent news, any report that treads on any toes will be filed in the room with the "Beware of the Leopard" sign.)

  6. s. pam Silver badge

    Don't worry Uncle Sam...

    The grunt work will be farmed out via a big US consulting firm to some small 3rd world country.

  7. BPontius

    What protections will be in place for the poor schmuck who finds one of these problems, then gets charged with hacking a Government system? In order to find vulnerabilities in websites you have to do more than browse through the source code; there is the network, server-side software/hardware, databases, certificates... etc. And how do you differentiate between a white hat and a guy trying to break in? Where do you draw the line?

    1. Anonymous Coward

      Probably if you visit the site by clicking a link from Google or Bing and it spills its entire database to you then you will be fine reporting it.

      If it went wrong after you logged in then it might be a bit dodgier to report.

      If you actually dared to type a new url in the address bar of your browser to make it mess up then you're in trouble.

      If you used the well-known F12 keyboard shortcut to enable and access the incredibly dangerous hacking tool called developer tools to examine or modify requests then you can expect no less than 25 years.
