back to article CIA infosec guru: US govt must buy all zero-days and set them free

Computer security luminary Dan Geer has proposed a radical shakeup of the software industry in hope of avoiding total disaster online. Geer played a crucial role in the development of the X Window System and the Kerberos authentication protocol, and is now the chief security officer of the CIA’s VC fund In-Q-Tel. And during …

  1. Denarius
    Thumb Up

    get that man to Gitmo

    Dangerous, he has ideas and values. His ideas will disrupt the new economy. From the CIA, who would have thunk?

    1. Destroy All Monsters Silver badge
      Thumb Up

      Re: get that man to Gitmo

      Dan Geer always has food for thought.

      Have a gander:

      Polarization (PDF) In: IEEE Security & Privacy, 2014-01.

      Resolved: the Internet Is No Place for Critical Infrastructure In: ACM Queue, 2013-04

  2. Marshalltown

    Remember

    . . . where the internet really began and who released TCP/IP. The 'net may have been a plot from the beginning.

    1. Destroy All Monsters Silver badge

      Re: Remember

      Thats would akin to saying Bush Junior had a plan.

      1. Destroy All Monsters Silver badge
        Headmaster

        Re: Remember

        ITT: One voter who thinks Bush Junior had a plan.

        Come on, he even need to be told there was a connection between Neocons and Israel. Never reading a US broadsheet, how shrub can you get?

    2. Denarius
      Meh

      Re: Remember

      nah, that assumes that these guys can think ahead more than 30 seconds. A decades long plot is beyond any western organisation. Drat this cold. I am spending too much time online because its too cold outside

    3. Anonymous Coward
      Anonymous Coward

      Re: Remember

      I know someone critical to the birth of the cell phone. Their views of where it would go in the future was SOOOO far from today's reality. I can't fathom the creators of the internet having it's current state in mind from the beginning.

  3. Thorne
    FAIL

    Right to be forgotten

    It's a lovely idea but will never work.

    Currently these people have tried and failed to shutdown the sites with the information and have resorted to going after search companies like Google. This is exactly the same as getting rid of a book in a library by removing it's index card from the card catalogue.

    As soon as somebody reindexes, the information is back.

    It's a total waste of time that only benefits lawyers.

  4. dan1980

    Make un-patched software open source is a great idea on the surface of it, but dig a little deeper and you can quickly see a glaring problem - code re-use.

    If large chunks of code are ported across from version to version, is it really abandoned? Perhaps the code that was left out, but how do you isolate that?

    I am very much for a lot of what this chap is saying but an unrealistic goal is worse than none in this instance because it allows the software companies to take the initiative and re-frame the discussion as they please.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      I don't see where the problem is.

      If you built new software from the old, it becomes new software. If you import the old warts, you become responsible for maintaining and fixing them.

      Unless you open source your new product (hopefully not under a Microsoft "open" *cough* license).

      1. solo

        "..If you built new software from the old, it becomes new software.."

        Totally agreed. You should have named it XP 8 and should not have boasted a totally new platform.

        1. Destroy All Monsters Silver badge

          ...and judging from what I have seen so far, a lot of code teams containing interns in senior positions would become liabilities overnight.

          I'm all for it.

      2. dan1980

        @D.A.M.

        The problem that I am seeing - whether it is a big hurdle or not - is that code is intellectual property, at least inside the current legal framework.

        Making software open-source means that you expose that code to the masses. If part of that code is being re-used in new software then that will open up commercial secrets you are currently earning money from.

        In this way, I suppose, it is similar to the way record labels re-release best-ofs and remasters every so often to extend copyright. Note that I am not condoning the practice, just drawing a parallel.

        However, with an album of music, each song can be dealt with individually without much problem and you could release one song from an album from copyright while keeping it on the remaining tracks. With code, this is substantially more difficult as the bits of code that are no longer in use (and thus eligible for release as open source) require other bits of code that are still in use.

        As I said, it's a good idea but the details trip it up somewhat. You'd have to have strict criteria for what software fits the bill and one suspects that, just like music copyright, there would be ways to make sure your software never qualified for release as open source.

    2. Mad Chaz

      Actually, code re-use is a good argument FOR the measure.

      If your cold is old enough you aren't willing to support it, then why are you still using it in the newer product?

      In truth, the whole idea is to force software compagnies to do something all other compagnies have to do, take responsability for the products they offer. By forcing them to re-internalise a lot of the costs of the crap they put out, you make it financially worth it for them to fix it.

    3. Tom 13

      Re: Make un-patched software open source is a great idea. Period.

      My own thought was that at that point you should lose your copyright protection and the code should become public use. But given the way most people treat open source, Stallman and his acolytes are the only people who would argue against it being mere semantics.

      Whether or not a chunk has been abandoned is irrelevant. The monolithic code has been abandoned and it is in the public interest that the monolithic code continue to be supported. Yes, you do need to indemnify the company so that their continued use of a code segment isn't a violation of copyright on the old code, hence my preference for copyright expiration over OSS.

      1. Michael Wojcik Silver badge

        Re: Make un-patched software open source is a great idea. Period.

        Whether or not a chunk has been abandoned is irrelevant. The monolithic code has been abandoned

        OK, now show us how to define "chunk" and "monolithic code" in a manner that is legally useful, fair, and can't trivially be avoided by software authors.

        I like the idea of copyright lapsing on orphaned software, and the source being published, I really do; but it's patently unworkable.

    4. Michael Wojcik Silver badge

      It's an unworkable proposition in any case, because the cost of "maintaining" software can be reduced to nearly zero. Physical property, children, etc are abandoned because they have high minimal maintenance costs (at least in terms of opportunity costs and the like, if we're talking about something that doesn't require active maintenance). A company could "maintain" software indefinitely by issuing an annual vapid update of some sort. There's also the inheritance argument made by other posters - what's to stop a company from saying "this new product is the maintenance release for the old product"? (Try to create a legally useful definition of maintenance that prohibits that while recognizing whatever you consider legitimate maintenance.)

      It would be impossible to regulate what significant maintenance (to prevent abandonment) would entail - the range of software is just too wide - so software could often only be determined to be abandoned by costly litigation.

      The proposal also doesn't work well with a lot of embedded software.

      It's a cute idea, but it would require a massive, hugely complicated, highly fraught regime of software oversight. Ain't gonna happen, and the cure would be worse than the disease.

  5. Anonymous Coward
    Anonymous Coward

    Childish question, read honest

    When I had installed my first software in a PC which had EULA, I had tried to read some of the lines and it was shocking .. "Takes no responsibility.."

    1. MyffyW Silver badge

      Re: Childish question, read honest

      Compare and contrast the EULA for most closed software with the GPL. It's the difference between Joseph Stalin and Thomas Jefferson.

  6. baseh

    The man is right but it costs money and effort

    History teaches that humans remain complacent until a crisis occurs. Then they try to patch the system in an "economical" way. They do it until a real catastrophe happens. Then the whole old system has to be ripped up and rebuilt from scratch.

    All is well for a time until a crisis ....

  7. amanfromMars 1 Silver badge

    Nice One, Dan's the Man. Filthy Lucre doing what it does best and is ignorantly designed for

    Humanity is at a civilizational crux point, Geer said, where meatspace and the digital world are converging with very few controls. He said that unless humans reassert control over the digital sphere and make it work to human rules, humanity will not be able to take back control once code is law.

    Take back control from whom and/orwhat, In-Q-Tel?

    Geer also suggested a new way to stamp out the exploitation of software security vulnerabilities for which no patches exist – dreaded zero-day vulns: the US government should make a standing offer to pay a bug bounty equivalent to TEN times the price companies are willing to pay for the security flaws, and then make them public after a patch has been developed.

    This could go a long way to end inter-state cyberwar and stop common criminals, we're told. No mention of the NSA, of course.

    Such would create, or more accurately legitimately and attractively fabulously reward the extremely intelligent entity able to create and deploy, and autonomously and anonymously both micro and macro manage, inter-state cyberwarfare. And attractively fabulously because such an ability and facility and ubiquitous virtual utility is worth an absolute fortune to companies willing to pay for national, international and internetional security flaws which deliver to them inequitable overwhelming global executive advantage. But hey, is that not the Wild Wacky Western American Dream in the Capitalist Way, and perfectly normal in its own big little perverse and corrupt sort of way?

    However, as for the the need and feed of the flourish ……”and then make them public after a patch has been developed” ……. rather than the intellectual property remaining MkUltra Sensitive TS/SCI and Strictly Need to Know Private Pirate Renegade Rogue Information and Super CyberIntelAIgent, well, that might be best given a rethink.

    1. NumptyScrub
      Go

      Re: Nice One, Dan's the Man. Filthy Lucre doing what it does best and is ignorantly designed for

      Fancy inferring that the CIA might have an ulterior motive for suggesting that the US government run a global bug bounty offering huge money for information on product flaws.

      Honestly, Dan Greer is obviously just thinking of the children / out to punish terrorists and paedos / <insert boogeyman of the day here>, and this information most emphatically would not be used for (industrial) espionage purposes.

      Pfft, perish the thought...

  8. Anonymous Coward
    Anonymous Coward

    So he's asking for two changes

    1) US buys all zero days instead of just some of them

    2) US sets them free instead of using them for itself

    I could see #1, because Congress has an unlimited appetite for giving money to defense and spy agencies with little or no oversight. #2 has no chance in hell of ever happening.

    1. MyffyW Silver badge

      US govt must buy all zero-days and set them free

      The proposal for government to buy 0day exploits and altruistically manage them assumes that government is a disinterested party. As the article said, the chap made no mention of NSA etc.

      As an ideal Dan Geer's proposals have some merit, but it assumes a level of trust we, the people, simply don't have in our governments.

      1. Grikath

        Re: US govt must buy all zero-days and set them free

        I was wondering why this rather critical flaw in the logic wasn't commented on immediately....

        You cannot trust any government with a scheme like this, let alone one that has proven to have a rather cavalier attitude when it comes to civilians' rights. Within a week the first accusations of [government body x] not releasing all acquired data, or retaining data for [nefarious purpose x] will fly. Nationally and internationally.

        And no way to really prove the opposite even if the agency involved was squeeky clean and holier than st. Peter.

  9. msknight

    How about...

    Instead of... "offer to pay a bug bounty equivalent to TEN times the price companies are willing to pay for the security flaws, and then make them public after a patch has been developed."

    ...how about, make them automatically public one month after the purchase, to make damn sure that a patch gets developed in the mean time!

    I know ... I'll get my coat.

  10. asmblur

    I like the way this guy thinks and agree with many of his points but find the proposed solutions unlikely to ever be implemented, at least without being modified severely enough that they would be useless.

    When it comes to buying-up all vulnerabilities, wouldn't this just cause a bidding war and drive up the price of vulnerabilities? It would be nice to think that the government of a major world power could consistently outbid any crime syndicate but I find that hard to believe given how much money/power/etc. is involved in exploitation of certain vulnerabilities and the limitations imposed by government budgeting.

  11. keithpeter Silver badge
    Windows

    Legends...

    "He said that in the intelligence community building plausible false identities is becoming much harder in the digital age and will only get harder. These days it’s a much better solution to steal someone’s identity and use that, Geer opined."

    nanowrimo coming up. Interesting idea that one. LegendOMatic to steal from Le Carre. Ebay for IDs. Have bots manufacturing a social media history for agents.

    1. Anonymous Coward
      Anonymous Coward

      Re: Legends...

      It could make a good story but the problem is that HUMINT is pretty much dead these days with all the major agencies relying almost exclusively on SIGINT. Exceptions include the police, who still illegally infiltrate groups they have been told might at some future point be a threat to somebody important.

      The John le Carré/Len Deighton spy is dead, although to be fair Deighton's world weary bureaucrats were also closer to the reality anyway.

  12. heyrick Silver badge

    this will end computing as we know it

    Somebody should tell this guy that there is something between big commerce and open source.

    How about the army of bedroom coders who release their software for free, but don't want to make it open source? There's quite a few of them around, and applying the same legal liabilities for something given away for free would most likely make them think "sod it", especially if they don't feel (for whatever reason) that they want to make the source available.

    1. DropBear

      Re: this will end computing as we know it

      To be honest, these days I'm quite weary of those exact people - allegedly disinterested enough to let you use their software for free, but not enough to actually let you make proper use of it by also giving you the source ("please let me put my hand into your pocket, I promise I won't take anything! Well, maybe later, just a little bit..."). I prefer to use as few such 'gifts' as I can (as opposed to fully open source ones), so as far as I'm concerned, good riddance...

    2. NumptyScrub
      Happy

      Re: this will end computing as we know it

      quote: "How about the army of bedroom coders who release their software for free, but don't want to make it open source? There's quite a few of them around, and applying the same legal liabilities for something given away for free would most likely make them think "sod it", especially if they don't feel (for whatever reason) that they want to make the source available."

      If those bedroom coders have performed rigorous security testing, and write code taking basic security principles into account, then there is no issue. If they are unaware or unwilling to, then I think I'd rather they do say "sod it I won't bother", as it cleans up the install base for those functions to software that is either open source (and vetted) or proprietary and properly tested.

      Just as some bedroom coders are exceedingly skilled and conscientious, some are writing their first Hello World app and then vanity publishing it, without even considering input validation, ASLR or other techniques that help mitigate potential exploits. Discouraging insecure development is a pre-requisite of making computing a more secure place, and any bedroom coder worth the name won't begrudge putting the extra effort in to learn how to do it properly, IMO ;)

      1. heyrick Silver badge

        Re: this will end computing as we know it

        " proprietary and properly tested "

        You must be talking about Microsoft.

        No? Maybe you are talking about Flash?

        Adobe Reader?

        Or...? Ubuntu? Android? iOS? Everything has patches and updates to correct errors (and sometimes, to introduce new ones!).

        If the big companies have to provide regular patches for the same sorts of flaws (buffer overrun and failing to sanitise inputs), isn't it a bit rich to expect a non-pro part time coder to turn out something better? If in doubt, refer to OpenSSL for an example of the supposed specialists getting it wrong, and to WPS for an example of a protocol broken from the outset. Software is a very complex thing with zero tolerance for mistakes, created by creatures who are imperfect and make mistakes. I disagree that we the populace should serve as an army of beta testers, but likewise I think expecting absolute perfection is a dream...

    3. amanfromMars 1 Silver badge

      This will begin computing as IT should be? Or as the Few can Phorm IT? :-)

      Somebody should tell this guy that there is something between big commerce and open source. .... heyrick

      The Danegeld Route Root though, as crazily rewarding and exciting as it is, is not something for everyone or anyone who hasn't done a minefield of crash testing, heyrick. But then highly specialised and potentially unique and original have always been naturally prized and much sought after.

      1. heyrick Silver badge
        Happy

        Re: This will begin computing as IT should be? Or as the Few can Phorm IT? :-)

        "or anyone who hasn't done a minefield of crash testing, heyrick"

        amanfromMars 1 name dropped me! Whoo-hoo!

  13. DropBear
    Mushroom

    Oh, and just one more thing...

    ...I kinda have a problem with any suggestion of artificially enforced end-of-life for a product. If I'm able and willing to put up with using the same worn, ageing thingie my entire life, nobody has the right to tell me I don't get to do that, period.

    1. Anonymous Coward
      Thumb Up

      Re: Oh, and just one more thing...

      Yes, it is rather nice.

  14. hplasm
    Thumb Up

    "There are only two industries that have no liability problems he said – religion and software-

    – and this needs to change for the coding community."

    Change for both would be even better

  15. Anonymous Coward
    Anonymous Coward

    We'll know soon enough

    Geer's ideas are an interesting blend of old-fashioned capitalist market economics and ... common sense. Can't wait to hear/read his full remarks. Whether it will actually have legs is dependent on a lot of factors, but it seems like the trend in tech is that individuals at the bottom will continue to gain more power as the tech itself becomes more capable. Of course even if we see courts (and legislatures) holding publishers responsible for bad software and withdrawing of legal protection for abandoned code, it's not likely to happen in an orderly way. In fact it will probably come about as the result of public pressure and civil disobedience -- which is something that's already been building for at least 2 decades. One indicator of the direction the wind is blowing will be the outcome of the current campaign to further spread the reach of the DMCA via the latest round of Trans regional "Partnership" treaties over the next few years. It will be an interesting ride.

  16. Clive Galway

    If you start a policy of buying all zero days and making them public...

    ... the price would go up. Probably exponentially. Supply and Demand and all that.

    If the person who discovers it can now only charge once, he's gonna make damned sure to get the most out of it.

  17. Michael Wojcik Silver badge

    Software liability is not a new idea

    "Software houses will yell bloody murder and pay any lobbyist they can to scream that this will end computing as we know it,” he said.

    Well, yes, of course. Publicly-traded companies have a fiduciary responsibility to oppose burdensome regulation, unless they have reason to believe it will give them a competitive advantage. Doesn't mean it's not a good idea, but blaming software vendors for opposing it is more than a little disingenuous. This is precisely why we have governments - to force people to do things they'd rather not.

    In any case, the idea of software liability is a old one, and has been vigorously debated by the IT security community. Schneier used to talk about it a fair bit, and there have been some interesting discussions of it on his blog.

    1. Christian Berger

      Re: Software liability is not a new idea

      Yes but apparently his point is that if you have software where you can "remove features you don't want", i.e. open source software, you aren't liable. This makes it very feasible as there is no reason for not distributing your source code anymore, except for malware.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like