[Cryptography] Fwd: SANS NewsBites Vol. 19 Num. 020 :Industry to Government: "Share More"

Tom Mitchell mitch at niftyegg.com
Mon Mar 13 21:43:38 EDT 2017


On Fri, Mar 10, 2017 at 10:45 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>
> The following complaints are entirely compatible with the idea that the Three Letter Agencies have decided that there is more advantage in maintaining security flaws in commercial systems so they can be broken than in having them fixed so US organizations are protected.
>
> Cheers - Bill

Interesting...
Companies have learned and often need to be reminded that holding data like credit card data and other data that might be used to facilitate identity theft is a very large liability, when some years back it was considered an asset.

In the context of national defense each exploit is also a national weakness and liability. Such things are double-edged weapons ill suited for defense. Some exploits might be easy to catch by canary systems. If the source of the bug info and detection was easy and was not discovered from a public source, one might argue that it can be held. Such bugs that can be reliably detected by canary systems might have value to TLAs.

The double-edged risk perspective also supports a fix-it deadline in reporting policy, i.e. this is bigger than MS vs. Google. Both are international companies, so a global view may apply.

Reporting the bug to multiple responsible systems in multiple jurisdictions at the same time might help to keep the discoverer from being subject to a secret silence action. A trick is finding multiple responsible systems and individuals.

Serious bugs require serious consideration.

 --
  T o m    M i t c h e l l
