Here's what I’m reading this week:
- A contrary voice: Would increased vulnerability disclosure really help?: The debate about the Vulnerability Equities Process – the internal process through which the US Government decides whether to disclose known vulnerabilities – has only picked up speed since #WannaCry and #notPetya became object lessons in criminals repurposing exposed vulnerabilities. Rick Ledgett’s piece in Lawfare last week makes some strong points (“no single set of actions will solve the problem” is a good reminder that much of the fallout from recent disclosures was a result of failure to quickly secure systems – not the rapid weaponization of a 0-day). It also relies on some weaker arguments (the claim that criminals could simply have used other vulns if the recent disclosures hadn’t happened misses the point that having fewer exposed vulnerabilities makes them more expensive to obtain and could drive up the cost of crime). But its most valuable contribution is to offer a contrasting point of view to most other voices in the public debate today.
I'm reading: "No, the U.S. Government Should Not Disclose All Vulnerabilities in Its Possession"
- “So, people hire you to break into their places … to make sure no one can break into their places?”: There’s nothing more evocative (or useful) in security than a good pen test. Most pen tests stay secret – known only to the operators and their employers. But every now and then there’s one you can read. This week, @HydeNs33k posted a recap of one of her pen tests on Twitter. Let’s just say it’s a worthwhile read, and it would be quite the page turner if there were pages to turn...
I'm reading: "Pentest from this morning in 3-2-1..."
- How the private sector can come together to tackle cybersecurity: There are few people who’ve had a more central role in cybersecurity strategy and policy over the last six years than Michael Daniel, top cybersecurity advisor in President Obama’s White House. Recently, he sat down for an interesting interview with Technology Review. It’s a good read to see cybersecurity perspectives from the government imported into the private sector.
I'm reading: "We're Thinking About Cybersecurity All Wrong"
- If you could turn back time … : South Korea is developing an alternative to GPS for ship-based navigation that relies entirely on earth-based connections. The goal is to provide backup for the increasingly fragile-seeming GPS system, which powers more navigation around the world than ever before, and seems more exposed with each new discovery and every passing week. This is far from the only example of increasing cyber-threat pushing institutions to consider alternatives, but this isn’t just an effort to turn back the clock to older systems. Instead, the goal is to innovate a new platform on top of an alternative technology that is better suited to weather the kind of network intrusions that are becoming increasingly common today.
I'm reading: "Cyber threats prompt return of radio for ship navigation"
- “The Weapons of the Geek” and the rise of hacker politics: A longer read for one of those few remaining lazy summer days – Gabriella Coleman on how to understand “hacker politics” and what it means for political engagement and public debate today.
I'm reading: "From Internet Farming to Weapons of the Geek"