Petition: make it safe to report security flaws in computers




Can we broaden the scope? It should never be against the law to speak the truth about any subject.


I would amend a “when it can be learned just by looking” to that. There are scenarios where information that is genuinely hard to get should remain hard to get, but this is clearly not one of them.


Recently I viewed a presentation given at one of the old Defcon conferences.

Creating an A1 Security Kernel in the 1980s

In which the presenter explains how he designed a “provably secure” operating system for the military/NSA. Kind of a nostalgia trip for his audience, perhaps. Anyway, at one point, he described how fixing bugs on NSA computers involved enlisting a confederate in academia to duplicate the bug on their non-classified system, so that non-cleared programmers at the vendor would be able to develop a fix that coincidentally resolved the NSA’s problems…


“Truth” is a bit problematic, in that oftentimes it depends on perspective, and proving un-truth can come down to trying to prove intent.

To unpack that a bit; it’s perfectly reasonable to suppose two people say exactly the same objectively untruthful thing (“This water cures cancer!”, or more on topic “This flaw compromises security!”). The difference between them is that Toni genuinely believes that the water will cure cancer (or the flaw affects security), whereas Stef knows that the water is just water (and the bug just affects the appearance of the UI), and is consciously using information arbitrage to spread FUD or make money.

But they both said exactly the same thing.

Which is why, I suppose, freedom of speech is kinda important, and punishing actions (i.e., fraud in the case of Stef) is more useful than trying to get into pre-crime. Unfortunately, on the one hand actual free speech has been biffed out the window (DMCA and CFAA), while on the other hand functional free speech has been biffed out the window (Citizens United).


Liked for “biffed”

