ZDNet UK


Skip to Main Content

  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Full disclosure: The only protocol for net security

Leader ZDNet.co.uk

Published: 27 Aug 2008 13:37 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment
Full disclosure: The only protocol for net security

It can be hard in business to distinguish between greed, laziness, incompetence and wilful ignorance.

One or more of these is better than any technical analysis in explaining the latest 'worst internet threat', revealed at the DefCon hackers' conference in August. The flaw is that BGP, the Border Gateway Protocol used to route inter-ISP data, can be hoodwinked into sending traffic through a unauthorised third party, potentially delivering enormous amounts of traffic to snoopers — or cutting it off altogether.

That's bad enough. What's worse is that the vulnerabilities in BGP have been known for many years, and that security analysts have already spent much time at the highest levels trying to get the problem recognised and addressed. There are fixes available, as well as longer-term strategies towards inherently more secure systems, but they take co-operation, time and money. To date, the ISP industry has declined to make that investment.

Which leaves just two paths to getting this fixed. One is for public disclosure to shame the ISPs into taking action, effectively putting commercial pressure on them. The other is to wait for disaster, recrimination and reform. The latter, called gravestone regulation in the aviation industry, is in every case the worse option.

When the proper authorities know of a problem and decline to fix it, full disclosure is the only moral option. Ideally, it becomes the weapon too terrible to use — the threat alone should be enough to cause action.

That is why the right to full exposure should be legally guaranteed, protecting researchers from the threat of disruptive injunction providing proper procedures are followed. We are loath to call for new regulations and new responsibilities, but in the absence of any alternative and in the face of real danger they become the only safeguard against foreseeable disaster.

Full disclosure isn't just a good idea. It should be the law.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
113 out of 113 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:







Related Jobs

Financial Software House seeks Senior Java Developer for Product team

Senior Engineer

Customer Services Planner / Inbound Contact Centre / Customer Service

Sentry Posts Blog

The Technological Singularity

Are we approaching a point when machines may wake up and become self or seemingly self aware? Vernor Vinge in 1993 seemed to think so. He refered to this event as the "technological... More

1 comment

Mobile Operating Systems: MOPS At a Gl...

Mobile Operating Systems: At a Glance Author: Eric Everson, Founder MyMobiSafe Since posting my blog exposing the security Google G1 security issue, I have received a few emails... More

Post a comment

Met Police catch test cheats

I saw the funny side of this press release, I can just imagine the two people sitting in the car giving the answers to the questions. Why they had wires running from under the bonnet... More

Post a comment

Featured Oracle Resources

Human Resources Management eBook

Supply Chain Management eBook

Design and Innovation Report

Economist Intelligence Unit Report - Technology and growth at mid-sized companies

See All White Papers