Comments on: Disclosure

By: Derek Bambauer

Derek Bambauer — Fri, 03 Nov 2006 21:09:56 +0000

The difficult part here is determining when intermediate steps have been sufficiently played out. How long does one give DHS to fix the problem? (After all, don’t Schneier and Schumer’s warnings count here?) Must one alert every federal agency? Is this an “exhaust all steps” standard or a “reasonable efforts” standard?

These problems hold for most security problems. The difficulties are 1) absent public disclosure, there is often limited incentive to fix the problem (it’s like catching spies – they shouldn’t have been there in the first place, so one receives little credit for it), and 2) proof of concept is important, but revealing such things privately to government agencies may let them quash the report without fixing the problem. Intermediate steps are clearly important, and one should have to deal with this issue in mounting a necessity defense, but I think the risk here is that what we’ve seen in the whistleblower context will be replicated in the security context…

By: William McGeveran

William McGeveran — Wed, 01 Nov 2006 19:57:30 +0000

Becky, I agree with you. As I said, “There may be situations where you must show your audience what you are doing in order to make them believe you.” But I can imagine intermediate steps — perhaps showing your tools to the Dept. of Homeland Security Inspector General — that are still short of posting the tool on the web for other people to duplicate your security breach. Insofar as those alternatives are available, I think it should undermine the sort of defense Derek is proposing.

By: Becky

Becky — Wed, 01 Nov 2006 13:27:38 +0000

Excellent and interesting commentary Derek! As far as Mr. McGeveran’s comments above I have a question of practicality: Would the government actually listen if Soghoian actually stated he could make the boarding passes? How many citizens have warned/ commented/ suggested terrosim methods to the government and been ignored. Maybe his method of drawing attention to the issue was the only reason the government gave it any attention.

By: Neil Wehneman

Neil Wehneman — Wed, 01 Nov 2006 03:21:34 +0000

For those that are interested, I have recorded a twenty-minute “lecture” on the criminal law defense of necessity. It’s from the cases I studied and the notes I took in Criminal Law at Cincinnati. (This is one episode of a larger project recording what I learned in law school.)

The specific episode on necessity is at http://www.lifeofalawstudent.com/article.php?story=crimlaw24. It’s licensed as CC-Attribution and GNU FDL.

– Neil Wehneman

By: William McGeveran

William McGeveran — Tue, 31 Oct 2006 21:13:43 +0000

Fascinating post, Derek!

I’d suggest one possible expansion on the outlines of your suggested defense — one that might make Soghoian’s conduct out of bounds but still allow experts to raise the alarm about security breaches.

The harm in announcing to the world “I can make fake boarding passes” must be less than the harm of then adding: “And I am posting my tools on the web — you can try it at home!” Did he (or should he) have a duty to limit himself to the first?

There may be situations where you must show your audience what you are doing in order to make them believe you. And to be sure, there may still be some harm just in revealing the existence of a security loophole (perhaps outweighed, as you say, by disclosure increasing the likelihood that the loophole will be closed). But, as we alreay know from the world of “white hat” hackers, there are good and bad ways of disclosing security flaws, and I might suggest that mass distribution of your tools falls into the “bad” category, and perhaps it should diqualify you from this line of defense — however noble your intentions might have been.