Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Black Hat keynote: U.S. should buy up zero day attacks for 10 times going rate

Tim Greene | Aug. 8, 2014
Las Vegas -- The U.S. government should pay 10 times the going rate for zero-day software flaws in order to corner the market and then make those vulnerabilities public to render them less potent for attackers, Black hat 2014 attendees were told yesterday.

Another suggestion that aimed again at software vendors would make vendors liable for damage their products cause to customers who use them normally. That means legislators and courts would have to sort out what normal means, but it would end the vendors' getting a free pass for bad software, he says.

Vendors would be allowed to duck that liability if they made it possible for customers to turn off whatever pieces of the software they choose to as part of the licensing agreement. That wouldn't allow them to modify the code, just cut out parts of it they deemed unnecessary or that they just didn't trust, Geer says.

His proposal would let consumers protect themselves without violating software vendors' copyrights, he says, but "software vendors will yell bloody murder."

Geer says embedded software in common Internet devices such as home routers and sensors should either include remote management interfaces or have a limited lifetime. That way holes discovered in their software could be patched remotely via the management interface. If there is no management interface, the limited lifetime would ensure that the flaws would eventually be removed when the devices hit their end of life.

Geer addressed the issue of Net Neutrality by offering ISPs the right to charge more for faster services but only in return for accepting responsibility for the content they transport on their networks. ISPs that didn't take up the offer could still operate as common carriers providing a single level of service with a common price but without having to accept responsibility for the content of the traffic.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.