SoylentNews is people
SoylentNews
Ars Technica UK has an informative article about how zero-day vulnerabilities are actually used in practice, who buys them, and the state of the zero-day market cum regulations.
How do you defend yourself against the unknown? That is crux of the zero-day vulnerability: a software vulnerability that, by definition, is unknown by the user of the software and often its developer as well.
Everything about the zero-day market, from research and discovery through disclosure and active exploitation, is predicated upon this fear of the unknown—a fear that has been amplified and distorted by the media. Is the world really at threat of destabilisation due to lone-wolf hackers digging up vulnerabilities in popular software packages and selling them to whichever repressive government offers the most money? Or is it just a classic case of the media and megacorp lobbyists focusing on the sexy, scary, offensive side of things, and glossing over the less alluring aspects?
And then what about legislation and regulation of zero-days? In most countries, there are scant legal mechanisms for discouraging or punishing the discovery of new zero-days. There are even fewer laws and directives dictating how zero-days should be responsibly disclosed. It isn't that lawmakers aren't aware of these problems, it's just that there isn't an easy solution. How do you craft a law that allows some research groups to keep on digging for vulnerabilities while at the same time blocking the black hats? What if the government's idea of "responsible disclosure" means disclosing all vulnerabilities to GCHQ or the NSA?
Recently, Europe began discussing how best to interpret the Wassenaar Arrangement—an agreement between 41 countries that was originally designed to limit the proliferation of physical, military weapons to non-desirables—when it applies to the proliferation of surveillance software, intrusion tools, and zero-day software vulnerabilities. In the US, the Senate is set to vote on the Cybersecurity Information Sharing Act as soon as today [20 Oct]. The legislation would expand the Computer Fraud and Abuse Act to include security research. The US is trying to decide how to interpret Wassenaar when it comes to the exporting of intrusion software and zero-days too.
(Score: 2, Interesting) by chrysosphinx on Thursday October 22 2015, @06:45PM
CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION
Article 13 Freedom of the arts and sciences
The arts and scientific research shall be free of constraint. Academic freedom shall be respected.
At least in my country (Czech Republic) the Charter has been accepted by Constitution, (article 112 I guess), so it is constitutional right to research anything here.