Chinese perspectives on disclosure

With the recent discussions, blog postings, whining, finger pointing, and characterizations that have once again sparked the never-ending vulnerability disclosure debate, and earned it a lifetime achievement award as the security industry’s most useless topic, I thought I would share some time I spent with some Chinese friends during my travels through SE Asia.

What I was shown was the most active and open distribution of malware, kits, and exploits I have ever witnessed. I will refrain from the details but considering the perceived insular nature of China and the openness of the US, I can tell you from the sharing of knowledge perspective we are way behind.

I asked some questions about disclosure and was met with puzzled looks and shaking heads. It reminded me of a conversation I had with a Ukrainian programmer friend of mine. I was recalling how during my childhood and at the peak of the Cold War (at least in my era, I was not around during the Cuban missile crisis) the schools would run bombing drills – air raid sirens would bellow and we would be instructed to move quickly, but judiciously, towards the shelter of our cheaply built wooden desks. I asked my friend if they experienced similar drills in the Ukraine – same puzzled look, same head-shaking, and then laughter as he said “Wow, were the desks made of adamantium? In the Ukraine we would practice running to the nearest bomb shelter.” The Ukraine was one of the major weapons manufacturing centers for the USSR, so he also told me as kids they played with hollowed out tanks and decommissioned and non-firing AK-47s – that would have been cool – but I digress.

You didn’t have to be a nuclear physicist or a demolitions expert or even have beyond a first grade education to know that if a nuclear bomb was launched and exploded anywhere within a state or two of the school, the cheap wooden desks with wobbly aluminum legs would have done nothing, but we went on running the drills anyway.

I am pretty sure that the “sharing” is the same in Russia, Brazil and throughout the non-English speaking world (except for France). So if most of the world has a policy of sharing security information, regardless of their political, economic, or social position and we are adamantly caught up in the “drama” of disclosure, you have to ask the question – is it working?

2 thoughts on “Chinese perspectives on disclosure”

  1. This really raises some interesting points on their censorship vs disclosure model and the aggregate effects their open-ended underworld’s innovations in subverting product security checks.

    I am overly concerned more so about the Chinese government’s lack of public response to the continuing development of software which can backdoor certain brand name products. Even reading Jon Longoria’s article @ I am beginning to understand the level of contempt that the government has for outside prying eyes, its thumb on the people and the struggle that knowledge share (and inherently proactive protection) is having in that region.

  2. Pingback: china, disclosure, and malware |
