consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Externalities in their own section, or as subsections? #102

Closed blackswanburst closed 5 years ago

blackswanburst commented 6 years ago

In the standard, we have a nice taxonomy around privacy, security, and safety. However, as it stands we are "user focused", which is how it should be as an entire project. I propose we add a new section though which contains product issues that are not a harm to the owner of the device, but to others, as an externality.

A classic example might be UDP reflection attacks. The misconfigured device is used by the attacker to harm SOMEONE ELSE and the user is usually unaware they need to reconfigure the device to protect others. https://www.cybergreen.net/mitigation/

Any time a user might reply "It works for me." without understanding how the bug impacts other people, would be a case for this section of the standard. Is this worth its own section, or should it just be a subsection of security, privacy, and safety?
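As an added illustration of the externality described above (this is not code from the Digital Standard project or from anyone in this thread), the script below flags a device that is being used as a UDP reflector from NetFlow-style records. The records, the local address 192.0.2.10, the threshold values and the function names are all constructed for the example. The signal a tester would look for is a UDP service on the product that answers unsolicited requests from many remote addresses with replies far larger than the requests: the device's owner sees nothing wrong, while the spoofed addresses receive the amplified traffic.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One flow record: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
Flow = Tuple[str, int, str, int, str, int, int]

# Constructed sample records (not captured traffic). 192.0.2.10 is the local
# device under review; 203.0.113.x and 198.51.100.x are documentation ranges
# standing in for remote hosts. Port 1900 (SSDP) answers tiny requests from
# several sources with large replies, the pattern of a reflection/amplification
# participant. The NTP and HTTPS flows are ordinary client traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.5", 33000, "192.0.2.10", 1900, "udp", 90, 1),
    ("192.0.2.10", 1900, "203.0.113.5", 33000, "udp", 2700, 9),
    ("203.0.113.5", 33001, "192.0.2.10", 1900, "udp", 90, 1),
    ("192.0.2.10", 1900, "203.0.113.5", 33001, "udp", 2700, 9),
    ("203.0.113.9", 40000, "192.0.2.10", 1900, "udp", 90, 1),
    ("192.0.2.10", 1900, "203.0.113.9", 40000, "udp", 2700, 9),
    ("192.0.2.10", 42000, "198.51.100.7", 123, "udp", 76, 1),
    ("198.51.100.7", 123, "192.0.2.10", 42000, "udp", 76, 1),
    ("192.0.2.10", 51000, "198.51.100.20", 443, "tcp", 500, 5),
    ("198.51.100.20", 443, "192.0.2.10", 51000, "tcp", 40000, 30),
]


def is_local(ip: str, local_prefix: str) -> bool:
    """Crude locality test: the device's address starts with local_prefix."""
    return ip.startswith(local_prefix)


def summarize_udp_services(flows: List[Flow], local_prefix: str) -> Dict[Tuple[str, int], dict]:
    """Aggregate UDP bytes, packets and distinct peers per local (ip, port).

    The key is the local endpoint's own port, so a listening service such as
    SSDP/1900 accumulates every request it receives and every reply it sends,
    whatever ephemeral port the remote side used.
    """
    stats: Dict[Tuple[str, int], dict] = defaultdict(
        lambda: {"in_bytes": 0, "out_bytes": 0, "in_pkts": 0, "out_pkts": 0, "remotes": set()}
    )
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto.lower() != "udp":
            continue  # reflection abuse of this kind rides on connectionless UDP
        if is_local(dst, local_prefix) and not is_local(src, local_prefix):
            s = stats[(dst, dport)]
            s["in_bytes"] += nbytes
            s["in_pkts"] += pkts
            s["remotes"].add(src)
        elif is_local(src, local_prefix) and not is_local(dst, local_prefix):
            s = stats[(src, sport)]
            s["out_bytes"] += nbytes
            s["out_pkts"] += pkts
            s["remotes"].add(dst)
    return stats


def find_reflectors(flows: List[Flow], local_prefix: str = "192.0.2.",
                    min_amplification: float = 5.0, min_out_bytes: int = 1000) -> List[dict]:
    """Return local UDP endpoints whose reply volume is >= min_amplification
    times the request volume. Thresholds are constructed for this example;
    tune them to the traffic baseline of the product under test."""
    findings = []
    for (ip, port), s in summarize_udp_services(flows, local_prefix).items():
        if s["in_bytes"] == 0 or s["out_bytes"] < min_out_bytes:
            continue  # nothing received, or too little sent, to judge
        amp = s["out_bytes"] / s["in_bytes"]
        if amp >= min_amplification:
            findings.append({
                "local_ip": ip,
                "local_port": port,
                "amplification": round(amp, 2),
                "distinct_remotes": len(s["remotes"]),
                "out_bytes": s["out_bytes"],
            })
    findings.sort(key=lambda f: f["amplification"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_reflectors(SAMPLE_FLOWS):
        print(f"{f['local_ip']}:{f['local_port']} udp amplification x{f['amplification']} "
              f"to {f['distinct_remotes']} remote addresses ({f['out_bytes']} bytes sent)")
```

The byte ratio alone will also flag a legitimately large-answer service such as an authoritative DNS server, so the distinct-remote count matters: a product that amplifies toward many unrelated addresses it never initiated contact with is the externality case the proposed section would cover, and the usual mitigation is to stop the service answering on the WAN side or to rate-limit its responses.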

digitalstandard-bot commented 6 years ago

Thank you for helping shape the Digital Standard. Addressing privacy, security, and data issues in the marketplace requires a community-driven response.

The partners meet once every 3 months to review pull requests.

Thanks again!

j-br0 commented 6 years ago

I think that most of the elements in the security section apply not just to attacks that compromise the user's information or device functionality, but also attacks that cause the externalities you reference. But I agree that it might be helpful to clarify somewhere in the security section the different types of attacks/damage that we are worried about. But I'm not sure where the best place to do that is.

This also could be in part addressed by looking at individual tests and criteria that may be too user- or information-focused. The criterion for authentication, for example, is "A product has an authentication system that corresponds to the sensitivity of the user data it manages," where perhaps it really should be proportional also to the harm it can do the device itself or to other users/devices.

blackswanburst commented 6 years ago

Thoughtful response, thank you. I need to learn my way around the standard with some smaller commits and additions, then I'll think about some tests for at least DDoS related externalities.

KatieMcInnis commented 5 years ago

Thanks @blackswanburst :) I appreciate the input! I am going to close this issue for now--but we can always reopen it if you have something to suggest regarding a test for DDoS-related-externalities.

We appreciate your feedback!