67,100 research outputs found

    A Case Study on Software Vulnerability Coordination

    Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: [...

    Vulnerability reduction of infrastructure reconstruction projects

    Various infrastructure segments of numerous countries have been repeatedly subjected to natural and man-made disasters. A potential reason for damage to infrastructure facilities and their services is the disaster risk that results when natural or man-made hazards connect with vulnerable infrastructure facilities and vulnerable communities. The simplest way to prevent or mitigate disaster losses is addressing vulnerabilities. The main study on which this paper is based aimed at exploring and investigating the vulnerabilities of infrastructures and of the communities benefiting from them, and possible solutions to overcome them. This paper presents the literature review conducted on vulnerabilities of infrastructures and the empirical evidence collated on the best possible DRR strategies to overcome such vulnerabilities. The main study was conducted using a case study strategy and expert interviews. This paper is entirely based on the data collated from the expert interviews conducted in Sri Lanka and the United Kingdom. The expert interviews discovered various DRR strategies to overcome the vulnerabilities of the infrastructure project

    Coordination in Network Security Games: a Monotone Comparative Statics Approach

    Malicious software, or malware for short, has become a major security threat. While originating in criminal behavior, its impact is also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. In this paper, we focus on the question of incentive alignment for agents of a large network towards better security. We start with an economic model for a single agent that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover, alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy.
    Comment: 10 pages, to appear in IEEE JSA

    Trade-offs Between Water Transport Capacity and Drought Resistance in Neotropical Canopy Liana and Tree Species

    In tropical forest canopies, it is critical for upper shoots to efficiently provide water to leaves for physiological function while safely preventing loss of hydraulic conductivity due to cavitation during periods of soil water deficit or high evaporative demand. We compared hydraulic physiology of upper canopy trees and lianas in a seasonally dry tropical forest to test whether trade-offs between safety and efficiency of water transport shape differences in hydraulic function between these two major tropical woody growth forms. We found that lianas showed greater maximum stem-specific hydraulic conductivity than trees, but lost hydraulic conductivity at less negative water potentials than trees, resulting in a negative correlation and trade-off between safety and efficiency of water transport. Lianas also exhibited greater diurnal changes in leaf water potential than trees. The magnitude of diurnal water potential change was negatively correlated with sapwood capacitance, indicating that lianas are highly reliant on conducting capability to maintain leaf water status, whereas trees relied more on stored water in stems to maintain leaf water status. Leaf nitrogen concentration was related to maximum leaf-specific hydraulic conductivity only for lianas suggesting that greater water transport capacity is more tied to leaf processes in lianas compared to trees. Our results are consistent with a trade-off between safety and efficiency of water transport and may have implications for increasing liana abundance in neotropical forests

    Open Source Innovation, Patent Injunctions, and the Public Interest

    This Article explores the difficulties that high technology markets pose for patent law and, in particular, for patent injunctions. It then outlines the ways in which “open source innovation” is unusually vulnerable to patent injunctions. It argues that courts can recognize this vulnerability, and respond to the particular competitive and innovative benefits of open source innovation, by flexibly applying the Supreme Court’s ruling in eBay v. MercExchange. Having dealt with the lamentable failure of the International Trade Commission to exercise a similar flexibility in its own patent jurisprudence, despite statutory and constitutional provisions that counsel otherwise, the Article concludes with some recommendations for reform

    Comparative analysis of spring flood risk reduction measures in Alaska, United States and the Sakha Republic, Russia

    Thesis (Ph.D.) University of Alaska Fairbanks, 2017
    River ice thaw and breakup are annual springtime phenomena in the North. Depending on regional weather patterns and river morphology, breakups can result in catastrophic floods in exposed and vulnerable communities. Breakup flood risk is especially high in rural and remote northern communities, where flood relief and recovery are complicated by unique geographical and climatological features, and limited physical and communication infrastructure. Proactive spring flood management would significantly minimize the adverse impacts of spring floods. Proactive flood management entails flood risk reduction through advances in ice jam and flood prevention, forecasting and mitigation, and community preparedness. With the goal of identifying best practices in spring flood risk reduction, I conducted a comparative case study between two flood-prone communities, Galena in Alaska, United States and Edeytsy in the Sakha Republic, Russia. Within a week of each other, Galena and Edeytsy sustained major floods in May 2013. Methods included focus groups with representatives from flood managing agencies, surveys of families impacted by the 2013 floods, observations on site, and archival review. Comparative parameters of the study included natural and human causes of spring floods, effectiveness of spring flood mitigation and preparedness strategies, and the role of interagency communication and cooperation in flood risk reduction. The analysis revealed that spring flood risk in Galena and Edeytsy results from complex interactions among a series of natural processes and human actions that generate conditions of hazard, exposure, and vulnerability. Therefore, flood risk in Galena and Edeytsy can be reduced by managing conditions of ice-jam floods, and decreasing exposure and vulnerability of the at-risk populations. 
Implementing the Pressure and Release model to analyze the vulnerability progression of Edeytsy and Galena points to common root causes at the two research sites, including colonial heritage, unequal distribution of resources and power, top-down governance, and limited inclusion of local communities in the decision-making process. To construct an appropriate flood risk reduction framework it is important to establish a dialogue among the diverse stakeholders on potential solutions, arriving at a range of top-down and bottom-up initiatives and in conjunction selecting the appropriate strategies. Both communities have progressed in terms of greater awareness of the hazard, reduction in vulnerabilities, and a shift to more reliance on shelter-in-place. However, in neither community have needed improvements in levee protection been completed. Dialogue between outside authorities and the community begins earlier and is more intensive for Edeytsy, perhaps accounting for Edeytsy's more favorable rating of risk management and response than Galena's