Dailydave mailing list archives
The Loya Jirga of Vulnerability Disclosure: RESULTS
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 1 Oct 2015 11:52:33 -0400
Tuesday was a live streaming meeting hosted by NTIA in Berkeley, about the process of "Vulnerability Disclosure" and how it can better work for everyone. It was on the West Coast because that's where the people the Commerce Department wanted to have at the table were, largely. Oracle, Microsoft, Facebook, Google, Juniper, SAP - the list goes on and on. But also, the parallels to our efforts in Afghanistan go on and on too. Sometimes getting everyone in a room for more discussions can solve problems - and the "Multi-stakeholder approach" the Commerce Department is using is exactly that. Surely over lamb stew, you can talk some of this out? But like we wandered into Afghanistan, without speaking the language or knowing the history or the people, the Commerce Department discussions meandered in a full circle all day until the only agreement was to have another meeting in DC later this year.

Josh Corman of I AM THE CAVALRY has an extremely polished point: it took fifteen years for Microsoft and Google to reach this point in the disclosure process, where they realized suing people for sharing information was a bad idea. Car companies can't take that long and hope to survive. That's great, but not actionable in any real way. It's not like there's a real dearth of information on the subject available.

It's also clear that yes, there is a hope that there is a way out of the "Weev Problem". And that problem is this: is there any way to say which releases of vulnerability information are "valid" and which are "invalid" and only send prosecutors and FBI agents out to beat the snot out of the "Bad people doing invalid vulnerability disclosures which violate community norms"? As much as the Commerce Department and various parts of industry wish this were true, it is not true. More talking and multi-stakeholder meetings are not going to make it true.
And after getting ambushed by the Commerce Department at Wassenaar, everyone comes to every meeting with body armor and grenades. You can't both refight the Crypto/Software war on one hand, and then expect to be viewed as an independent third party Red Cross vehicle on the other. Sitting in Berkeley among the techno-elite you can't help but realize all of these things are connected somewhere - you know, "in the cloud". I just hope the Commerce Dept people felt the same.

-dave