Dailydave mailing list archives
Re: The Loya Jirga of Vulnerability Disclosure: RESULTS
From: Darkpassenger <darkpassenger () unseen is>
Date: Sun, 04 Oct 2015 05:24:59 -0700
speaking of Afghanistan it would be smart to notice other moves from top usg officials around silicon valley , particularly dod's FlexTech Alliance . members? all the names , from Apple to Lockheed . in the name of national defense . i remember a TV piece aired like 4-5 years ago named به نام دموکراسی : in the name of Democracy . it showed various people , some were Americans , who were involved in reformist moves against the Ayatollahs funded by known western figures involved in colored revolutions .
i strongly warn infosec people , in whatever industry they define themselves , to notice the differences between morale-oriented value system-based right and wrong from the govt plans and "house of cards" politics played by immeasurably weird players ..huh ..well usually for pretty selfish retard backward reasons .
not that i care about a bunch of exploits..but found the nature of this headline amusing..awful monarch Saudis wanted to buy HT where the pimp was a former us ambassador in italy..in the name of ?
-dp

On 2015-10-01 08:52, Dave Aitel wrote:
Tuesday was a live streaming meeting hosted by NTIA in Berkeley, about the process of "Vulnerability Disclosure" and how it can better work for everyone. It was on the West Coast because that's where the people the Commerce Department wanted to have at the table were, largely. Oracle, Microsoft, Facebook, Google, Juniper, SAP - the list goes on and on.

But also, the parallels to our efforts in Afghanistan go on and on too. Sometimes getting everyone in a room for more discussions can solve problems - and the "Multi-stakeholder approach" the Commerce Department is using is exactly that. Surely over lamb stew, you can talk some of this out? But like we wandered into Afghanistan, without speaking the language or knowing the history or the people, the Commerce Department discussions meandered in a full circle all day until the only agreement was to have another meeting in DC later this year.

Josh Corman of I AM THE CAVALRY has an extremely polished point: it took fifteen years for Microsoft and Google to reach this point in the disclosure process, where they realized suing people for sharing information was a bad idea. Car companies can't take that long and hope to survive. That's great, but not actionable in any real way. It's not like there's a real dearth of information on the subject available.

It's also clear that yes, there is a hope that there is a way out of the "Weev Problem". And that problem is this: is there any way to say which releases of vulnerability information are "valid" and which are "invalid" and only send out prosecutors and FBI agents out to beat the snot out of the "Bad people doing invalid vulnerability disclosures which violate community norms"? As much as the Commerce Department and various parts of industry wish this were true, it is not true. More talking and multi-stakeholder meetings is not going to make it true. And after getting ambushed by the Commerce Department at Wassenaar, everyone comes to every meeting with body armor and grenades.
You can't both refight the Crypto/Software war on one hand, and then expect to be viewed as an independent third party Red Cross vehicle on the other. Sitting in Berkeley among the techno-elite you can't help but realize all of these things are connected somewhere - you know, "in the cloud". I just hope the Commerce Dept people felt the same.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- The Loya Jirga of Vulnerability Disclosure: RESULTS Dave Aitel (Oct 01)
- Re: The Loya Jirga of Vulnerability Disclosure: RESULTS Darkpassenger (Oct 08)