nanog mailing list archives

Re: NSP-SEC


From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Fri, 19 Mar 2010 14:05:37 -0400 (EDT)

On Fri, 19 Mar 2010, William Pitcock wrote:

> On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
>> An ongoing area of work is to build better closed,
>> trusted communities without leaks.
>
> Have you ever considered that public transparency might not be a bad
> thing?  This seems to be the plight of many security people, that they
> have to be 100% secretive in everything they do, which is total
> bullshit.

That's fine, in theory, but in practice it doesn't work.

Part of the issue is that information that could be considered sensitive generally has to have a level of trust for both the sender(s) and receiver(s), and that level of trust is generally not possible in an open forum. By "level of trust" I mean that if I have sensitive intel about an ongoing incident (attack, pwnd box, etc.), I need to have some assurance that the information gets to people who can and will act on it, and keep that information confidential. nsp-sec has worked to build that level of trust (in general, with pretty good success) through the vetting process that every potential participant goes through.

Is it a perfect system? No, but it does serve a useful and important purpose.

Many security people have to keep things quiet for the same reasons, in addition to (not an all-inclusive list):

1. They might be under NDA or be employed at a company that has a policy against any sort of "unapproved disclosures".
2. The sources of various bits of intel are confidential and releasing unfiltered information could compromise that source.
3. Releasing unfiltered information could compromise intel gathering methods, potentially rendering them useless for further action.

"The likelihood that a secret will be kept goes down by the square of the number of people who know it" -- source unknown

"The likelihood that a meeting will be productive goes down by the square of the number of people who attend" -- me

jms

