oss-sec mailing list archives
Re: Opinion: Governments don't want IT security, they want to have cyber weapons
From: cbf0001 () proton me
Date: Sat, 24 Jun 2023 11:23:18 +0000
I agree with Solar and David, please stop lowering the bar with content that is not relevant to the distro subscribers.

Warm regards,
Cbf Primmo

On Fri, Jun 23, 2023 at 21:37, David A. Wheeler <dwheeler () dwheeler com> wrote:
On Jun 23, 2023, at 6:28 AM, Solar Designer <solar () openwall com> wrote:

I actually think we should be rejecting postings like this. I accepted this one as an example. By "postings like this" I mean rants without proposed solutions, not helpful for this community (and where replies are unlikely to be helpful either), and/or lacking focus on Open Source. I think in this case it's all 3 of these.

I agree with you. I'd prefer if this (and ALL mailing lists) tried to stay on-topic. Currently that's "Discussion of security flaws, concepts, and practices in the Open Source community".

I think the recent thread "The AI chatgpt writes insecure code" was of similarly questionable value for this list's subscribers.

I think the *first* post that "AI systems (including LLMs) often generate insecure code" was plausibly on-topic. Now that it's happened, we don't need any more such posts. If someone has a solution, with evidence that it *works* and can be used in OSS, that would be relevant (and possibly interesting).

Regarding your comment:

I think most governments do want IT security. Some also want "cyber weapons", which is partially contradictory, but that's how it is: https://en.wikipedia.org/wiki/NOBUS

Since we're on this topic, my understanding of US policy (at least at one time) was that it's considered a trade-off, so what will be done is decided on a case-by-case basis by the "VEP process": "The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."

https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF

That's a little old, and I don't know if the policy has been changed, but that's an official page from the US archives. I have opinions about this policy, generally negative, but I think that discussion is outside the scope of this mailing list so I'll stop there.

So having discussed this, I look forward to more messages focused on the topics of this mailing list :-).

--- David A. Wheeler

Current thread:
- Opinion: Governments don't want IT security, they want to have cyber weapons Georgi Guninski (Jun 23)
- Re: Opinion: Governments don't want IT security, they want to have cyber weapons Solar Designer (Jun 23)
- Re: Opinion: Governments don't want IT security, they want to have cyber weapons David A. Wheeler (Jun 23)
- Re: Opinion: Governments don't want IT security, they want to have cyber weapons cbf0001 (Jun 24)
- Re: Opinion: Governments don't want IT security, they want to have cyber weapons Solar Designer (Jun 24)
- Re: Opinion: Governments don't want IT security, they want to have cyber weapons David A. Wheeler (Jun 23)
- Re: Opinion: Governments don't want IT security, they want to have cyber weapons Solar Designer (Jun 23)