Re: [Regs] Did the list just Die?

[Dave Aitel <dave.aitel () gmail com>]

Ok, so here's what I get from talking to Allan about it briefly last week.
It reminds me a whole lot of the 2003 Loya Jirga
<https://en.wikipedia.org/wiki/2003_loya_jirga> convened in Afghanistan,
for ALL THE RIGHT REASONS.

I mean, if you ask the question "Does the status quo work for you?" enough,
then people will want to come to the table, because no, clearly it is not
working.

And in theory, you can then force some sort of "consensus" from whoever
shows up, either by excluding the most contentious defenders of their
positions or by simply finding a middle ground that is so banal that is is
palatable. "Everyone is for cute puppies, right? As a principle?"

Then in theory you can take this statement of principles to the people who
are trying to rework the CFAA and related bills and say "Look, people are
FOR PUPPIES, so maybe we shouldn't throw everyone in jail all the time for
incrementing numbers in the URL bar?"

There are two major problems with this extremely expensive Vulnerability
Management Loya Jirga:

The first is that clearly you only get a veneer of respectability for any
statement of principles. Oracle is NOT an outlier with their opinions
<http://arstechnica.com/information-technology/2015/08/oracle-security-chief-to-customers-stop-checking-our-code-for-vulnerabilities/>
on how copyright allows them to deal with vulnerability researchers. And
researchers are of many many minds, but pretty much rightfully wary of any
attempt to put an official imprint on what way is "responsible" when it
comes to releasing or handling vulnerabilities, even at its most watered
down way. We JUST got over Microsoft trying to enforce the rules of
responsible disclosure, and I don't think anyone wants to go backwards on
that. One day is maybe enough to discuss an introduction to the problems
involved, assuming nobody sleeps or eats or uses the bathroom, even though
only .01% of the interested stakeholders will be in the room or watching
the video feed.

The second major issue is of course the stick. The current stick for a lot
of this is "Congress is going to make a law. It is inevitable. Don't you
want to help them do it right?" The natives hear this and are perfectly
willing to play stupid even though they know for a fact that this is by no
means inevitable. We have an administration on the way out and Congress's
basic policy is lockjam. Much like in Afghanistan, where everyone knows
that you can wait out the occupation, any time a stakeholder feels it is
losing their position, they're going to ask a few thousand pertinent
questions and push the issue back about 16 months.

And of course there's no talk of a backup plan. What happens if there's NO
consensus? This is what worries me the most. When failure is not an option,
then it is unfortunately guaranteed.

Here's what will happen: A consensus will be forced. SOME documented set of
"principles" will be taken to people writing bills. That is not necessarily
Mission Accomplished, but it's sometimes close enough to write a Washington
Post article about...

-dave


On Mon, Aug 31, 2015 at 4:09 PM Claus C. Houmann <cch () improveit dk> wrote:

> I'm not from the U.S. and my POV might be both irrelevant to you and
> wrong, but it seems to me that if all US interest groups could work
> together on this, you might have a chance at avoiding further, future
> legislation that would hamper even more than any compromise now
>
> Claus Cramon Houmann
>
>
>
> > On 31 Aug 2015, at 21:55, Jason <jason () brvenik com> wrote:
> >
> > My $.02 - If the only output is an agreement that mutual respect
> > coupled with an understanding that one of N possible paths is the
> > typical outcome for the un agreed term "vulnerability" I would
> > consider it a net positive.
> >
> > It is clear something is going to be done and we need to involve if
> > only to minimize the potential negative outcomes of that something.
> >
> > > On Mon, Aug 31, 2015 at 2:44 PM, Dave Aitel <dave.aitel () gmail com>
> wrote:
> > > I'm watching his BSides talk now. Lots of times people disagree because
> they
> > > have valid opposing views and interests.
> > >
> > > Vulnerability disclosure is one of those times. What do they do if they
> > > can't come to a "consensus"? Just give up, or propose a standard that
> > > pleases nobody?
> > >
> > > I haven't spoken to him yet, but I don't think you can come to a
> consensus
> > > on defining what a vulnerability is, let alone what to do about them,
> > > assuming something must be done.
> > >
> > > -dave
> > >
> > >
> > >
> > >
> > > > On Mon, Aug 31, 2015 at 3:41 PM Jason <jason () brvenik com> wrote:
> > > >
> > > > I spoke with him and my take is that there is a sincere desire to
> > > > better understand the various constituencies and differing needs and
> > > > that through a collaborative effort perhaps we can find a normative
> > > > set of principals that everyone agrees on and from there begin to
> > > > address the differing needs. To me it seems a lofty goal but one
> > > > worthy of pursuit in a forum more conducive than a mailing list.
> > > >
> > > > On Mon, Aug 31, 2015 at 2:13 PM, Jennifer Granick
> > > > <jennifer () law stanford edu> wrote:
> > > > > I'll be attending this meeting on 9/29.
> > > > >
> > > > > Via Twitter I asked Allen Friedman who is organizing this meeting why
> is
> > > > > this is on Commerce's agenda and I was told that they want to "expand
> > > > > norms:
> > > > > awareness, adoption, adaptation, innovation of practices &
> standards". I
> > > > > asked what the problem was they were trying to solve, but no answer.
> He
> > > > > invited me and others to contact him further, but I'm not sure a
> private
> > > > > conversation is anything but a waste of time. I think NTIA should
> > > > > publicly
> > > > > justify its efforts and interest here. My guess from Twitter chat is
> > > > > that
> > > > > Friedman has heard a number of complaints and thinks it would be a
> great
> > > > > idea for all the "stakeholders" to get in a room and compromise. My
> view
> > > > > is
> > > > > that the fact that people complain is not necessarily a good reason to
> > > > > do
> > > > > anything about their complaints.
> > > > >
> > > > > J
> > > > >
> > > > >
> > > > >
> > > > > Jennifer Stisa Granick
> > > > > Director of Civil Liberties
> > > > > Stanford Center for Internet and Society
> > > > > 559 Nathan Abbott Way
> > > > > Stanford, CA  94305
> > > > > 650.736.8675
> > > > > jennifer () law stanford edu
> > > > >
> > > > > > On Mon, Aug 31, 2015 at 12:01 PM, Jason <jason () brvenik com> wrote:
> > > > > >
> > > > > > Surprised to not see follow on conversations and no commentary
> > > > > > regarding the NTIA announcement.
> > > > > >
> > > > > > "NTIA will convene meetings of a multistakeholder process concerning
> > > > > > the collaboration between security researchers and software and
> system
> > > > > > developers and owners to address security vulnerability disclosure."
> http://www.ntia.doc.gov/september-29-multistakeholder-meeting-vulnerability-disclosure-pre-registration
> > > > > > _______________________________________________
> > > > > > Regs mailing list
> > > > > > Regs () alchemistowl org
> > > > > > https://lists.alchemistowl.org/mailman/listinfo/regs
> > > > _______________________________________________
> > > > Regs mailing list
> > > > Regs () alchemistowl org
> > > > https://lists.alchemistowl.org/mailman/listinfo/regs
> > _______________________________________________
> > Regs mailing list
> > Regs () alchemistowl org
> > https://lists.alchemistowl.org/mailman/listinfo/regs
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave