RE: requires full discussion of political and legal aspects of security

["Eric Lauzon" <eric.lauzon () abovesecurity com>]

I dont know about you but u will not find any ML with cutting edge security
expert
disclosing stuff anymore, most of them work for ISS ;P (hi guys) the rest
not interested in the majority of
whats going on with corporate ""bullshit""  security industry.
We could also bring back the anti-security and non disclosure..and funny
thing is that nowdays most of the companies
dont publish anymore unless they need contract or exposure.

-Eric Lauzon


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Matthew
Murphy
Sent: Saturday, April 19, 2003 3:41 PM
To: Full Disclosure
Cc: jasonc () science org
Subject: Re: [Full-disclosure] requires full discussion of political and
legal aspects of security



----- Original Message -----
From: "Jason Coombs" <jasonc () science org>
To: "Matthew Murphy" <mattmurphy () kc rr com>; "Full Disclosure"
<full-disclosure () lists netsys com>
Cc: "Len Rose" <len () netsys com>
Sent: Saturday, April 19, 2003 1:25 PM
Subject: RE: [Full-disclosure] requires full discussion of political and
legal aspects of security


> Matthew Murphy wrote:
> > These kind of discussions, while interesting to some list members, are
not
> > why I subscribe to this list.  The list's purpose is for discussion of
> > security issues -- Theo de Raadt's poor cry baby routine is not a
security
> > issue.  Please keep off-topic discussions like this to a minimum, as
they
> > will destroy this list.  List subscribers, many of whom are looking for
> > actual vulnerability details (and not discussion of world ideals), will
> > begin to leave in droves if posters do not learn to show basic
restraint.
> > If it isn't a security issue, don't post it.  Period.  I will adopt this
> > policy from this post forward, and I encourage others to do the same.
>
> As somebody who has conspicuously and intentionally pushed for more
political
> discussion on this list, I must say first that I disagree completely and
> second that I have no intention of withholding political discussions from
this
> list so you'll either have to tolerate (or filter) me, or lobby Len to
block
> my postings if they really offend you.

I don't find your posts offensive, I find them to be useless junk mail that
clutters my inbox.  If I wanted to hear your political views, I would have
joined a list of politicians.  I joined a list of security researchers --
specifically hoping that the lack of oversight would keep political things
(e.g, selective moderation) out of the list.  Obviously, posters like
yourself will make sure that goal is never reached.  While it is not
possible to have a discussion without some *sense* of politics, it is
possible not to have *political discussion*.  I could understand a story
about something relevant to me that you legitamitely think I need to know --
some threat to my well-being, occupation, etc.

I don't see how some U.S. government agency cutting off money to Theo De
Raadt impacts me, or many of the list's other subscribers to the point where
people's extremist political ramblings need to be flooding my inbox every 5
minutes.

> Geek crypto tech cipherpunk penetration and vulnerability discussions
without
> political and legal context encourage and foster gross misunderstanding of
> reality and place those who engage in security and cryptography research
at
> risk of unreasonable prosecution and persecution beyond socially
acceptable
> and beneficial self-regulation.

I didn't say we needed to have another BugTraq, I just said the discussion
needs to be *relevant*.  And, btw, if you think this list is
self-regulation, you're sadly mistaken.  Self-regulation (essentially
anarchy -- by the proper meaning anyway) cannot happen in security.  The
minute there is a need for security, self-regulation has failed.

> You've already made a political statement by joining this list: you reject
the
> politics of partial-disclosure or no disclosure on the grounds that you
and
> those who rely on you for expertise are best served when everyone receives
> full and timely disclosure of vulnerability details. You are implicitly
> insisting that forces of oppression that curtail disclosure and discussion
do
> far more harm than good.

By joining this list, I hoped to keep political garbage like Symantec's
hiding of information, selective moderation, etc. from coming here.  I did
not join this list for an open-ended political discussion, but for an
open-ended discussion of *security issues* as is in the charter.

> I reject your implication, and the implication of others on this list who
have
> communicated as much to me in the past, that political and legal
discussions
> pertaining to security are harmful to the list's well-being and focus.

Pertaining to security how?  Other than the fact that Theo De Raadt is an OS
project manager with a security interest, and he lost money he admitted he
never needed... that's just too much of a stretch, especially when the list
charter says politics should be avoided "at all costs".

> You've probably noticed that with a couple exceptions we all know better
than
> to engage in flame wars, especially over a non-technical political or
legal
> matter.

That assertion is ridiculous, because this *is* a non-technical political
matter we are dealing with here. :-)

> This self-regulation is working, and the tone and scope of discussion
> on this list coupled with the lack of restrictive moderation makes it
superior
> to bugtraq and others.

I would wonder about that assertion.  In its current state, this list drowns
my e-mail box in so much ridiculous junk that it becomes nearly impossible
to search through a week's worth of postings (a hundred or so), and find the
few things which actually deserved a place here.

> The most compelling reason to support thoughtful and well-informed
political
> and legal discussions rather than cast hate upon them as having nothing to
do
> with the topic of security is that we who support full disclosure are
wise,
> patriotic, law-abiding realists whose understanding of the technical
subject
> matter combined with our experience in the real world convince us beyond
any
> doubt that only the self-interested minority of power and money elite
benefit
> from suppressing full disclosure -- and we recognize, being realists, that
> every disclosure made without the full support of the self-interested
minority
> places those responsible at risk.
>
> You cannot seriously sit on the sidelines of this list, exposing yourself
to
> (nearly) zero risk (*), and benefit from the hard work being done and hard
> risks being taken by others, while simultaneously proclaiming that
discussion
> of the political and legal risks being taken by those who do the work that
> benefits you is somehow off-topic.

As a poster to the list, and a reader of the list, I get very little benefit
from political discussions such as these.  Had this discussion involved
something such as a grant specifically for the purpose of *security* (and
not just concerning the personal reputation of Theo De Raadt), I would have
had some knowledge to gain from it.  The way it is now -- mindless political
ramblings about "free speech" from all corners of the world -- teaches me
nothing about security or any related matter.  Had this been a discussion of
threats to/reasons for support of free speech, I would have had a good
context.  The way this discussion has been presented has no context, only
the rantings of a Canadian cry baby about U.S. law.

Further, I'd be interested in what makes you believe you have taken
substantially more risk than I have, as a fairly regular contributor to the
list.  Were I not a regular contributor, I would have long ago un-subscribed
so that I didn't have to put up with thoughtless political rants and useless
junk e-mail such as your post here.

> In the good 'ol days there used to be an explicit requirement for
> contributions from every member who benefits from the risks being taken by
> others. Either you contributed, and thus took some risk yourself, or you
were
> not entitled to benefit from the risk-taking of others. We've moved beyond
> that point now, and realize that it would be wrong to withhold the
benefits
> from anyone: this is the essence of full disclosure.
>
> But don't tell me this list is not political. If it's just bugtraq without
> Dave Ahmad then I need to unsubscribe.

What about the provision in the charter that says "politics should be
avoided at all costs"?  That seems to say that the list's goal is ***NOT***
politics.

> (*) During World War II, the Nazis apparently used telephone company
records
> to find out who called who. Whenever they hauled a family off to a gas
> chamber, they were sure to check that family's telephone records to
determine
> who else they needed to haul off to the gas chamber also. Therefore,
simply
> subscribing to this list with an e-mail address that is traceable to your
real
> identity places you at risk whether you choose to believe it or not.
Anyone
> who fails to understand the full scope of information security risk,
inclusive
> of its sometimes-subtle and sometimes-dangerous political and legal
aspects,
> fails to understand both history and human nature.

I have to wonder what relevance this has to the list, other than to state
that the goal of the list, with *or without* the political discussion, is
the ultimate freedom of information.  I fail to see how such off-topic,
fringe political discussion contributes to that goal.  By saturating the
list with details that most subscribers do not find useful, you are drowning
out useful information with ultimately useless political baggage.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html