Full Disclosure mailing list archives

Re: licensing discussion


From: Mary and Glenn Everhart <Everhart () gce com>
Date: Sun, 12 Oct 2008 19:13:36 -0400

Gents -
Consider an old quote from LBJ, approximately "the design of a law when 
well administered is rarely the problem. Designing measures that work 
when badly administered is what is difficult."

A licensing system might conceivably be administered to enhance security 
for the world's software and systems. However, it is also likely one 
might be administered to simply shut down all the inconvenient 
discussions of vulnerabilities and any open research into them, which at 
least could allow vendors less adverse publicity.

I consider this far more likely than a system that would genuinely 
distinguish good from evil intentions. If recent history - look at how 
DMCA gets abused in the US and how surveillance "against terrorism" has 
become surveillance for all manner of other stuff - cannot convince, 
then just ask where those running a licensing activity might get their 
people. Care to give odds how many basically unattested experts will be 
there, and how many corporate testers, regardless of the relative level 
of understanding of these people?

Throwing out notions that government might save us from this or that 
evil tends to forget that in the past government has in many cases 
royally "screwed the pooch", and has in others managed not to do its job 
well enough to avoid other crack-ups (like the current financial 
disaster, where apparently they sat by and allowed $60+ trillion in fake 
insurance policies to be written without any capital to back them up). 
(The figure is gleaned from news reports.)

I suspect that looking for technical solutions to some of the infosec 
problems is much more likely to work than tossing the problem over the 
wall to the government.

Glenn Everhart

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

