oss-sec mailing list archives
Re: Vendor-sec hosting and future of closed lists
From: Josh Bressers <bressers () redhat com>
Date: Thu, 3 Mar 2011 14:22:43 -0500 (EST)
----- Original Message -----
> Hi folks, As moderator of vendor-sec and one of the sysadmins of lst.de I noticed a break-in into the lst.de machine last week, which was likely used to sniff email traffic of vendor-sec. This incident probably happened on Jan 20 as confirmed by timestamp, but might have existed for longer.
Thanks for making this public. I know it can be hard to bring something like this up.
> I have asked Solar Designer if he could take over hosting, and he agreed, including a full GPG crypted setup.
For those of you who don't know Solar Designer hosts oss-security.
> So I would like to open up a discussion with _all_ OSS Security folks present.
> - Is a closed vendor coordination like vendor-sec still needed at this time?
I've thought about this a lot. I think the answer is probably. There are still reasons to need good cooperation between vendors (this is different than coordination, which is what the CERTs do, which generally doesn't bring the affected parties together to work on a solution, they generally just distribute information).
> Meaning: does the benefit of a closed group really outweigh the "left out feeling" of non members and its annoyances?
This is a big challenge. It's also really hard to decide who should get to be a part of such a group. Historically vendor-sec was only vendors, but there are a number of researchers who would be useful for example (but again, who do you choose).
> - If yes, would it be an idea to confine or split into lists of focus groups? (like Linux vendors, BSD vendors, all OSS source using vendors, etc?)
My only fear with this is complexity (I'll propose a far more complex idea below).
> - Or of course the old option is open: Should we proceed with the current state as-is, but throw a bit more GPG encryption on top?
I suspect it's fairly well understood that the current vendor-sec model was broken. Very few "members" ever contributed, which made the list more of an announce venue.
> - What other options do we have or should we pursue?
If I had my way (and we had infinite time and resources), I would opt for a solution that let the reporter decide who they wanted to inform. Have a system in place that could handle properly encrypting the traffic, then somehow (web page?) let a reporter decide who to alert. This list of potential recipients could include vendors, other upstream projects, researchers, CERTs, ... the possibilities are endless. Such a system would remove the whole group idea, as nobody gets "left out", but rather included. Perhaps oCERT would be interested in helping with such an idea? They sort of already do this, but we'd want to create more cooperation than previously existed.

Anyhow, thanks for the update.

-- JB