[Dailydave] The Loya Jirga of Vulnerability Disclosure: RESULTS

Darkpassenger darkpassenger at unseen.is
Sun Oct 4 08:24:59 EDT 2015


Speaking of Afghanistan, it would be smart to notice other moves from top
USG officials around Silicon Valley, particularly DoD's FlexTech
Alliance. Members? All the names, from Apple to Lockheed. In the name
of national defense. I remember a TV piece aired like 4-5 years ago
named به نام دموکراسی: "In the Name of Democracy". It showed various
people, some were Americans, who were involved in reformist moves
against the Ayatollahs funded by known western figures involved in
colored revolutions.

I strongly warn infosec people, in whatever industry they define
themselves, to notice the differences between morale-oriented,
value-system-based right and wrong from the govt plans and "house of cards"
politics played by immeasurably weird players... huh... well, usually for
pretty selfish retard backward reasons.

Not that I care about a bunch of exploits... but found the nature of this
headline amusing... awful monarch Saudis wanted to buy HT where the pimp
was a former US ambassador in Italy... in the name of?


-dp


On 2015-10-01 08:52, Dave Aitel wrote:
> Tuesday was a live streaming meeting hosted by NTIA in Berkeley, about
> the process of "Vulnerability Disclosure" and how it can better work
> for everyone. It was on the West Coast because that's where the people the
> Commerce Department wanted to have at the table were, largely. Oracle,
> Microsoft, Facebook, Google, Juniper, SAP - the list goes on and on.
> 
> But also, the parallels to our efforts in Afghanistan go on and on too.
> Sometimes getting everyone in a room for more discussions can solve
> problems - and the "Multi-stakeholder approach" the Commerce Department
> is using is exactly that. Surely over lamb stew, you can talk some of
> this out?
> 
> But like we wandered into Afghanistan, without speaking the language or
> knowing the history or the people, the Commerce Department discussions
> meandered in a full circle all day until the only agreement was to have
> another meeting in DC later this year. Josh Corman of I AM THE CAVALRY
> has an extremely polished point: it took fifteen years for Microsoft and
> Google to reach this point in the disclosure process, where they
> realized suing people for sharing information was a bad idea. Car
> companies can't take that long and hope to survive. That's great, but
> not actionable in any real way. It's not like there's a real dearth of
> information on the subject available.
> 
> It's also clear that yes, there is a hope that there is a way out of
> the "Weev Problem". And that problem is this: is there any way to say which
> releases of vulnerability information are "valid" and which are
> "invalid" and only send prosecutors and FBI agents out to beat the
> snot out of the "Bad people doing invalid vulnerability disclosures
> which violate community norms"?
> 
> As much as the Commerce Department and various parts of industry wish
> this were true, it is not true. More talking and multi-stakeholder
> meetings are not going to make it true.
> 
> And after getting ambushed by the Commerce Department at Wassenaar,
> everyone comes to every meeting with body armor and grenades. You can't
> both refight the Crypto/Software war on one hand, and then expect to be
> viewed as an independent third party Red Cross vehicle on the other.
> Sitting in Berkeley among the techno-elite you can't help but realize
> all of these things are connected somewhere - you know, "in the cloud".
> I just hope the Commerce Dept people felt the same.
> 
> -dave
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave