[Dailydave] The Loya Jirga of Vulnerability Disclosure: RESULTS

Dave Aitel dave at immunityinc.com
Thu Oct 1 11:52:33 EDT 2015

Tuesday was a live streaming meeting hosted by NTIA in Berkeley, about
the process of "Vulnerability Disclosure" and how it can better work for
everyone. It was on the West Coast because that's where the people the
Commerce Department wanted to have at the table were, largely. Oracle,
Microsoft, Facebook, Google, Juniper, SAP - the list goes on and on.

But also, the parallels to our efforts in Afghanistan go on and on too.
Sometimes getting everyone in a room for more discussions can solve
problems - and the "Multi-stakeholder approach" the Commerce Department
is using is exactly that. Surely over lamb stew, you can talk some of
this out?

But like we wandered into Afghanistan, without speaking the language or
knowing the history or the people, the Commerce Department discussions
meandered in a full circle all day until the only agreement was to have
another meeting in DC later this year. Josh Corman of I AM THE CAVALRY
has an extremely polished point: it took fifteen years for Microsoft and
Google to reach this point in the disclosure process, where they
realized suing people for sharing information was a bad idea. Car
companies can't take that long and hope to survive. That's great, but
not actionable in any real way. It's not like there's a real dearth of
information on the subject available.

It's also clear that yes, there is a hope that there is a way out of the
"Weev Problem". And that problem is this: is there any way to say which
releases of vulnerability information are "valid" and which are
"invalid" and only send prosecutors and FBI agents out to beat the
snot out of the "Bad people doing invalid vulnerability disclosures
which violate community norms"?

As much as the Commerce Department and various parts of industry wish
this were true, it is not true. More talking and more multi-stakeholder
meetings are not going to make it true.

And after getting ambushed by the Commerce Department at Wassenaar,
everyone comes to every meeting with body armor and grenades. You can't
both refight the Crypto/Software war on one hand, and then expect to be
viewed as an independent third party Red Cross vehicle on the other.
Sitting in Berkeley among the techno-elite you can't help but realize
all of these things are connected somewhere - you know, "in the cloud".
I just hope the Commerce Dept people felt the same.

