<div dir="ltr">Ok, so here's what I get from talking to Allan about it briefly last week. It reminds me a whole lot of the <a href="https://en.wikipedia.org/wiki/2003_loya_jirga">2003 Loya Jirga</a> convened in Afghanistan, for ALL THE RIGHT REASONS.<div><br></div><div>I mean, if you ask the question "Does the status quo work for you?" enough, then people will want to come to the table, because no, clearly it is not working. </div><div><br></div><div>And in theory, you can then force some sort of "consensus" from whoever shows up, either by excluding the most contentious defenders of their positions or by simply finding a middle ground that is so banal that is is palatable. "Everyone is for cute puppies, right? As a principle?"</div><div><br></div><div>Then in theory you can take this statement of principles to the people who are trying to rework the CFAA and related bills and say "Look, people are FOR PUPPIES, so maybe we shouldn't throw everyone in jail all the time for incrementing numbers in the URL bar?" </div><div><br></div><div>There are two major problems with this extremely expensive Vulnerability Management Loya Jirga:</div><div><br></div><div>The first is that clearly you only get a veneer of respectability for any statement of principles. Oracle is NOT an outlier with <a href="http://arstechnica.com/information-technology/2015/08/oracle-security-chief-to-customers-stop-checking-our-code-for-vulnerabilities/">their opinions</a> on how copyright allows them to deal with vulnerability researchers. And researchers are of many many minds, but pretty much rightfully wary of any attempt to put an official imprint on what way is "responsible" when it comes to releasing or handling vulnerabilities, even at its most watered down way. We JUST got over Microsoft trying to enforce the rules of responsible disclosure, and I don't think anyone wants to go backwards on that. One day is maybe enough to discuss an introduction to the problems involved, assuming nobody sleeps or eats or uses the bathroom, even though only .01% of the interested stakeholders will be in the room or watching the video feed.</div><div><br></div><div>The second major issue is of course the stick. The current stick for a lot of this is "Congress is going to make a law. It is inevitable. Don't you want to help them do it right?" The natives hear this and are perfectly willing to play stupid even though they know for a fact that this is by no means inevitable. We have an administration on the way out and Congress's basic policy is lockjam. Much like in Afghanistan, where everyone knows that you can wait out the occupation, any time a stakeholder feels it is losing their position, they're going to ask a few thousand pertinent questions and push the issue back about 16 months. </div><div><div><br></div><div>And of course there's no talk of a backup plan. What happens if there's NO consensus? This is what worries me the most. When failure is not an option, then it is unfortunately guaranteed. </div><div><br></div><div>Here's what will happen: A consensus will be forced. SOME documented set of "principles" will be taken to people writing bills. That is not necessarily Mission Accomplished, but it's sometimes close enough to write a Washington Post article about...</div><div><br></div><div>-dave</div><div><br></div><div><br><div class="gmail_quote"><div dir="ltr">On Mon, Aug 31, 2015 at 4:09 PM Claus C. Houmann <<a href="mailto:cch@improveit.dk" target="_blank">cch@improveit.dk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm not from the U.S. and my POV might be both irrelevant to you and wrong, but it seems to me that if all US interest groups could work together on this, you might have a chance at avoiding further, future legislation that would hamper even more than any compromise now<br>
<br>
Claus Cramon Houmann<br>
<br>
<br>
<br>
> On 31 Aug 2015, at 21:55, Jason <<a href="mailto:jason@brvenik.com" target="_blank">jason@brvenik.com</a>> wrote:<br>
><br>
> My $.02 - If the only output is an agreement that mutual respect<br>
> coupled with an understanding that one of N possible paths is the<br>
> typical outcome for the un agreed term "vulnerability" I would<br>
> consider it a net positive.<br>
><br>
> It is clear something is going to be done and we need to involve if<br>
> only to minimize the potential negative outcomes of that something.<br>
><br>
>> On Mon, Aug 31, 2015 at 2:44 PM, Dave Aitel <<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>> wrote:<br>
>> I'm watching his BSides talk now. Lots of times people disagree because they<br>
>> have valid opposing views and interests.<br>
>><br>
>> Vulnerability disclosure is one of those times. What do they do if they<br>
>> can't come to a "consensus"? Just give up, or propose a standard that<br>
>> pleases nobody?<br>
>><br>
>> I haven't spoken to him yet, but I don't think you can come to a consensus<br>
>> on defining what a vulnerability is, let alone what to do about them,<br>
>> assuming something must be done.<br>
>><br>
>> -dave<br>
>><br>
>><br>
>><br>
>><br>
>>> On Mon, Aug 31, 2015 at 3:41 PM Jason <<a href="mailto:jason@brvenik.com" target="_blank">jason@brvenik.com</a>> wrote:<br>
>>><br>
>>> I spoke with him and my take is that there is a sincere desire to<br>
>>> better understand the various constituencies and differing needs and<br>
>>> that through a collaborative effort perhaps we can find a normative<br>
>>> set of principals that everyone agrees on and from there begin to<br>
>>> address the differing needs. To me it seems a lofty goal but one<br>
>>> worthy of pursuit in a forum more conducive than a mailing list.<br>
>>><br>
>>> On Mon, Aug 31, 2015 at 2:13 PM, Jennifer Granick<br>
>>> <<a href="mailto:jennifer@law.stanford.edu" target="_blank">jennifer@law.stanford.edu</a>> wrote:<br>
>>>> I'll be attending this meeting on 9/29.<br>
>>>><br>
>>>> Via Twitter I asked Allen Friedman who is organizing this meeting why is<br>
>>>> this is on Commerce's agenda and I was told that they want to "expand<br>
>>>> norms:<br>
>>>> awareness, adoption, adaptation, innovation of practices & standards". I<br>
>>>> asked what the problem was they were trying to solve, but no answer. He<br>
>>>> invited me and others to contact him further, but I'm not sure a private<br>
>>>> conversation is anything but a waste of time. I think NTIA should<br>
>>>> publicly<br>
>>>> justify its efforts and interest here. My guess from Twitter chat is<br>
>>>> that<br>
>>>> Friedman has heard a number of complaints and thinks it would be a great<br>
>>>> idea for all the "stakeholders" to get in a room and compromise. My view<br>
>>>> is<br>
>>>> that the fact that people complain is not necessarily a good reason to<br>
>>>> do<br>
>>>> anything about their complaints.<br>
>>>><br>
>>>> J<br>
>>>><br>
>>>><br>
>>>><br>
>>>> Jennifer Stisa Granick<br>
>>>> Director of Civil Liberties<br>
>>>> Stanford Center for Internet and Society<br>
>>>> 559 Nathan Abbott Way<br>
>>>> Stanford, CA 94305<br>
>>>> 650.736.8675<br>
>>>> <a href="mailto:jennifer@law.stanford.edu" target="_blank">jennifer@law.stanford.edu</a><br>
>>>><br>
>>>>> On Mon, Aug 31, 2015 at 12:01 PM, Jason <<a href="mailto:jason@brvenik.com" target="_blank">jason@brvenik.com</a>> wrote:<br>
>>>>><br>
>>>>> Surprised to not see follow on conversations and no commentary<br>
>>>>> regarding the NTIA announcement.<br>
>>>>><br>
>>>>> "NTIA will convene meetings of a multistakeholder process concerning<br>
>>>>> the collaboration between security researchers and software and system<br>
>>>>> developers and owners to address security vulnerability disclosure."<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> <a href="http://www.ntia.doc.gov/september-29-multistakeholder-meeting-vulnerability-disclosure-pre-registration" rel="noreferrer" target="_blank">http://www.ntia.doc.gov/september-29-multistakeholder-meeting-vulnerability-disclosure-pre-registration</a><br>
>>>>> _______________________________________________<br>
>>>>> Regs mailing list<br>
>>>>> <a href="mailto:Regs@alchemistowl.org" target="_blank">Regs@alchemistowl.org</a><br>
>>>>> <a href="https://lists.alchemistowl.org/mailman/listinfo/regs" rel="noreferrer" target="_blank">https://lists.alchemistowl.org/mailman/listinfo/regs</a><br>
>>> _______________________________________________<br>
>>> Regs mailing list<br>
>>> <a href="mailto:Regs@alchemistowl.org" target="_blank">Regs@alchemistowl.org</a><br>
>>> <a href="https://lists.alchemistowl.org/mailman/listinfo/regs" rel="noreferrer" target="_blank">https://lists.alchemistowl.org/mailman/listinfo/regs</a><br>
> _______________________________________________<br>
> Regs mailing list<br>
> <a href="mailto:Regs@alchemistowl.org" target="_blank">Regs@alchemistowl.org</a><br>
> <a href="https://lists.alchemistowl.org/mailman/listinfo/regs" rel="noreferrer" target="_blank">https://lists.alchemistowl.org/mailman/listinfo/regs</a><br>
</blockquote></div></div></div></div>