From: Larry Pingree (LPingreenetscreen.com)
Date: Fri Nov 07 2003 - 09:13:39 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Folks,

I have several questions for those who question whether we should
have disclosure or not and here are my questions:

1. If we don't know what exploits exist, how can we protect
ourselves?

2. A. How does the United States protect itself from Terrorist or
other nations?
        B. Doesn't the US spy to know what the enemy is capable of to
understand where to protect us?

3. If full disclosure does not exist, how will Intrusion detection
companies develop attack signatures to protect your systems?

4. A. Ever read the art of war?
        B. Isn't intelligence essential?

5. Why is this a debate, what person does not want to know more about
the enemies we face and their capabilities?

6. A. Doesn't innovation come from the premise that things are not
perfect?
        B. Isn't innovation built on this principle?
        C. Doesn't progression of culture and nations base their progress on
this priciple?

7. Will a law against disclosure stop the black hats in other
countries from developing exploits?

8. A. In 9/11, what was the failure of the CIA?
        B. Wasn't it intelligence and dissemination?

9. Isn't it obvious that we need to know more and not less about our
enemies?

10. Have any laws against gun ownership stopped criminals from
getting guns?

I think if you answer these questions, it should be quite clear as to
what americans should decide. But I imagine the US public as sheep
and they will most likely think that non-disclosure leads us down the
right path because they are simpletons and have no depth and insight.

- - Larry Pingree

- -----Original Message-----
From: Dave Aitel [mailto:daveimmunitysec.com]
Sent: Thursday, November 06, 2003 11:16 PM
To: vulndiscussvulnwatch.org
Subject: Re: [VulnDiscuss] Cybersecurity, Research & Disclosure
Conference

OIS is hardly the only organization that has tried to bring
researchers
to the vendors - much like sheep are brought to a sheering-shop. CERT
has also built a business on the backs of independant researchers.
The
difference is that CERT is not lobbying Congress to get a
nationalized
monopoly. iDefense and SecurityFocus (bugtraq) are other
organizations
that have served similar purposes, except more honestly for
commercial
purposes.

The amazing thing about any of the organizations trying to set a
policy,
or even comment, on what researchers do with their information (the
result of many hard hours) is that none of these organizations do any
research worth mentioning.

As I believe Churchill said to the Pope (regarding chastity): If you
don't play the game, you can't make the rules.

This conference seems guaranteed to generate a lot of media
opportunities to write things like: "There is a consensus in the
security community that having a trusted third party mediate between
security researchers and vendors would be good for the country" at
which
point OIS could continue on its goal at getting vulnerability
information classified as munitions and regulated.

Nothing could be farther from the truth, which we the people find
self
evident, and have no need to trek to a conference to prove.

Dave Aitel
Immunity, Inc.

Chris Wysopal wrote:

>By my count five out of the seventeen speakers so far work for
>organizations involved with the Organization for Internet Safety.
>Certainly not a majority, but a lot of participation here shouldn't
>come as a surprise as OIS is the only organization that has stepped
>up and tried to bring researchers and technology vendors together
>through a common disclosure process.
>
>More active independant security researcher participation would help
> make the conference better. I encourage people in this group to
>either attend or email Jennifer Granick <jennifergranick.com>
>about getting a speaker slot.
>
>-Chris
>
>On Thu, 6 Nov 2003, Cesar wrote:
>
>
>
>>This seems a "Organization for Internet Safety"
>>meeting than a conference. I don't see any active
>>independent security researcher in the speaking list.
>>
>>Cesar.
>>--- Chris Wysopal <weldvulnwatch.org> wrote:
>>
>>
>>>Cybersecurity, Research & Disclosure
>>>November 22, 2003
>>>Stanford Law School
>>>http://cyberlaw.stanford.edu/security/
>>>
>>>Almost daily, newly discovered vulnerabilities are
>>>revealed on mailing
>>>lists like BugTraq and Full Disclosure. Harried
>>>'emergency response teams'
>>>craft patches and system administrators struggle to implement them
>>>system-wide before an attacker can break in. Is
>>>there a better process for
>>>discovering flaws and securing computers? Do
>>>privacy and security benefit
>>>from the unregulated flow of vulnerability
>>>information or should speech be
>>>silenced to prevent more attacks? Will regulation
>>>or even criminal
>>>penalties promote security, or just help vendors
>>>hide the poor quality of
>>>their software products from customers?
>>>
>>>On November 22, Stanford Law School's Center for
>>>Internet and Society will
>>>host a day-long exploration of the relationship
>>>between computer security,
>>>privacy, and disclosure of information about
>>>security vulnerabilities.
>>>Experts from government, industry and academia will
>>>gather to debate seven
>>>questions addressing how vendors, customers,
>>>government, researchers and
>>>consumers can better promote vulnerability research, computer
>>>security and consumer privacy.
>>>
>>>Confirmed speakers include:
>>>
>>>Matt Blaze, AT&T
>>>Mary Ann Davidson, Oracle
>>>David L. Dill, Professor of Computer Science,
>>>Stanford University
>>>James Duncan, Cisco
>>>Gerhard Eschelbeck, Qualys
>>>Stephanie Fohn, Consultant
>>>Tiina Havana, Oulu University Secure Programming
>>>Group (OUSPG), Finland
>>>Shawn Hernan, CERT
>>>Steven B. Lipner, Microsoft
>>>Simple Nomad, NMRC, Bindview
>>>Len Sassaman, Anonymizer
>>>Bruce Schneier, Counterpane
>>>Peter P. Swire, Professor of Law at Ohio State
>>>University
>>>Hal Varian, Professor, University of California,
>>>Berkeley
>>>Vincent Weafer, Symantec
>>>Stephen Wu, InfoSec Law Group
>>>Chris Wysopal, stake
>>>
>>>Anyone who is interested securing the
>>>infrastructure, free speech,
>>>protecting consumer's privacy and the future of the
>>>computer industry
>>>should attend this day-long event.
>>>
>>>Register now at:
>>>http://cyberlaw.stanford.edu/security/
>>>
>>>
>>>
>>__________________________________
>>Do you Yahoo!?
>>Protect your identity with Yahoo! Mail AddressGuard
>>http://antispam.yahoo.com/whatsnewfree
>>
>>
>>
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP6u2konzlYmweWy/EQKKTwCdEbC5f2ykLQjSWGemMr3dIuQ9A3YAoPFk
SPTnZBOcJh8YY82svsAlCqb9
=cxYw
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]