RE: [VulnDiscuss] Cybersecurity, Research & Disclosure Conference
From: Larry Pingree (LPingreenetscreen.com)
Date: Fri Nov 07 2003 - 09:13:39 CST
I have several questions for those who question whether we should
have disclosure or not and here are my questions:
1. If we don't know what exploits exist, how can we protect
2. A. How does the United States protect itself from Terrorist or
B. Doesn't the US spy to know what the enemy is capable of to
understand where to protect us?
3. If full disclosure does not exist, how will Intrusion detection
companies develop attack signatures to protect your systems?
4. A. Ever read the art of war?
B. Isn't intelligence essential?
5. Why is this a debate, what person does not want to know more about
the enemies we face and their capabilities?
6. A. Doesn't innovation come from the premise that things are not
B. Isn't innovation built on this principle?
C. Doesn't progression of culture and nations base their progress on
7. Will a law against disclosure stop the black hats in other
countries from developing exploits?
8. A. In 9/11, what was the failure of the CIA?
B. Wasn't it intelligence and dissemination?
9. Isn't it obvious that we need to know more and not less about our
10. Have any laws against gun ownership stopped criminals from
I think if you answer these questions, it should be quite clear as to
what Americans should decide. But I imagine the US public as sheep
and they will most likely think that non-disclosure leads us down the
right path because they are simpletons and have no depth and insight.
- Larry Pingree
-----Original Message-----
From: Dave Aitel [mailto:daveimmunitysec.com]
Sent: Thursday, November 06, 2003 11:16 PM
Subject: Re: [VulnDiscuss] Cybersecurity, Research & Disclosure
OIS is hardly the only organization that has tried to bring
to the vendors - much like sheep are brought to a shearing-shop. CERT
has also built a business on the backs of independent researchers.
difference is that CERT is not lobbying Congress to get a
monopoly. iDefense and SecurityFocus (bugtraq) are other
that have served similar purposes, except more honestly for
The amazing thing about any of the organizations trying to set a
or even comment, on what researchers do with their information (the
result of many hard hours) is that none of these organizations do any
research worth mentioning.
As I believe Churchill said to the Pope (regarding chastity): If you
don't play the game, you can't make the rules.
This conference seems guaranteed to generate a lot of media
opportunities to write things like: "There is a consensus in the
security community that having a trusted third party mediate between
security researchers and vendors would be good for the country" at
point OIS could continue on its goal at getting vulnerability
information classified as munitions and regulated.
Nothing could be farther from the truth, which we the people find
evident, and have no need to trek to a conference to prove.
Chris Wysopal wrote:
>By my count five out of the seventeen speakers so far work for
>organizations involved with the Organization for Internet Safety.
>Certainly not a majority, but a lot of participation here shouldn't
>come as a surprise as OIS is the only organization that has stepped
>up and tried to bring researchers and technology vendors together
>through a common disclosure process.
>More active independent security researcher participation would help
>make the conference better. I encourage people in this group to
>either attend or email Jennifer Granick <jennifergranick.com>
>about getting a speaker slot.
>On Thu, 6 Nov 2003, Cesar wrote:
>>This seems more like an "Organization for Internet Safety"
>>meeting than a conference. I don't see any active
>>independent security researcher in the speaking list.
>>--- Chris Wysopal <weldvulnwatch.org> wrote:
>>>Cybersecurity, Research & Disclosure
>>>November 22, 2003
>>>Stanford Law School
>>>Almost daily, newly discovered vulnerabilities are revealed on mailing lists like BugTraq and Full Disclosure. Harried 'emergency response teams' craft patches and system administrators struggle to implement them system-wide before an attacker can break in. Is there a better process for discovering flaws and securing computers? Do privacy and security benefit from the unregulated flow of vulnerability information or should speech be silenced to prevent more attacks? Will regulation or even criminal penalties promote security, or just help vendors hide the poor quality of their software products from customers?
>>>On November 22, Stanford Law School's Center for Internet and Society will host a day-long exploration of the relationship between computer security, privacy, and disclosure of information about
>>>Experts from government, industry and academia will gather to debate seven questions addressing how vendors, customers, government, researchers and consumers can better promote vulnerability research, computer security and consumer privacy.
>>>Confirmed speakers include:
>>>Matt Blaze, AT&T
>>>Mary Ann Davidson, Oracle
>>>David L. Dill, Professor of Computer Science,
>>>James Duncan, Cisco
>>>Gerhard Eschelbeck, Qualys
>>>Stephanie Fohn, Consultant
>>>Tiina Havana, Oulu University Secure Programming Group (OUSPG), Finland
>>>Shawn Hernan, CERT
>>>Steven B. Lipner, Microsoft
>>>Simple Nomad, NMRC, Bindview
>>>Len Sassaman, Anonymizer
>>>Bruce Schneier, Counterpane
>>>Peter P. Swire, Professor of Law at Ohio State
>>>Hal Varian, Professor, University of California,
>>>Vincent Weafer, Symantec
>>>Stephen Wu, InfoSec Law Group
>>>Chris Wysopal, @stake
>>>Anyone who is interested in securing the infrastructure, free speech, protecting consumers' privacy and the future of the
>>>should attend this day-long event.
>>>Register now at: