lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <ILEPILDHBOLAHHEIMALBAEDFFFAA.jasonc@science.org> From: jasonc at science.org (Jason Coombs) Subject: requires full discussion of political and legal aspects of security Matthew Murphy wrote: > These kind of discussions, while interesting to some list members, are not > why I subscribe to this list. The list's purpose is for discussion of > security issues -- Theo de Raadt's poor cry baby routine is not a security > issue. Please keep off-topic discussions like this to a minimum, as they > will destroy this list. List subscribers, many of whom are looking for > actual vulnerability details (and not discussion of world ideals), will > begin to leave in droves if posters do not learn to show basic restraint. > If it isn't a security issue, don't post it. Period. I will adopt this > policy from this post forward, and I encourage others to do the same. As somebody who has conspicuously and intentionally pushed for more political discussion on this list, I must say first that I disagree completely and second that I have no intention of withholding political discussions from this list so you'll either have to tolerate (or filter) me, or lobby Len to block my postings if they really offend you. Geek crypto tech cipherpunk penetration and vulnerability discussions without political and legal context encourage and foster gross misunderstanding of reality and place those who engage in security and cryptography research at risk of unreasonable prosecution and persecution beyond socially acceptable and beneficial self-regulation. You've already made a political statement by joining this list: you reject the politics of partial-disclosure or no disclosure on the grounds that you and those who rely on you for expertise are best served when everyone receives full and timely disclosure of vulnerability details. You are implicitly insisting that forces of oppression that curtail disclosure and discussion do far more harm than good. I reject your implication, and the implication of others on this list who have communicated as much to me in the past, that political and legal discussions pertaining to security are harmful to the list's well-being and focus. You've probably noticed that with a couple exceptions we all know better than to engage in flame wars, especially over a non-technical political or legal matter. This self-regulation is working, and the tone and scope of discussion on this list coupled with the lack of restrictive moderation makes it superior to bugtraq and others. The most compelling reason to support thoughtful and well-informed political and legal discussions rather than cast hate upon them as having nothing to do with the topic of security is that we who support full disclosure are wise, patriotic, law-abiding realists whose understanding of the technical subject matter combined with our experience in the real world convince us beyond any doubt that only the self-interested minority of power and money elite benefit from suppressing full disclosure -- and we recognize, being realists, that every disclosure made without the full support of the self-interested minority places those responsible at risk. You cannot seriously sit on the sidelines of this list, exposing yourself to (nearly) zero risk (*), and benefit from the hard work being done and hard risks being taken by others, while simultaneously proclaiming that discussion of the political and legal risks being taken by those who do the work that benefits you is somehow off-topic. In the good 'ol days there used to be an explicit requirement for contributions from every member who benefits from the risks being taken by others. Either you contributed, and thus took some risk yourself, or you were not entitled to benefit from the risk-taking of others. We've moved beyond that point now, and realize that it would be wrong to withhold the benefits from anyone: this is the essence of full disclosure. But don't tell me this list is not political. If it's just bugtraq without Dave Ahmad then I need to unsubscribe. Sincerely, Jason Coombs jasonc@...ence.org (*) During World War II, the Nazis apparently used telephone company records to find out who called who. Whenever they hauled a family off to a gas chamber, they were sure to check that family's telephone records to determine who else they needed to haul off to the gas chamber also. Therefore, simply subscribing to this list with an e-mail address that is traceable to your real identity places you at risk whether you choose to believe it or not. Anyone who fails to understand the full scope of information security risk, inclusive of its sometimes-subtle and sometimes-dangerous political and legal aspects, fails to understand both history and human nature.
Powered by blists - more mailing lists