lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ILEPILDHBOLAHHEIMALBAEDFFFAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: requires full discussion of political and legal aspects of security

Matthew Murphy wrote:
> These kind of discussions, while interesting to some list members, are not
> why I subscribe to this list.  The list's purpose is for discussion of
> security issues -- Theo de Raadt's poor cry baby routine is not a security
> issue.  Please keep off-topic discussions like this to a minimum, as they
> will destroy this list.  List subscribers, many of whom are looking for
> actual vulnerability details (and not discussion of world ideals), will
> begin to leave in droves if posters do not learn to show basic restraint.
> If it isn't a security issue, don't post it.  Period.  I will adopt this
> policy from this post forward, and I encourage others to do the same.

As somebody who has conspicuously and intentionally pushed for more political
discussion on this list, I must say first that I disagree completely and
second that I have no intention of withholding political discussions from this
list so you'll either have to tolerate (or filter) me, or lobby Len to block
my postings if they really offend you.

Geek crypto tech cipherpunk penetration and vulnerability discussions without
political and legal context encourage and foster gross misunderstanding of
reality and place those who engage in security and cryptography research at
risk of unreasonable prosecution and persecution beyond socially acceptable
and beneficial self-regulation.

You've already made a political statement by joining this list: you reject the
politics of partial-disclosure or no disclosure on the grounds that you and
those who rely on you for expertise are best served when everyone receives
full and timely disclosure of vulnerability details. You are implicitly
insisting that forces of oppression that curtail disclosure and discussion do
far more harm than good.

I reject your implication, and the implication of others on this list who have
communicated as much to me in the past, that political and legal discussions
pertaining to security are harmful to the list's well-being and focus.

You've probably noticed that with a couple exceptions we all know better than
to engage in flame wars, especially over a non-technical political or legal
matter. This self-regulation is working, and the tone and scope of discussion
on this list coupled with the lack of restrictive moderation makes it superior
to bugtraq and others.

The most compelling reason to support thoughtful and well-informed political
and legal discussions rather than cast hate upon them as having nothing to do
with the topic of security is that we who support full disclosure are wise,
patriotic, law-abiding realists whose understanding of the technical subject
matter combined with our experience in the real world convince us beyond any
doubt that only the self-interested minority of power and money elite benefit
from suppressing full disclosure -- and we recognize, being realists, that
every disclosure made without the full support of the self-interested minority
places those responsible at risk.

You cannot seriously sit on the sidelines of this list, exposing yourself to
(nearly) zero risk (*), and benefit from the hard work being done and hard
risks being taken by others, while simultaneously proclaiming that discussion
of the political and legal risks being taken by those who do the work that
benefits you is somehow off-topic.

In the good 'ol days there used to be an explicit requirement for
contributions from every member who benefits from the risks being taken by
others. Either you contributed, and thus took some risk yourself, or you were
not entitled to benefit from the risk-taking of others. We've moved beyond
that point now, and realize that it would be wrong to withhold the benefits
from anyone: this is the essence of full disclosure.

But don't tell me this list is not political. If it's just bugtraq without
Dave Ahmad then I need to unsubscribe.

Sincerely,

Jason Coombs
jasonc@...ence.org

(*) During World War II, the Nazis apparently used telephone company records
to find out who called who. Whenever they hauled a family off to a gas
chamber, they were sure to check that family's telephone records to determine
who else they needed to haul off to the gas chamber also. Therefore, simply
subscribing to this list with an e-mail address that is traceable to your real
identity places you at risk whether you choose to believe it or not. Anyone
who fails to understand the full scope of information security risk, inclusive
of its sometimes-subtle and sometimes-dangerous political and legal aspects,
fails to understand both history and human nature.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ