From oss-security Fri Jun 23 18:37:11 2023
From: "David A. Wheeler"
Date: Fri, 23 Jun 2023 18:37:11 +0000
To: oss-security
Subject: Re: [oss-security] Opinion: Governments don't want IT security, they want to have cyber weapons
Message-Id:
X-MARC-Message: https://marc.info/?l=oss-security&m=168754545604739

> On Jun 23, 2023, at 6:28 AM, Solar Designer wrote:
> I actually think we should be rejecting postings like this. I accepted
> this one as an example. By "postings like this" I mean rants without
> proposed solutions, not helpful for this community (and where replies
> are unlikely to be helpful either), and/or lacking focus on Open Source.
> I think in this case it's all 3 of these.

I agree with you. I'd prefer if this (and ALL mailing lists) tried to stay on-topic.
Currently that's "Discussion of security flaws, concepts, and practices in the Open Source community".

> I think the recent thread
> "The AI chatgpt writes insecure code" was of similarly questionable
> value for this list's subscribers.

I think the *first* post that "AI systems (including LLMs) often generate insecure code" was plausibly on-topic. Now that it's happened, we don't need any more such posts. If someone has a solution, with evidence that it *works* and can be used in OSS, that would be relevant (and possibly interesting).

Regarding your comment:

> I think most governments do want IT security. Some also want "cyber
> weapons", which is partially contradictory, but that's how it is:
> https://en.wikipedia.org/wiki/NOBUS

Since we're on this topic, my understanding of US policy (at least at one time) was that it's considered a trade-off, so what will be done is decided on a case-by-case basis by the "VEP process":

"The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."
https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF

That's a little old, and I don't know if the policy has been changed, but that's an official page from the US archives.

I have opinions about this policy, generally negative, but I think that discussion is outside the scope of this mailing list so I'll stop there.

So having discussed this, I look forward to more messages focused on the topics of this mailing list :-).

--- David A. Wheeler