
List:       oss-security
Subject:    Re: [oss-security] Opinion: Governments don't want IT security, they want to have cyber weapons
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2023-06-23 18:37:11
Message-ID: B8655473-CC69-403E-BB35-5F233EF95D1A () dwheeler ! com


> On Jun 23, 2023, at 6:28 AM, Solar Designer <solar@openwall.com> wrote:
> I actually think we should be rejecting postings like this.  I accepted
> this one as an example.  By "postings like this" I mean rants without
> proposed solutions, not helpful for this community (and where replies
> are unlikely to be helpful either), and/or lacking focus on Open Source.
> I think in this case it's all 3 of these.

I agree with you. I'd prefer if this (and ALL mailing lists) tried to stay on-topic. Currently that's
"Discussion of security flaws, concepts, and practices in the Open Source community".

>  I think the recent thread
> "The AI chatgpt writes insecure code" was of similarly questionable
> value for this list's subscribers.

I think the *first* post that "AI systems (including LLMs)
often generate insecure code" was plausibly on-topic.
Now that it's happened, we don't need any more such posts.

If someone has a solution, with evidence that it *works* and can be used in OSS,
that would be relevant (and possibly interesting).

Regarding your comment:

> I think most governments do want IT security.  Some also want "cyber
> weapons", which is partially contradictory, but that's how it is:
> https://en.wikipedia.org/wiki/NOBUS

Since we're on this topic, my understanding of US policy (at least at one time) was that
it's considered a trade-off, so what will be done is decided on a case-by-case basis by the "VEP process":
"The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."
https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF
That's a little old, and I don't know if the policy has been changed, but that's an official page from the US archives.

I have opinions about this policy, generally negative, but I think that discussion is outside the scope of this mailing list so I'll stop there.

So having discussed this, I look forward to more messages focused on the topics of this mailing list :-).

--- David A. Wheeler
