Message-Id: <B8655473-CC69-403E-BB35-5F233EF95D1A@dwheeler.com>
Date: Fri, 23 Jun 2023 14:37:11 -0400
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: Re: Opinion: Governments don't want IT security, they
 want to have cyber weapons


> On Jun 23, 2023, at 6:28 AM, Solar Designer <solar@...nwall.com> wrote:
> I actually think we should be rejecting postings like this.  I accepted
> this one as an example.  By "postings like this" I mean rants without
> proposed solutions, not helpful for this community (and where replies
> are unlikely to be helpful either), and/or lacking focus on Open Source.
> I think in this case it's all 3 of these.

I agree with you. I'd prefer if this (and ALL mailing lists) tried to stay on-topic. Currently that's
"Discussion of security flaws, concepts, and practices in the Open Source community".

>  I think the recent thread
> "The AI chatgpt writes insecure code" was of similarly questionable
> value for this list's subscribers.

I think the *first* post that "AI systems (including LLMs)
often generate insecure code" was plausibly on-topic.
Now that it's happened, we don't need any more such posts.

If someone has a solution, with evidence that it *works* and can be used in OSS,
that would be relevant (and possibly interesting).

Regarding your comment:

> I think most governments do want IT security.  Some also want "cyber
> weapons", which is partially contradictory, but that's how it is:
> https://en.wikipedia.org/wiki/NOBUS

Since we're on this topic, my understanding of US policy (at least at one time) was that
it's considered a trade-off, so what will be done is decided on a case-by-case basis by the "VEP process":
"The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."
https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF
That's a little old, and I don't know if the policy has been changed, but that's an official page from the US archives.

I have opinions about this policy, generally negative, but I think that discussion is outside the scope of this mailing list so I'll stop there.

So having discussed this, I look forward to more messages focused on the topics of this mailing list :-).

--- David A. Wheeler
