RE: Final position RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Some learning processes never change; the study of human emotion, for example, is essentially the same today as it was in Socrates' time. Other learning processes, such as the study of how to do amputations done during the U.S. Civil War, need not be repeated...we know better now how to do such learning. Elias talks about throwing the baby out with the bathwater, Pascal talks about things being sloppy or trivial. Both indicate a problem, and Marcus has suggested, in his typical radical way, an alternative. Were it not for such thinking we'd not be doing anything in this field. The thinking is not that different from the thinking of those he'd suggest change their ways (or grow up, to use his words). What's different, however, is the basis for his reasoning as opposed to others'. Because we cannot figure out how to save the baby while throwing out the bathwater does not mean we should not throw out the bathwater. The study of amputations proved that not throwing out the bathwater, in the mistaken belief that cleansing a wound was more important than leaving it free of the contaminants in the cleansing water, was indeed a mistake. The CVE board discussions about how to provide candidate numbers showed how important we felt our time was: you'll get one chance to show us you're worth our time...waste it and we'll be more reticent about doing it again. For the lack of a mechanism which addressed our concerns we opted for a set of guidelines that was, at least, restrained. What have we lost as a result? Clearly not enough to warrant us opening it up to any and all for as many as they want. So while you might think we'll get to some grail via the sloppy or trivial but-it'll-get-better approach, maybe it's time to step back and try to address known issues that still haven't been addressed (but could be if we focused more attention on them).
Instead of looking for new ways, or providing media attention to new ways, what would happen if we focused that mind share on existing problems? What if we made the Internet break for all "insecure" TCPIP implementations in existence on a given day, at a given time? If Marcus is anything, he's not "status quo", and that, in and of itself, makes it valuable input since it's not based on some desire to solely get media attention. Arguable to what extent Marcus will go to make this IPO work...;-]...but his statements are at least consistent with past commentaries. Meanwhile, others look at it and, without offering anything but "status quo", try to slam dunk it away. Whether we accept it or not, the media attention lists like mine (and Elias') provide to "discoverers" can be used as a force. None that I know of currently treat themselves as being completely free of bias, and all attempt to maximize coverage for topics/issues they feel are important to the world. So through them we (as maintainers) are trying to point the readership in a direction, obvious or otherwise. Vendors (including all "discovery" engines) leverage that in, and outside of, our lists. This is, I believe, Marcus' point. It's mine, for sure. This doesn't mean, however, that I'm in any way trying to prevent the research, knowledge sharing, or disclosure. What I do in these regards is based on a far more complex formula than simply whether or not the advisory is ego-based. I ran a poll recently with my subscribers, based on a suggestion from one that the advisories were getting too full of ego material. 80% of the respondents felt the ego-based advisories should be stopped...yet only 5% of the subscribers actually responded. So, no change in policy on my part.
However, had I not asked and simply made the change I suggested (which isn't saying that the suggested change was entirely what I would have wanted...it was a compilation of several ideas from various sources) then chances are only 5% of the subscribers would have noticed/commented. Those that did would largely have been happy with the change, and the landscape would have changed. Marcus has the *alls to state why a change must be made...little middle ground, no room for much interpretation. Others yell that "status quo" is the only way to go. I'd say that it's far easier to be in support of "status quo" than it is to state your well defined opinion on why "status quo" is *the best* way for things to be. I'll shortly be hosting an on-line email debate with Marcus and "others" regarding his disclosure views. I'm looking for people who can strongly uphold the full and immediate disclosure stance against Marcus' views. I want the whole thing to be public, usable by anyone who participates...oh, and a good clean fight (no personal attacks, no profanity, on-topic). It's meant to last about a month and take a message from you every day or two. Anyone interested in participating should contact me before Monday, 9/25. Obviously this is way off-topic for this list (my apologies); any replies I feel I need to send to this will go just to the individual who posts it. As always, every time I poke my head into this folder of mine I find an interesting talk...too bad it never seems to translate into votes on NT issues...;-[ Cheers, Russ - Surgeon General of ICSA.net