
RE: On the topic of MITRE/Board transparency

On Thu, 11 May 2017, Millar, Thomas wrote:

: This is the same committee we talked to last spring after DWF and CVE 
: started making the news, and they are being diligent and following up 
: learn more about how we, and MITRE, manage the CVE program.
: I believe MITRE's response has already been sent to the Committee. It 
: now the Committee's decision whether to release that to the public.
: DHS is still preparing our response, which is quite comprehensive. To 
: the due date for the responses - this is not a subpoena or an 
: investigation, these are questions. Energy & Commerce Committee does 
: have oversight responsibilities for Homeland Security, so this is a 
: respectful request for information about a program they deem 
: for the health of the economy.


So MITRE / DHS talked to the same committee "last spring" after the DWF 
thing, and you think that recent letter is them "following up"?

1. No, not even close.
2. Not up to the committee to release it. MITRE can if they want. I 
   stress how true and important this is for the industry. If they 
   they know that we have to FOIA it. And MITRE knows I will do just 
   if I have to. Why make me wait for 1.5 years, the current going rate 
   for a FOIA request against DHS? If you weren't aware of that fact, 
   are now. So do the right thing... publish MITRE's response to the 
   Congressional letter quickly. If you don't, I have to assume you are 
   collectively hiding something.
3. Didn't say or suggest it was a subpoena or investigation. Curious you
   are proactively being defensive with those terms. But hey.. in this 
   political climate? Hell yeah you should. =)
4. E&CC doesn't have oversight? Sure! But if you think trying to imply 
   they don't have oversight in the current world of vulnerabilities, 
   especially on the back of *today's news* is some vindication / excuse / 
   whatever? Just no. Any government agency, committee, group, or 
   of janitors that takes interest in making CVE better? We should all 
   listen and work with them. Or do you want more hospitals to fall 
   to ransomware because they didn't patch a three-month old 
   vulnerability? And this is actually an incident that supports CVE! 
   vuln is in MITRE's database. When you are ready, we'll talk about 
   dozens of European companies popped via a SAP vulnerability that was 
   disclosed in 2012, and only added to CVE after the news articles 
   out saying they were popped on a 2 - 3 year old vulnerability. Baby 
   steps, I know, but this is how the real world is, outside of MITRE 
   CVE, which is basically academic.

Basically, all of you MITRE and DHS people need to quit being 
and start being industry teammates. We're here to make the industry 
better, help protect them, give them information they can use to 
protect their systems. That certainly doesn't come in the form of MITRE 
opening up a dozen OpenSSL IDs dating back to Sep 2016 last week. If 
think that is what this industry needs or deserves, you need to quietly 
step down and get the hell out of the CVE world. That is *criminal* and 
clear example, I hope, of why the E&CC is asking questions, "oversight" 
not. In the civil world, that is what they call "negligence".

In my book? Ethical and caring people don't really need oversight. They 
just need to ask the right questions in the right light.


Page Last Updated or Reviewed: May 15, 2017