Re: Current standards/criteria for 'Undefined Behavior'
On Fri, 12 May 2017, Landfield, Kent wrote:
: Can you let us know why you don't participate in the calls? Is it a time
Before I do that, can you give me a summary of the calls since they started, as far as the % of Board members that attend? What is the average or medium for attendance? If you can't, you should probably stop to consider if these calls were a vehicle for MITRE to usurp control in some fashion. After all, they have randomly usurped control on so many other critical / industry-shocking changes, without our review. Remind me why we trust MITRE at this point? Stop considering them "your fellow admin", and start considering them as "APTderp". I think that might be a better analogy and more prudent.
: issue? If so we can work to try to find a better time that accommodates
: more Board members. I agree and have stated in the past that real
Given the current Board, and I am fairly sure we went through this for weeks... trying to find a time that works for EVERYONE is a lost cause. The current time was selected based on the "best we could do", no? I think we have some mails archived on this.
: decisions need to be made on the Board list(s). The Board calls
: however, do give us a higher bandwidth opportunity to go more in-depth
: on specific issues. We need all to be there if possible and have had
They do. But until we have a true transcript of those calls, and the calls are treated as a "single email" in the context of the Board, it simply isn't fair. Decisions are effectively made on these calls without the consent of the board.
: Can you enlighten us as to why you do not attend?
Sure! You can guess which is more important to me:
1. I am typically not available Thursday at ~ 1PM or whenever they were. I deleted my Calendar event because I was basically never available (best case, I was driving up I-70 through dead zones and the tunnels, which I spent a year working with a local T-Mobile managing engineer to resolve). I can also guarantee you that the Europeans will never make that time unless they stay up VERY late, after a 14 hour day working, often fighting to understand horrible CVE assignments.
2. We get a rough summary of the call, but not real detail. We get "minutes", great. That doesn't tell me "Kent was really worked up, and thought that $newidea was complete crap". It doesn't tell me that "$whoever objected quite a bit", or what was said to resolve it and ultimately make some "informed" decision.
3. I have long had a serious disdain for InfoSec people who insisted on phone calls, after a few emails. In my personal experience, after too many years, they did it because they specifically did NOT want a record. Usually because they were trying to explain why they weren't a charlatan / fraud, and why you could clearly trust them as a human. [Disclaimer: remember, I was the primary person behind Attrition Errata.]
4. Based on the above, security is about integrity. We're auditors. We like logs... records... a transcript of what transpired. Until I have that, and understand where a conclusion came from? I don't consider myself informed. Don't in turn expect me to make an informed vote on anything.
.b