ttx's update on the SEO, information architecture, and technical documentation issue(s) described in my email "OpenStack Security Group", 23 Nov 2011, https://lists.launchpad.net/openstack/msg05646.html has made my day. With the holiday today in the US, and knowing that our US peers would likely need to provide coverage for them, I didn't expect momentum on this until sometime next week. Thank you, Thierry!
So with that ball accelerating thanks to Thierry's, and I'm sure others', hard work, I've turned my attention to exploring this emotive topic further -- again, once the external optics and high-level best practices look good to me, or more likely I understand the thinking behind the equally excellent OpenStack practices, I'll be trying to stay away from security -- I've already shortened my life too much from past experiences :-D

So looking at the actual Vulnerability Management team document, http://wiki.openstack.org/VulnerabilityManagement , I see the result of thoughtful, fantastic collaboration! I do have a couple of serious concerns:

A. As my former boss, as of this week, Matt Mullenweg [1] would so often remind us, "don't be so negative" -- he literally reminded my VIP Services sub-team of that last week -- it's natural when you are deep in the trenches. Instead use "Words that Work". [2] Every sentence in the first paragraph is dripping with negativity:
- "will not give prior notice to their employer"
- "not about getting advance notice"
- "reduce the disclosure of vulnerability in the early stages"
What I hear when I read that is that we have the most serious issues of professionalism among us -- crazy, embarrassing issues! That I've just jumped into a nest of vipers -- Josh and Chris didn't say anything about my impending death when they got me to join! Thankfully, I very much doubt this is the reality! -- it wasn't at the meetup I was at last night. So is there a non-negative way of articulating this *once*?

A.2 If somehow this language reflects demonstrated reality, we need to get the relevant parties *physically* in a room this week, and deal with this! Let's also remember that the most likely "original reporter" is one of us relevant parties.

B. Maximum of 3 people. This may have caused my heart to skip a beat. Is there a reference implementation of this? Whose successes are we emulating?
Having spent two years on Mozilla's private security list in a former life, and five years being party to every WordPress security issue [3], only three people is madness. Mozilla's private security list was (I assume it still is) open to membership by anyone who demonstrated value and professionalism. I consider Daniel Veditz's [4] Mozilla security team a model security citizen, and consistent and very successful for at least the eight years I've been paying attention. [5]

B.2 But let's assume that there is some real reason to hard-code the membership count. Five years working with Automattic's Technical Operations Lead Barry Abrahamson [5] -- the best in the business -- has impressed upon me, through his leadership and actions, that in some cases it can take only a few hours of lack of communication to turn a grey hat [6] into a bad actor. So let's assume all three members are available at the time the report comes in: one person owns communication and collaboration with the reporter, and we hope that both of the other two [7] have the expertise in the vector area to rapidly assess the impact and pervasiveness, and now you've lost another person, who works on IMing, emailing and phoning the area experts; one is the loneliest number. I don't want to give anyone my nightmares, but it is seasonal; let's not forget that a sophisticated black hat is most likely to launch an attack during a holiday, or when he knows another crisis is being dealt with. You think only having three people gives favorable odds that they are going to be available to respond to the first vendor who is investigating this with their panicked business-on-the-line customer? Even ignoring that, do three people alone have the stamina to investigate and deal with *all* the false reports? ;-)

Sorry if I'm a little worked up here. Too many exclamation marks, right? I'm just so excited to be working with you guys and gals, and want us all to really shine.
Once again, I'm very impressed with the Vulnerability Management document, and once these issues are addressed, we'll be crushing it! If I should be discussing this elsewhere, or you want additional context or thoughts, please let me know.

Hope that helps,

Lloyd

--
1. http://en.wikipedia.org/wiki/Matt_Mullenweg
2. The best training material ;-) on this, as recommended by Matt, and which I thoroughly agree with, is Frank I. Luntz, "Words That Work: It's Not What You Say, It's What People Hear"
3. WordPress security issues are popular with the press ;-)
4. You may know Daniel Veditz as dveditz
5. http://barry.wordpress.com/about/
6. People just want to be taken seriously ;-)
7. It takes two to argue over code, three to ;-)

_______________________________________________
Mailing list: https://launchpad.net/~openstack

