* on the Tue, Nov 14, 2017 at 09:41:29PM -0800, Bill Woodcock wrote:
> The work has been divided into two working-groups: one is addressing 
> the question of what a norm should say (i.e. “Governments shouldn’t 
> cyber-attack X”).  

It's much simpler than that. The difference between black hats and 
white hats is only one: White hats publish. 

Because the victims of vulnerabilities exploited will be everyone,
maybe with the exception of your specific organization. If your
spy-agency hoards vulnerabilities, the victims will be your own 
police, army, hospitals, power plants and citizens. Plus everyone
else. And that's not how you spell "security". It's not even how
you do "national security", it's actually "endangering national 
security" -- and your own outfits are doing it. 

Therefore, the only right thing to do is to compel everyone to
publish security vulnerabilities, and ostracize everyone who 
hoards them.

"Those who give up essential liberties for temporary safety deserve 
neither liberty nor safety." -- Benjamin Franklin
"It's also true that those who would give up privacy for security are 
likely to end up with neither." -- Bruce Schneier

swinog mailing list
