On Fri, 19 Mar 2010, William Pitcock wrote:
On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
An ongoing area of work is to build better closed, trusted communities without leaks.
Have you ever considered that public transparency might not be a bad thing? This seems to be the plight of many security people, that they have to be 100% secretive in everything they do, which is total bullshit.
That's fine, in theory, but in practice it doesn't work. Part of the issue is that information that could be considered sensitive generally has to have a level of trust for both the sender(s) and receiver(s), and that level of trust is generally not possible in an open forum. By "level of trust" I mean that if I have sensitive intel about an ongoing incident (attack, pwnd box, etc) I need to have some assurance that the information gets to people who can and will act on it, and keep that information confidential. nsp-sec has worked to build that level of trust (in general, work pretty good success) through the vetting process that every potential participant goes through. Is it a perfect system? No, but it does serve a useful and important purpose. Many security people have to keep things quiet for the same reasons, in addition to (not an all-inclusive list): 1. They might be under NDA or be employed at a company that has a policy against any sort of "unapproved disclosures" 2. The sources of various bits of intel is confidential and releasing unfiltered information could compromise that source. 3. Releasing unfiltered information could compromised intel gathering methods, potentially rendering them useless for further action. "The likelihood that a secret will be kept goes down by the square of the number of people who know it" -- source unknown "The likelihood that a meeting will be productive goes down by the square of the number of people who attend" -- me jms