Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 24 Jun 2023 11:23:18 +0000
From: cbf0001@...ton.me
To: oss-security@...ts.openwall.com
Subject: Re: Opinion: Governments don't want IT security, they want to have cyber weapons

I agree with Solar and David, please stop lowering the bar with content that is not relevant to the distro subscribers.

Warm regards,
Cbf Primmo

On Fri, Jun 23, 2023 at 21:37, David A. Wheeler <[dwheeler@...eeler.com](mailto:On Fri, Jun 23, 2023 at 21:37, David A. Wheeler <<a href=)> wrote:

>> On Jun 23, 2023, at 6:28 AM, Solar Designer <solar@...nwall.com> wrote:
>> I actually think we should be rejecting postings like this. I accepted
>> this one as an example. By "postings like this" I mean rants without
>> proposed solutions, not helpful for this community (and where replies
>> are unlikely to be helpful either), and/or lacking focus on Open Source.
>> I think in this case it's all 3 of these.
>
> I agree with you. I'd prefer if this (and ALL mailing lists) tried to stay on-topic. Currently that's
> "Discussion of security flaws, concepts, and practices in the Open Source community".
>
>> I think the recent thread
>> "The AI chatgpt writes insecure code" was of similarly questionable
>> value for this list's subscribers.
>
> I think the *first* post that "AI systems (including LLMs)
> often generate insecure code" was plausibly on-topic.
> Now that it's happened, we don't need any more such posts.
>
> If someone has a solution, with evidence that it *works* and can be used in OSS,
> that would be relevant (and possibly interesting).
>
> Regarding your comment:
>
>> I think most governments do want IT security. Some also want "cyber
>> weapons", which is partially contradictory, but that's how it is:
>> https://en.wikipedia.org/wiki/NOBUS
>
> Since we're on this topic, my understanding of US policy (at least at one time) was that
> it's considered a trade-off, so what will be done is decided on a case-by-case basis by the "VEP process":
> "The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."
> https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF
> That's a little old, and I don't know if the policy has been changed, but that's an official page from the US archives.
>
> I have opinions about this policy, generally negative, but I think that discussion is outside the scope of this mailing list so I'l stop there.
>
> So having discussed this, I look forward to more messages focused on the topics of this mailing list :-).
>
> --- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.