
Re: Current standards/criteria for 'Undefined Behavior'



On 13/05/17 12:28 AM, jericho wrote:
> On Fri, 12 May 2017, Landfield, Kent wrote:
> 
> : Can you let us know why you don't participate in the calls? Is it a time
> 
> Before I do that, can you give me a summary of the calls since they
> started, as far as the % of Board members that attend? What is the average
> or median for attendance? If you can't, you should probably stop to
> consider if these calls were a vehicle for MITRE to usurp control in some
> fashion. After all, they have randomly usurped control on so many other
> critical / industry-shocking changes, without our review. Remind me why we
> trust MITRE at this point? Stop considering them "your fellow admin", and
> start considering them as "APTderp". I think that might be a better
> analogy and more prudent.

Sorry, I'm having a hard time understanding how board calls, which the
entire board is invited to, which are held at a reasonable
time/availability, and which involve quite a lot of board members (e.g. myself
and Kent =) holding MITRE's feet to the fire, as it were, could be an attempt by
MITRE to usurp control (of uh.. something that they already control...
at least as I understand the DHS funding/MITRE/etc stuff).

> 
> : issue? If so we can work to try to find a better time that accommodates
> : more Board members.  I agree and have stated in the past that real
> 
> Given the current Board, and I am fairly sure we went through this for
> weeks... trying to find a time that works for EVERYONE is a lost cause.
> The current time was selected based on the "best we could do", no? I think
> we have some mails archived on this.

Yup, and to that end we have the board mailing list, minutes of the
calls, etc. It's like embargo release times, it's mostly a case of "what
is the least worst time".

> 
> : decisions need to be made on the Board list(s).  The Board calls
> : however, do give us a higher bandwidth opportunity to go more in-depth
> : on specific issues.  We need all to be there if possible and have had
> 
> They do. But until we have a true transcript of those calls, and the calls
> are treated as a "single email" in the context of the Board, it simply
> isn't fair. Decisions are effectively made on these calls without the
> consent of the board.

I personally wouldn't be comfortable with a word for word transcript of
the call as myself and quite a few others often speak off the cuff (and
say things in a way that might not be politic, or intelligent sounding,
but in summary seem rational).

> 
> : Can you enlighten us as to why you do not attend?
> 
> Sure! You can guess which is more important to me:

Well there you go, CVE is important enough to you for emails, but not
board calls. I, and I bet everyone on the board, am also busy. But we make
time for this stuff (hint: the board calls actually cross over into time
with my autistic son, but I make it work because my personal life and my
professional life are both important).


> 1. I am typically not available Thursday at ~ 1PM or whenever they were. I
> deleted my Calendar event because I was basically never available (best
> case, I was driving up I-70 through dead zones and the tunnels, which I
> spent a year working with a local T-Mobile managing engineer to resolve).
> I can also guarantee you, that the Europeans will never make that time
> unless they stay up VERY late, after a 14 hour day working, often fighting
> to understand horrible CVE assignments.
> 
> 2. We get a rough summary of the call, but not real detail. We get
> "minutes", great. That doesn't tell me "Kent was really worked up, and
> thought that $newidea was complete crap". It doesn't tell me that
> "$whoever objected quite a bit", or what was said to resolve it and
> ultimately make some "informed" decision.
> 
> 3. I have long had a serious disdain for InfoSec people who insisted on
> phone calls, after a few emails. In my personal experience, after too many
> years, they did it because they specifically did NOT want a record.
> Usually because they were trying to explain why they weren't a charlatan /
> fraud, and why you could clearly trust them as a human. [Disclaimer:
> remember, I was the primary person behind Attrition Errata.]
> 
> 4. Based on the above, security is about integrity. We're auditors. We
> like logs... records... a transcript of what transpired. Until I have
> that, and understand where a conclusion came from? I don't consider myself
> informed. Don't in turn expect me to make an informed vote on anything.

Or you could just hop on the call.

> 
> .b
> 

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: May 15, 2017