Good morning, Lausanne! Today, first day of workshop "Ethical dilemmas in strategical and operational cybersecurity at State level".

Presentation of the project One thing is certain: we don't lack research projects in cybersecurity and policy.

Best domain name for the next speaker :

Melanie Rieback on ethics in . "We are a social company." "You probably like open source, sorry free software"

Among the clients of Radically Open Security: NGOs and other activists because they have a scary threat model but no budget, so cannot go to the commercial security companies.

Now, demo of the quotation workflow. PDF are generated with Saxon+XSLT+FO, driven by a bot. Customers of the company are in the same channel as the pentest team, the customer can "peek over the shoulder". No more black magic.

"90 % of the problems of the Internet are created by Silicon Valley companies. Do not try to copy the Silicon Valley." (I send a copy to the french governement)

Great talk by Melanie Rieback at


"Companies should not try to grow forever. They should be like trees: grow fast, then produce seeds. Eternal growth is cancer."

Now Reto Inversini and Andreas Greulich talk about "Ethical and legal problems during operations against APT groups"

"There is no swiss Internet or Google Internet. There is one Internet, and it is a common good."

"Is reverse-engineering the code of a malware a violation of intellectual property?" (All malware should be free software, anyway.)

Long discussion about trust in information sharing in cybersecurity (a very old and mostly unsolved problem). "How do you know who the friendly guy who drinks a beer with you really is?"

Now, discussion about ethics in incident response at . Should we share information with parties that may react in a wrong way? (Example given: Israel making "kinetics responses" - euphemism for "missiles" - to suspected computer crackers.)

Tomi Tuominen about how he managed to open twenty millions of hotel doors.

Of course, the company downplayed the issue, said "we fixed it" but it was still broken.

During meetings, there was even an employee of the company insulting the security researchers that discovered the vulnerability.

Interesting ethical issue: when the security researchers fly a plane to a meeting with the vendor, to expose details on the vulnerability, who should pay?

In many hotels, the door security system is unmaintained. Installed "fire and forget" and that's all. Hard to patch.

"I think legislation [on vulnerability disclosures] is unavoidable."

"I'm a lawyer, so I agree, more legislation is always good."

"It's better to do nothing at all, rather than developing non-free software.

At least, when you do nothing, you do no harm."

One hour, but rms still did not start talking about his subject (cyberpeace)...

"A system that does not accept payments with GNU Taler is untalerable." at its best...

@PirBoazo Parfait, merci beaucoup, et ce sera en ligne « bientôt ».

@gub He also asked to disable geolocation but Mastodon strips that from pictures, anyway.

Supprimer la localisation.....

Il a pris des vacances en Suisse 🤗

@PirBoazo J'ai l'impression qu'il habite en Suisse romande. Il a fait combien de conf' en moins de 3 mois entre Genève et Lausanne ? @bortzmeyer

@PirBoazo @im Il a peut-être des clones pour l'aider ? Avec la médecine moderne, tout est possible.

Non non je confirme c'est pas un hologramme.
En chair et en os comme @bortzmeyer

Je les ai vu 🤓


@bortzmeyer @PirBoazo Faut-il encore que le procédé soit publié en GPLv3.

@bortzmeyer C'est bien normal, avant d'être découverte, la vulnérabilité n'existait pas. Comme le Nouveau Monde, m'enfin …

@im Ou alors, c'est comme le chat de Schrödinger, elle existait et elle n'existait pas ?

Inscrivez-vous pour prendre part à la conversation
Mastodon - Gougère Network

Mastodon est un réseau social utilisant des protocoles Web ouverts et des logiciels libres. Tout comme le courriel, il est décentralisé.