Good morning, Lausanne! Today, first day of workshop "Ethical dilemmas in strategical and operational cybersecurity at State level".

Presentation of the project One thing is certain: we don't lack research projects in cybersecurity and policy.

Best domain name for the next speaker :

Melanie Rieback on ethics in . "We are a social company." "You probably like open source, sorry free software"

Among the clients of Radically Open Security: NGOs and other activists because they have a scary threat model but no budget, so cannot go to the commercial security companies.

Now, demo of the quotation workflow. PDF are generated with Saxon+XSLT+FO, driven by a bot. Customers of the company are in the same channel as the pentest team, the customer can "peek over the shoulder". No more black magic.

"90 % of the problems of the Internet are created by Silicon Valley companies. Do not try to copy the Silicon Valley." (I send a copy to the french governement)

Great talk by Melanie Rieback at

"Companies should not try to grow forever. They should be like trees: grow fast, then produce seeds. Eternal growth is cancer."

Now Reto Inversini and Andreas Greulich talk about "Ethical and legal problems during operations against APT groups"

"There is no swiss Internet or Google Internet. There is one Internet, and it is a common good."

Long discussion about trust in information sharing in cybersecurity (a very old and mostly unsolved problem). "How do you know who the friendly guy who drinks a beer with you really is?"

Now, discussion about ethics in incident response at . Should we share information with parties that may react in a wrong way? (Example given: Israel making "kinetics responses" - euphemism for "missiles" - to suspected computer crackers.)

Tomi Tuominen about how he managed to open twenty millions of hotel doors.

Of course, the company downplayed the issue, said "we fixed it" but it was still broken.

During meetings, there was even an employee of the company insulting the security researchers that discovered the vulnerability.

Interesting ethical issue: when the security researchers fly a plane to a meeting with the vendor, to expose details on the vulnerability, who should pay?

In many hotels, the door security system is unmaintained. Installed "fire and forget" and that's all. Hard to patch.

"I think legislation [on vulnerability disclosures] is unavoidable."

"I'm a lawyer, so I agree, more legislation is always good."

Richard Stallman on stage at "Cyberpeace requires free software"

"It's better to do nothing at all, rather than developing non-free software.

At least, when you do nothing, you do no harm."

One hour, but rms still did not start talking about his subject (cyberpeace)...


"A system that does not accept payments with GNU Taler is untalerable." at its best...

· Web · 0 · 4 · 3
Inscrivez-vous pour prendre part à la conversation
Mastodon - Gougère Network

Vive les gougères ! mnt-by: @yapret @papaeng89