--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
--- Begin Message ---
Gervase Markham wrote:
> Ian G wrote:
>> Governance is possibly offtopic for this list ... but could
>> you please explain how we know that Mozo receives no money
>> from any CAs, etc?
>
> a) Because I'm telling you so, and I don't lie. I'm a Christian.
OK! Well, I don't want to insult you or your religion, and
I don't know an easy way to break this to you, but your
claim is not helpful, not in a governance or auditing context.
You did not seem to address the other question, to wit "How
do you know?". This suggests that you typically deal with
difficult questions with outrage, which happens to be a
great weapon in the fight for fraud, not against.
(Actually, if an auditor were paid, he would very nicely
introduce this dilemma to their customer.)
> b) See below.
>
>> Try this checklist:
>>
>> * published accounts?
>> * audited accounts?
>
> Both available at http://www.mozilla.org/foundation/documents/ up until
> 2005. When the ones for 2006 appear, you will see no entries for the CAs.
Nope, I didn't find them in 2005. You are right.
Does that show it? No, of course not. It's unprovable, as
it's "secret": if it exists then it's not meant to be found.
There of course will never be a line item that says "we
did not receive any payments from CAs" because in general,
Mozo is not reporting on, auditing, or even listing
potential *conflicts of interest* in those documents.
So we won't see them in 2006, either.
But that aside, I am somewhat encouraged by these posted
papers. There remain some serious gaping holes there in
governance terms, but I am very encouraged by the good start.
>> * statement of principles?
>
> http://groups.google.com/group/mozilla.governance/browse_thread/thread/b51e5017713e519d/2549ce81d93394c1#2549ce81d93394c1
That's a great post by Mitchell and I am very encouraged by
it. I copied it on my blog and have started a critique.
https://financialcryptography.com/mt/archives/000858.html
For everybody else, read it. It is a draft, it isn't yet a
statement of principles. Mitchell at least is asking
everyone to comment on it. It is a work-in-progress, after
having been written internally over what must have been an
extended period of time.
It was just posted this Wednesday, there is likely now an
extended period to comment.
>> * identified responsible parties?
>
> Board of Directors:
> http://www.mozilla.org/foundation/
Thanks! Who governs them? Where are the minutes?
>> * filings with government?
>
> http://www.mozilla.org/foundation/documents/ again.
Excellent! A great start.
The next issue that we face is that while the posted papers
for a non-profit force you to define a mission, they are not
that useful for verifying your mission.
E.g., IRS is simply interested in whether Mozo maintains its
status, and as long as it doesn't stray too far in financial
terms, it will be fine. Due to what seems like fine advice,
the Mozo Corp seems to have solved that tax issue for the
time being.
And, as we know, the *financial auditor* is simply checking
the *financial statements*. E.g., if one of the "service
partners" happens to be Verisign, would he care? If one of
them was the $10m "special fee" for implementing the back
door covered by National Security Letter, why would an
auditor care about that?
So who governs Mozo? Who turns up at the AGM and says "I am
heartily sick of this deception and I want a new board?"
Here's another checklist, simply to clarify what we would
look for in the next steps.
* identification of the stakeholders
* scrutiny by stakeholders
* forum for stakeholders
* measurement of objectives by stakeholders
* actions taken by stakeholders
* compliance with wishes of stakeholders
* ...
> Care to take back some of your assertions about secret governance? :-)
No. You know how an audit progresses, by now: It's never
good enough :-) All we've done so far is established that
the compulsory things have been done, and some ideas have
taken root.
Show me in the principles where it says "we will make
available the details and scope of 'google deals' so that
you the users can have your say. Before we sign your data
away."
Or any serious discussion of that?
One way to save an organisation from itself is to govern it
such that we scrutinise its decisions. Mozilla is
infamously difficult to scrutinise in decision making terms,
at least in my experience of their security processes.
E.g., none of the debate on EV has been in the open, up
until Zak recently decided to create the master bug #367441.
https://bugzilla.mozilla.org/show_bug.cgi?id=367441
EV is directed at phishing and has therefore an important
impact on users, yet Mozilla's *external* discussions have
been one of selling it, not asking users what they think.
Why? Some people spend all their time on their patch and
ignore others. Others spend far too much time pushing a
particular point of view, and not seeking out alternates.
(Those people are sellers, snake oil salesmen at worst, and
"sold victims" of snake oil salesmen at best.) When an
organisation is full of these, then trouble is not far
behind, because these people don't like change, for
different reasons. They simply adopt a defensive attitude
to outsiders and to change.
Which makes it very difficult to deal with serious systemic
issues, as typified by EV. Which was perhaps why it was
intimated in that recent blog post that Mozo has now got
people "thinking about stuff":
http://weblogs.mozillazine.org/mitchell/archives/2007/01/the_mozilla_foundation_achievi.html
Another way to deal with crazy decisions is to put limits on
their actions. Governance limits. As Mozilla has no
shareholder-body to govern it, and as Mozilla has only
verbal intentions of listening to users and others,
reflecting its weak and confused understanding of
stakeholders, it's a matter of concern as to how Mozilla
gets itself out of a real bind.
Mozo has nobody to tell it when it's off the rails.
Doesn't that worry you? It worries the heck out of me.
I'll bet it worries the living daylights out of Mitchell and
the other board members, who are on the hook for 53 million,
with no help but a bunch of geeks running around selling
software. And that's already 2 years ago...
iang
_______________________________________________
Anti-fraud mailing list Anti-fraud@lists.cacert.org
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud
http://wiki.cacert.org/wiki/AntiFraudCoffeeRoom
--- End Message ---
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security