Guys, this will be my last post, for reasons that I hope are clear. If anyone wants to discuss phishing, let me know. I'm hopeful a specialist list for cross-fertilisation of phishing efforts will pop up soon.
On Saturday 25 June 2005 23:07, Gervase Markham wrote:
> Ian Grigg wrote:
> > On the notion of common and consistent security
> > UI policy - how is that any different to "follow the
> > leader" ? It's synonymous as far as I can see it.
>
> <sigh>
>
> The implication of the phrase "follow the leader" is that we are just
> doing what others are doing simply because they are doing it.

The reality is, if Mozilla has decided on a "common and consistent security UI policy" then that requires MS to agree. If they don't agree then you don't have it; if they do agree then you have it. In short, whatever they say is it. That's just commercial reality.

> This is
> clearly not the case - in partnership with the other browser vendors, we
> are together working out the most appropriate UI and then all
> implementing it.

This is news. Are you intending to announce this or does it remain "embargoed"? What is "clear" about it? Who's "in" and who's "out"?

> If anything (given that I wrote the proposal) _we_ are
> the leader.

Is it documented anywhere that this proposal be accepted? By whom? Who's put it down on paper that they are accepting this proposal? What has "staff" said about this?

> Do you *oppose* a common and consistent security UI? If not, why am I
> wasting my time typing this? I apologise for being short with you, but
> this newsgroup has a great enough volume already without me having to
> write things which are unnecessary.

You (mozilla, you, everyone within) are not playing fair. There were a bunch of people trying to help. Everything they've proposed has been knocked back or ridiculed or blocked. Everything they've asked to help with has been shunted to the left, to the right or wherever. Now it transpires that a new policy is emerging, one which has emerged in a secret or private process to which these people - regardless of their efforts or time or their applicability to the community or their credentials - were decidedly not invited.
Let's put this into the wider perspective of how you're not dealing fair and that will answer the question for everyone.

1. This new policy - is it approved? Recall how Frank Hecker went to extreme lengths to create and formulate a policy and debate it in the open with (noisy) outsiders and insiders. And then presented it to "staff" for approval. The word there was "Leadership." Has this been done with the policy for "a common and consistent security UI?" Are "staff" even aware that Mozilla may be outsourcing their security UI to Microsoft?

2. This policy seems to have arisen alongside or from a closed meeting of a month or so ago. Duane (representing a CA of 2000 members) didn't get invited to the closed meeting of CAs and browser manufacturers. No minutes, no agenda, no published results. There is only one word for that - "compromised."

3. It turns out that something happened at that meeting - a month ago? - and this might have resulted in a new policy to do with security. So here we are suggesting stuff about security that happens to be antithetical towards this new secretly evolving policy, and having to drag it out of you so we can finally work out why everything that is tried in the hopefully open forum is being rejected. I'd say the word here is "woftam", thanks very much.

4. When I suggested there wasn't a security process, you all rose up and said of course there is ... and it's "here" or "there" or wherever. But as soon as we went there, it disappeared. This is a 100% screamingly important "staff" issue and my impression is that "staff" still doesn't even know it has an issue. Which is just an astounding statement to make in a society where we are flooded with news on this issue.

5. Tyler Close asked to join the security team and got ignored. That's the procedure that is published and after some hectoring someone on this group said that's what he should do - ask.
I chimed in and presented some "credentials" for the people here because the team page specifically mentioned it, and that was ignored too (to put a polite face on it). You wanted coders, and code is there - it's in the plugins that these guys knocked up, but still not good enough. So it's a closed shop, right? We don't want any trouble makers in our security team, so we'll just not help anyone join. You're not even playing by your own rules. The word for that is "bureaucracy."

6. When Amir Herzberg drops his normal politeness briefly and points out that the "common and consistent security UI" clearly and blatantly contradicts the Mozilla mission of "preserve choice and innovation" you manage to take umbrage at his phrasing and thus ignore the central issue he was raising. That is called "evasion" and has its place in politics, not security work.

7. There is no security process, but there are a lot of troublemakers making noise about stuff that is simply not understandable and not appreciated. So, it's better off that those noise makers are constrained here on this group - right? That's what you mean by "this newsgroup has a great enough volume already" isn't it? Don't worry, it's not just you. Heikki said the exact same thing when he said "it's not a 'staff' issue, it's a mozilla-security issue" when he discovered we were serious about finding the security process.

It's pretty clear that Mozilla is bureaucratised and is running a closed shop for security. Groupthink has taken root, and now the independence has been neutralised as you've realised you can't actually do this thing alone. There is little to be done about it, from the outside, and the only effect my opinion or anyone else's opinion on "a common and consistent security UI" is likely to have is the embarrassment of a forced answer in a public maillist. It's also pretty clear that this newsgroup is indeed irrelevant to the issues at hand, being on the "outside".
Frank's work in open security was an anomaly, and I wouldn't be surprised if there were strong opinions to not make that mistake again.

Amir has mentioned that it would be a good idea to set up a maillist for this issue. Let's pursue that.

I am sorry that we all wasted each other's time for so long. So long and thanks for all the fish :-)

iang

--
Advances in Financial Cryptography, Issue 1:
https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
