
RE: cross-cutting topic / board transparency



On Thursday, May 11, 2017, Millar, Thomas wrote:

> This is the same committee we dealt with last spring after the DWF CVE
> story started making news; they are being diligent and following up on
> learning more about us, and MITRE, and the management of the CVE program.
>
> I believe MITRE's response has already been sent to the committee. It is
> now up to the committee to decide whether to release it publicly.
>
> DHS is also preparing our response, which is quite comprehensive.
>
> Regarding the due date for the response: this is not a subpoena or an
> investigation, these are questions. The Energy and Commerce Committee does
> not have oversight responsibility for DHS; this is a respectful request for
> information on items they consider important to the health of the economy.

Wait... so MITRE/DHS and the same committee dealt with the DWF thing "last spring", and you think the recent letter is them "following up"?

1. No, not even close.

2. Not up to the committee to release it. MITRE can if they want. I cannot stress how true and important this is for the industry. If they don't, they know that we have to FOIA it. And MITRE knows I will do just that if I have to. Why make me wait for 1.5 years, the current going rate for a FOIA request against DHS? If you weren't aware of that fact, you are now. So do the right thing... publish MITRE's response to the Congressional letter quickly. If you don't, I have to assume you are collectively hiding something.

3. Didn't say or suggest it was a subpoena or investigation. Curious that you are proactively being defensive with those terms. But hey... in this political climate? Hell yeah you should. =)

4. E&CC doesn't have oversight? Sure! But if you think trying to imply they don't have oversight in the current world of vulnerabilities, especially on the back of *today's news*, is some vindication / excuse / whatever? Just no. Any government agency, committee, group, or workshop of janitors that takes an interest in making CVE better? We should all listen and work with them. Or do you want more hospitals to fall victim to ransomware because they didn't patch a three-month-old vulnerability? And this is actually an incident that supports CVE! That vuln is in MITRE's database. When you are ready, we'll talk about the dozens of European companies popped via a SAP vulnerability that was disclosed in 2012, and only added to CVE after the news articles came out saying they were popped on a 2-3 year old vulnerability. Baby steps, I know, but this is how the real world is, outside of MITRE and CVE, which is basically academic.

Basically, all of you MITRE and DHS people need to quit being 'government' and start being industry teammates. We're here to make the industry better, help protect them, give them information they can use to actually protect their systems. That certainly doesn't come in the form of MITRE opening up a dozen OpenSSL IDs dating back to Sep 2016 last week. If you think that is what this industry needs or deserves, you need to quietly step down and get the hell out of the CVE world. That is *criminal* and a clear example, I hope, of why the E&CC is asking questions, "oversight" or not. In the civil world, that is what they call "negligence". In my book? Ethical and caring people don't really need oversight. They just need to ask the right questions in the right light.

.b

Page last updated or reviewed: May 15, 2017