NSP-SEC
- Subject: NSP-SEC
- From: ge at linuxbox.org (Gadi Evron)
- Date: Sat, 20 Mar 2010 22:12:40 +0200
- In-reply-to: <1269110278.1220.147.camel@petrie>
- References: <[email protected]> <20100319083143.553b0111@t61p> <1269006269.1220.135.camel@petrie> <[email protected]> <1269110278.1220.147.camel@petrie>
On 3/20/10 8:37 PM, William Pitcock wrote:
> That is not what I mean and you know it.
What do you mean then? Hank made a good point on the type of traffic
normally going through these groups.
> What I mean is: why can't anyone contribute valuable information to the
> security community? It is next to impossible to meet so-called 'trusted
> people' if you're new to the game, which is counter-productive.
Well, that's not transparency at all. That's about being able to get
connected, and be trusted. That's called a process.
Now, I've been preaching public engagement for years now, and indeed
also made several attempts in this regard -- some very successful,
others failed miserably.
There are three suggestions I can make:
1. Join the open mailing lists and show your usefulness. Places where a
lot of us hang out (depending on communities): NANOG, funsec.
2. Show you are responsive and responsible in handling issues in your
own back yard.
3. Go to conferences and drink beer with people.
> If you're a 15 year old kid and you just discovered a way to own the
> latest IOS, for example, how do you know who to tell about it?
That's a completely different question yet again, on vulnerability
disclosure. In this particular case, try Cisco PSIRT.
I recently wrote a post on how to handle the PR aspects of vulnerability
disclosure, but it covers the basics in the first few paragraphs and I
think it will clear the subject for you.
http://www.darkreading.com/blog/archives/2009/12/security_pr_str.html
Gadi.
>
> William
>
>
--
Gadi Evron,
ge at linuxbox.org.
Blog: http://gevron.livejournal.com/