Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Eliot Lear <> Sun, 14 July 2019 10:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5BCB5120112 for <>; Sun, 14 Jul 2019 03:56:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EwFRcVgu7Ov3 for <>; Sun, 14 Jul 2019 03:56:46 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5DAC21200F4 for <>; Sun, 14 Jul 2019 03:56:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2181; q=dns/txt; s=iport; t=1563101806; x=1564311406; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=Qy1uNuJ0VvrA5kYXKO0E1/I7mAElyaXZI+K4WsehfYU=; b=j3zGCYMN7aWqiFsRMkArsY/a5Gxc0afmOfTGqh8kxajC+jVco6BtgZXn vZeulXzott3XjSH7pmeG/G/kD9m+kGQR0mb+CWfvTzD1tH6s+ONxHMuvC 8dlqMjTiVMY0RIASxfgkFJ4GbikUfjIX3bASKApCs0kCgPre7d5V/I1tt c=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AFAAC3CStd/xbLJq1mGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBVAMBAQEBAQsBgWeBagEgEiiEHIh7i1IlmH2BewIHAQE?= =?us-ascii?q?BCQMBAS8BAYFLgnUCgnk1CA4BAwEBBAEBAgEFbYVIhUsBAgIBI1QCBQsLQgI?= =?us-ascii?q?CVwYTgyIBgXsPqgyBMoVHhGYQgTQBgVCHRYJggX+BOAwTgh4uPodOMoImBIh?= =?us-ascii?q?2i3uVcgmCG4IfgQyMHYREG403ilOheoMLAgQGBQIVgVEBNj6BGjMaCBsVZQG?= =?us-ascii?q?BWWg+gg8XFI4PPQMwkGkBAQ?=
X-IronPort-AV: E=Sophos;i="5.63,490,1557187200"; d="asc'?scan'208";a="14227259"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Jul 2019 10:56:44 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id x6EAuhD6004843 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 14 Jul 2019 10:56:44 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_6D0BD5DA-9587-42B6-9D45-CDA79154C6FD"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sun, 14 Jul 2019 12:56:42 +0200
In-Reply-To: <>
To: Melinda Shore <>
References: <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client:, []
Archived-At: <>
Subject: Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 Jul 2019 10:56:49 -0000

Hi Melinda,

>  We
> typically deal with wireline protocols and their support
> structures, and I'm hoping that as the discussions progress
> people can be clear about what they'd like to see from the

I think you’re primarily referring to leaky user databases here.  I agree with you that we cannot fix organizations’ bad internal code with a wireline protocol.  However, to exploit the vulnerability, the attack had to come from somewhere.  We already have one mechanism to address profiling with IoT that manufacturers can use to keep their systems from being exploited as BoTs.  The next question is whether we should be promoting or improving other mechanisms to provide people at home and elsewhere more visibility in terms of what their general purpose computing devices are doing.  I’m thinking of PCP in particular.  And while there may be more we can do, there may also be some limitations relating not only to privacy but also economics of web services.

What I like about Dominique’s draft is that it gets us thinking in those directions (or at least it did me).

> I do think that some of this may be appropriate for opsec,
> as well, or at least should be called to their attention.

Or an RG or a side meeting.  It would be fun to continue the discussion.


> Melinda
> --
> Melinda Shore
> Software longa, hardware brevis