Thursday, July 31, 2014

A Note About Policy

This is one of those posts that I have to throw out there in order to link back to it later, so people can track how it evolves, and point out mistakes. I am fine with that, BTW. That's how we learn, and we certainly need to do a lot of that. This is version 1.0. It will evolve. I should probably put it on github or something.

What I had been meaning to write about was linking policy. This is a branch point--what is really annoying me most recently is disclosure. More on that shortly.


Some sites just don't get a link, period, for reasons that seem good to me. Some (not all) of the features of those sites include, in no particular order:

  • Excessive politics, propaganda, or marketing. This includes propagating information that is widely known to be disingenuous, that is composed of marketing-speak, or similar bullshit. I don't have time for that, and I am going to go out on a limb here and assume that you don't either.
  • Rapid URL rot. Sites that can't create stable links usually have other problems as well.
  • Sites that seem to promote intentionally adversarial discussions. There is enough heat and noise already. If advertising has to be the chosen business model of the Internet, there really should be a better mechanism for selecting which ads are allowed. Notice how many sites trash some vendor's product while the page is splattered with ads from that very vendor.


Some vendors have a long history of security fubars. Many vendors (even vendors that are all the rage, these days) talk about Responsible Disclosure. I have problems with that.
  • Who is a vendor? For-profit, non-profit, the admin of some random listserv?
  • Vendors, by whatever definition, tend to take the path of least effort. It's human nature, but it does not serve the end user particularly well.
  • 'Responsible disclosure', as terminology, skews the discussion in the vendor's favor. It gives them an opportunity, which they have historically taken advantage of, to stifle publication of problems. The argument is that publication would put users at risk. The flip side is that users are at risk anyway--they just don't know it.
  • Vendors have long delivered software (and firmware) which does not pass the most rudimentary sanity check vis-a-vis security. Those who report problems, and are still sometimes attacked for it, are justified in questioning how patently irresponsible vendors can claim a lack of responsibility on the part of those who form what is essentially a distributed QA system. QA which the vendor should have done.


  • The costs of that distributed QA system.
  • 'Vendor' is probably a bad term--what about providers of free (as in beer) software or services?
