How would you cope in such a situation? Would you be able to write ZIPs that you personally disagree with?
This is very binary thinking. Issues are seldom agree/disagree and there is a whole spectrum of options, incentives and trade-offs to consider. I would presume you wrote ZIPs that presented imperfect options/incentives/trade-offs that you could otherwise learn to live with; that’s very different from writing ZIPs you fundamentally disagree with.
If you did indeed put forward proposals to the community that you were morally against…I can’t empathize with that psyche.
To what level do you understand the inclusion of your industry standards, such as vendor response, in contract documents?
In my time I’ve drafted, reviewed and signed many formal security engagement contracts, in addition to managing security engagements. Both as an employee of large organizations and as a freelancer. Both as a customer and as a security engineer.
For the record, I have never said you should not be a security researcher, and 30111 does cover researcher disclosure. The ISO is to stop vendors sending independent researchers to prison. The ISO is the cert.org link I previously posted.
Let’s be real, you implied it “I do not understand how anyone could have managed to get a security contract…” blah blah blah…
That link (and your post) explicitly states that the document is an adaptation, not the standard. Feel free to post a full copy of the actual, proprietary standard if you want to make an argument about me violating it. I still don’t understand how you think I violated this “standard”, especially given your stated understanding that the ISO exists to prevent the criminalization of independent researchers; every action I took under this disclosure was legally protected. Very confused about your entire stance on this now.
In light of your controversial revelations, how would you go about repairing any potential rift with the community so you can engage and represent them more effectively?
Nice framing. Controversy and rifts are a sign of a healthy, functioning democracy. I will also take this point to note that while much has been made of my “irresponsible disclosure”, “irresponsible development” has been left on the side lines of this thread. I happen to believe the two have the same solution - the MGRC funding access to security expertise across the phases of development.
That is an actual (and based on the discussion in this thread, popular) MGRC policy that I have put forward to resolve this very conflict (prior to the actual conflict).
Instead of discussing the nuances of this (or any) policy, the discussion has turned the long-standing, highly contentious debate on disclosure ethics in infosec into a very personal one.
- I’ve been labelled “toxic” in a post liked by multiple other MGRC candidates, regarding my actions to reduce the impact of an incredibly likely MITM targeting Zcash users, a vulnerability which has yet to be investigated in any capacity.
- Many of those candidates have also liked a post that contained an outright, demonstrable lie regarding my conduct, which has yet to be removed.
- My inbox has become a dumping ground for people I’ve never met, or otherwise interacted with, creepily wanting to talk with me 1:1 “to help me be more professional”.
I would like to say that this was unexpected, but it was all sadly very predictable. When I was first asked (back in April) by a prominent Zcash community member to consider running for the MGRC I responded with “probably not” citing the following:
More fundamentally, as much as I love the technology and want more people to adopt it, I’m still questioning to what extent I want to continue to involve myself at all within the wider zcash ecosystem.
Recent experiences have left me exhausted and frustrated with the amount of effort I have had to invest not only in demonstrating the value of even minimal privacy engineering in ecosystem projects but the extent to which I’ve had to continually defend my expertise, judgment and ethics to core
Finally, above and beyond personal frustrations, given the political nature of the position, and with internet politics (/cryptocurrency politics) in particular being what it is, I have to consider to what extent the evidenced community biases may amplify and possibly exacerbate existing safety concerns that I have.
After I sent that email I thought about it a lot more over the following 2 weeks, as the initial deadline approached, before coming to the conclusion that I respected the engineers and scientists involved with the Zcash Foundation and ECC enough that it was worth trying to make the ecosystem better. It has been disappointing to see many of those initial predictions and concerns play out.
I put forward my candidacy for two main reasons:
1. Existing Zcash ecosystem grants were producing unsafe software that was being advertised as usable by both ECC and the Zcash Foundation and that was putting people directly at risk.
2. I had heard from several Zcash community members that they appreciated my public criticisms of this practice and the vulnerabilities I had discovered in the resulting software.
Only (2) appears (based on this thread) to have changed in recent months.
The election is, of course, the only way to really understand if this thread represents a concrete change or has simply become a magnet for a certain kind of discussion.
For better or for worse, we will know in less than a month to what extent these policies and behaviors resonate with the Zcash community. Regardless of the outcome, I do hope whatever MGRC emerges subverts current expectations, takes these policies seriously and takes action to improve the actual safety of the ecosystem and the people in it.
I am, of course, left to consider to what extent I can be effective on an MGRC made up of members who have participated in the above.
I have some faith left that the wider community, not represented in this thread, has the wisdom to see my career and my contributions, understand my motivations and actions, and will see that, if elected, I will continue to be critical of policies and approaches I find wanting. I won’t compromise where compromising means taking or endorsing actions I find reprehensible. I will take a stand for the community members who believe that the Zcash ecosystem needs to take a proactive approach to privacy and security, up to and including making grants dependent on projects adopting secure development practices, like vulnerability postmortems and security reviews prior to big releases.
To those community members, I will say: If you want a strong, critical voice on the committee, a voice that will fight to make the ecosystem as secure and private as it currently (arguably fraudulently) markets itself as; a voice that will say things the Zcash community needs to hear as opposed to what it wants to hear; then I have made my case for that.
I’m still happy to answer any other questions in good faith about my proposed policies, the policies that have actually been proposed by other MGRC candidates, or related topics.