Sarah Jamie Lewis announces her candidacy for the Major Grants Review Committee

Interesting take, I disagree. Responsible disclosure is something a researcher commits to, not a vendor.

I would argue that quote tweeting first then filling out the GitHub is a clear violation of ISO 30111.

At the end of the day, full disclosure is a mechanism for getting vendors to adopt and adhere to ISO 30111 - responsible disclosure is the enforcement mechanism.

I can find other ISOs this would violate.

It is worth noting that the GitHub issue was submitted after the initial public disclosure that did not include the vendor. This might seem like splitting hairs but it is actually important.

Every vendor I work with would blacklist you for that. The time difference you could explain as lag, but Sarah admits that she sent the tweet before the vendor report. If it wasn’t a quote tweet, it is still a dick move, but it is a lot more dubious whether it violates 30111 or not, and you wouldn’t get blacklisted.

30111 is the framework which disclosure ethics are built upon.

I do not understand how anyone could have managed to get a security contract, post 2013, without providing a written copy of their ethics, specifically ISO 30111:2013.

You must include ISO 30111 or you fail due diligence. - go check an old NCC contract, it will either reference 30111 or their own more restrictive version, which will be written down.

If you are a contractor, you sign ISO 30111 in your contract. If you are an employee, you sign the company’s ethics statement in your employee contract (which will be more constraining than 30111).

3 Likes

This has been a very interesting and important discussion. My two cents:

If it is possible to publicly disclose a vulnerability in a way that reduces the likelihood of it being exploited before a fix is deployed, that should be the preferred option. This position is based on common sense (I have no special expertise in this area), but I’d be very surprised if there are security/disclosure standards that argue the opposite.

4 Likes

(Speaking very much for myself.)

I wouldn’t allow any ISO/IEC (or other) standard to take precedence over my personal ethics, and I wouldn’t expect anyone else to.

As it happens, ECC’s vuln disclosure procedure is here, and if it has any similarity to that standard then it’s pure coincidence. It’s obviously fine for people to voluntarily sign up to particular policies, but if they’re independent researchers, as Sarah is, it is also fine for them not to. In particular, please note that the Zcash Code of Conduct does not place any requirements on modes of vulnerability disclosure, and that’s intentional.

6 Likes

Your position is I violated a proprietary ISO standard, the remit of which explicitly applies to “vendors involved in handling vulnerabilities.” - A standard that you can’t even show everyone because it is paywalled?

Just so I’m clear, that is where you are drawing your ethical line?

If so I’m truly sorry to the ISO and they should revoke my membership ASAP.

More seriously,

I do! It is because your experience is, much like disclosure ethics are, not universal.

Thankfully my ethics are not bound to what vendors think of me. I am free to follow my own sense of right and wrong.

I believe strongly in people’s right to know what risks they are being subjected to. I’ve already explained why I find the modern “responsible” disclosure trend abhorrent, so I’m not going to repeat myself.

If you wish to continue to lament that people like me shouldn’t be security researchers then you are of course free to do so. Lobby for a licensing regime maybe?

3 Likes

Sarah, in retrospect, do you agree that opening a GitHub issue or notifying the developer directly before tweeting out details about a vulnerability is the right thing to do?

1 Like

As I’ve stated numerous times in this thread, this was a trivially exploitable 10-hour-old MITM exploit in a cryptocurrency project - I believed then, and I believe now, that warning users about the risk was more crucial than getting the actual issue fixed.

In an ideal world, the presence of such an issue should be enough to call into question the entire risk assessment of the project. We still don’t have a root cause analysis behind why such a version of the wallet with such a critical issue was released (or any idea of the actual vulnerability window i.e. downloads of the vulnerable version v.s. the update). If we want to talk about actual risks to Zcash users then we need to look there.

To use an imperfect analogy: If I found a fire in a building, my first action would be to pull the alarm and get everyone out of the building, to safety, not to call the building owner.

8 Likes

There is a certain action aimed at warning users. Let us take as a fact that there is an error and that it has been detected. Who told you that only one person found the error? While you are releasing the update, users are under threat, right? And if you spent weeks on elimination, the network cannot be stopped, then you need to stop using at least the problem wallet. As for me, this is a correct and ethical act.
Based on the facts, what do you think is the chance that an attacker seeing this problem was able to gain access to users’ wallets based solely on the information disclosed on Twitter?

(Speaking for myself.)

Look, it’s clear that the approach to vulnerability disclosure is a highly contentious aspect of the infosec field. It has been contentious for over 30 years, and will continue to be, because there isn’t a right answer. It simply isn’t the case that there’s an “accepted behaviour” on how to disclose vulns and that people who don’t follow it are wrong.

There are plenty of toxic people in the cryptocurrency community, but people who accurately report vulns in a good-faith attempt to protect potential users (regardless of whether you agree with how they do it) are not that.

11 Likes

Maybe she could have disclosed it privately and posted a public tweet to not use the wallet until a critical vulnerability was fixed without disclosing what that vulnerability was?

3 Likes

Another (imperfect) analogy is a security guard who finds an unlocked door to a supposedly secure building. If no one else knows about it, the first step might be to call the building owner, who can simply lock the door, rather than put out a PSA to the whole town.

5 Likes

Your analogy is wrong.

  1. The building is not safe, but an emergency.
  2. The guard, instead of informing everyone about it, is silent about the problem, and at this time people come in and get injured.

As I wrote above, how do you know that only one person found the error? While one informs the developer and waits for a response from him, everyone is using it and it turns out that they are in danger. And if your money was stolen from the bank because someone found a ditch in an electronic wallet and you knew that the bank was aware of this, would you be angry with the bank? The situation is the same here, and the longer people use an unsafe wallet, the worse for themselves in the first place. Yes, you can’t notify everyone via Twitter, but it’s better than no one. It is necessary to make a remote switch in the wallet: the wallet is unsafe, use is not possible, update!
1 Like

Hi Sarah,

I think this is getting a little distracted from the core subject of operating in a professional manner without professional ethics.

One of the key problems with not having professional ethics is that any question of the person’s ethics is by nature a question of that person’s character. It makes these sorts of conversations very difficult. I apologise if I have stepped over a line, it really is not my intention.

I know you see any disparity between personal and professional ethics as cognitive dissonance. I disagree with that; I’m pretty sure cognitive dissonance implies negative effects on mental health.

Here is an example of where me putting aside my personal ethics and using professional ethics has been a benefit to the zcash community as a whole. This is directly relevant to the community you want to help and represent.

Please note: looking back on this, the situation looks very different to how it was. This was explicitly about a continuation of a FR - there was no concept of a zfnd based devfund then. (I think it was me that suggested the rebranding of FR to dev fund.)

The ECC said they needed more money and needed to continue the FR. There was understandable outcry. (I was one of them.)
This led to a heated discussion, then I wrote a couple of zips, one to end the FR and another to make any new FR solely from opt-in donations.

Once I had submitted these zips and made the czip template, I offered my services forward to the community to write their zips too - some of the zips I wrote were strongly against my personal ethics, but my professional ethics overruled them so the community could have a greater choice (very much like the zips I am currently offering to write to change 1014). This caused me no internal conflict even though a lot had mandatory donations in them, thus directly conflicting with my personal ethics.

How would you cope in such a situation, would you be able to write zips that you personally disagree with?
In light of your controversial revelations, how would you go about repairing any potential rift with the community so you can engage and represent them more effectively?
To what level do you understand the inclusion of your industry standards, such as vendor response, in contract documents?

Also please, let’s not get into analogies. They are seldom useful for computer security and nearly always wrong.

For the record, I have never said you should not be a security researcher, and 30111 does cover researcher disclosure. The ISO is to stop vendors sending independent researchers to prison. The ISO is the “4. Phases of CVD - CERT Guide to CVD - VulWiki” link I previously posted.

2 Likes

How would you cope in such a situation, would you be able to write zips that you personally disagree with?

This is very binary thinking. Issues are seldom agree/disagree and there are a whole spectrum of options, incentives and trade offs to consider. I would presume you wrote zips that presented imperfect options/incentives/tradeoffs that you could otherwise learn to live with, that’s very different from writing zips you fundamentally disagree with.

If you did indeed put forward proposals to the community that you were morally against…I can’t empathize with that psyche.

To what level do you understand the inclusion of your industry standards, such as vendor response, in contract documents?

In my time I’ve both drafted, reviewed and signed many formal security engagement contracts - in addition to managing security engagements. Both as an employee of large organizations and a freelancer. Both as a customer and as a security engineer.

For the record, I have never said you should not be a security researcher, and 30111 does cover researcher disclosure. The ISO is to stop vendors sending independent researchers to prison. The ISO is the cert.org link I previously posted.

Let’s be real, you implied it “I do not understand how anyone could have managed to get a security contract…” blah blah blah…

That link (and your post) explicitly states that the document is an adaptation, not the standard. Feel free to post a full copy of the actual, proprietary, standard if you want to make an argument about me violating it. I still don’t understand how you think I violated this “standard” - especially given your stated understanding that the ISO exists to prevent the criminalization of independent researchers - every action I took under this disclosure was legally protected - very confused about your entire stance on this now.

In light of your controversial revelations, how would you go about repairing any potential rift with the community so you can engage and represent them more effectively?

Nice framing. Controversy and rifts are a sign of a healthy, functioning democracy. I will also take this point to note that while much has been made of my “irresponsible disclosure”, “irresponsible development” has been left on the sidelines of this thread. I happen to believe the two have the same solution - the MGRC funding access to security expertise across the phases of development.

That is an actual (and based on the discussion in this thread, popular) MGRC policy that I have put forward to resolve this very conflict (prior to the actual conflict).

Instead of discussing the nuances of this (or any) policy, the discussion has turned the long standing, highly contentious, debate on disclosure ethics in infosec into a very personal one.

  1. I’ve been labelled “toxic” in a post liked by multiple other MGRC candidates - regarding my actions to reduce the impact of an incredibly likely MITM targeting Zcash users - a vulnerability which has yet to be investigated in any capacity.
  2. Many of those candidates have also liked a post that contained an outright, demonstrable lie regarding my conduct, which has yet to be removed.
  3. My inbox has become a dumping ground for people I’ve never met, or otherwise interacted with, creepily wanting to talk with me 1:1 “to help me be more professional”.

I would like to say that this was unexpected, but it was all sadly very predictable. When I was first asked (back in April) by a prominent Zcash community member to consider running for the MGRC I responded with “probably not” citing the following:

More fundamentally, as much as I love the technology and want more people to adopt it, I’m still questioning to what extent I want to continue to involve myself at all within the wider zcash ecosystem.

Recent experiences have left me exhausted and frustrated with the amount of effort I have had to invest not only in demonstrating the value of even minimal privacy engineering in ecosystem projects but the extent to which I’ve had to continually defend my expertise, judgment and ethics to core community members.

Finally, above and beyond personal frustrations; given the political nature of the position, and with internet politics (/cryptocurrency politics) in particular being what it is, I have to consider to what extent the evidenced community biases may amplify and possibly exacerbate existing safety concerns that I have.

After I sent that email I thought about it a lot more over the following 2 weeks, as the initial deadline approached, before coming to the conclusion that I respected the engineers and scientists involved with the Zcash Foundation and ECC enough that it was worth trying to make the ecosystem better. It has been disappointing to see many of those initial predictions and concerns play out.

I put forward my candidacy for two main reasons:

  1. Existing Zcash ecosystem grants were producing unsafe software that was being advertised as usable by both ECC and the Zcash Foundation and that was putting people directly at risk.
  2. I had heard from several zcash community members that they appreciated my public criticisms of this practice and the vulnerabilities I had discovered in the resulting software.

Only (2) appears (based on this thread) to have changed in recent months.

The election, is of course, the only way to really understand if this thread represents a concrete change or has simply become a magnet for a certain kind of discussion.

For better or for worse, we will know in less than a month to what extent these policies and behaviors resonate with the zcash community. Regardless of the outcome, I do hope whatever MGRC emerges subverts current expectations, takes these policies seriously and takes action to improve the actual safety of the ecosystem and the people in it.

I am, of course, left to consider to what extent I can be effective on an MGRC made up of members who have participated in the above.

I have some faith left that the wider community, not represented in this thread, has the wisdom to see my career and my contributions and understand my motivations and actions, and will see that if elected I will continue to be critical of policies and approaches I find wanting. I won’t compromise where compromising means taking or endorsing actions I find reprehensible. I will take a stand for the community members who believe that the zcash ecosystem needs to take a proactive approach to privacy and security, up to and including making grants dependent on projects adopting secure development practices, like vulnerability postmortems and security reviews prior to big releases.

To those community members, I will say: If you want a strong, critical voice on the committee - a voice that will fight to make the ecosystem as secure and private as it currently (arguably fraudulently) markets itself as; a voice that will say things the zcash community needs to hear as opposed to what it wants to hear; then I have made my case for that.

I’m still happy to answer any other questions in good faith about my proposed policies, the policies that have actually been proposed by other MGRC candidates, or related topics.

8 Likes

So I think this thread is coming far too close to concern trolling.

Yes, there is a long running debate between full disclosure and “responsible”/ coordinated disclosure. It’s a long running debate because there is no right answer. You can come down either way. Most people come down on the coordinated side. It’s a judgement call with no right answer. It’s fine to want to know the difference, but continually asking people to repeatedly justify their ethics rapidly turns into concern trolling.

Sarah has strongly held principles about security research and ethics. There is clearly a tension between those principles and working well with other MGRC members who probably don’t agree with them. This could cause friction. Then again, people usually can be professionals about this (though sometimes not). On the other hand, principles are important. We do have security problems, they do need to be dealt with and it will take people with principles to stand up to those who want to ignore these issues in the name of expediency.

9 Likes

From a non software developer perspective, based on long-term skimming of the forums and twitter zcash related subjects (which means that it is not based on strong facts: I don’t have enough time to dive in deeply) I can’t remember another event where someone pointed out a security issue besides @sarahjamielewis.
Putting the method aside, I really appreciate the result, and think this is the most important.
For this, I still believe it would make a lot of sense to be one of the elected people.

That was just an average zcash user perspective :slight_smile:

3 Likes

The majority of potential vulnerabilities in Zcashd are found internally at ECC. However, there have been a small number of bugs in Zcashd and related libraries that were pointed out via non-public disclosure by external researchers. An example of that is the PING/REJECT side channel attack found by Florian Tramèr, Dan Boneh, and Kenneth Paterson, that was later published in this paper.

It’s worth pointing out that there are significant practical differences between the bugs that were disclosed this way, and the one in ZecWallet that has been referenced in this thread. Taking the PING/REJECT attack as a (fairly representative, I think) example, the fix we settled on required a refactoring of how the network thread communicated with the Zcashd internal wallet. In fact there was a (more difficult to exploit) extension to the original issue, that was only mitigated in the subsequent Zcashd release. In my opinion, the extra time allowed by the fact that the vulnerability wasn’t public did help with developing a more thorough fix. Speaking as a Zcashd developer, I do strongly encourage private disclosure for vulnerabilities like this. However, that is not inconsistent with Sarah Jamie Lewis’ position as I understand it.

The ZecWallet bug, on the other hand, was literally a matter of not having turned on a well-documented configuration option for certificate checking. It is entirely reasonable to raise serious questions about how that oversight happened.

For this thread, however, speaking as a forum moderator, I’d like to strongly suggest that we move on to other issues. Everyone has laid out their position on this one, and the remaining disagreements are not going to be resolved here. I have edited one of the posts above for factual accuracy and flagged another one. I would like to remind everyone that personal attacks are not acceptable. Also, this behaviour pointed out by SJL is deeply concerning:

and should stop, immediately. Don’t do this.

14 Likes
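The ZecWallet bug described above came down to a client that never checked the certificate of the server it was talking to. The following is an added example, not ZecWallet’s code and not from anyone in this thread, written in Go with only the standard library. It mints two throwaway self-signed certificates for a constructed hostname (wallet-backend.example), serves each on a loopback port so that one plays the genuine backend and the other an impostor, and then shows the two client settings side by side: with InsecureSkipVerify set, the client accepts the impostor; with verification on and the genuine certificate pinned as the only root, the impostor is refused and the genuine backend is accepted. The hostname and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const backendHost = "wallet-backend.example" // constructed hostname for the wallet's backend

// selfSignedCert mints a throwaway certificate for host. Nothing vouches for it,
// so a second copy can play the certificate an on-path impostor would present.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// trustPool pins cert as the only trusted root, as a wallet might do for its own backend.
func trustPool(cert tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	return pool
}

// serve listens on a loopback port with cert; each connection is handshaken, answered and closed.
func serve(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.Write([]byte("ok\n")); c.Close() }() // first write drives the handshake
		}
	}()
	return ln.Addr().String(), nil
}

// weakConfig is the misconfiguration: any certificate is accepted, so an impostor looks like the backend.
func weakConfig() *tls.Config {
	return &tls.Config{ServerName: backendHost, InsecureSkipVerify: true}
}

// verifyingConfig is the corrected setting: the chain must lead to a root in roots and name backendHost.
func verifyingConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: backendHost, RootCAs: roots}
}

// connect dials addr with cfg; a non-nil error means the client refused the certificate.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	genuine, _ := selfSignedCert(backendHost)
	impostor, _ := selfSignedCert(backendHost)
	genuineAddr, _ := serve(genuine)
	impostorAddr, _ := serve(impostor)
	roots := trustPool(genuine)
	fmt.Println("skip verification, impostor:", connect(impostorAddr, weakConfig()))
	fmt.Println("verify, impostor:           ", connect(impostorAddr, verifyingConfig(roots)))
	fmt.Println("verify, genuine backend:    ", connect(genuineAddr, verifyingConfig(roots)))
}
```

Running it prints `<nil>` for the first line (the weak client happily completes a handshake with the impostor), an unknown-authority error for the second, and `<nil>` for the third. The only difference between the two client configurations is the verification setting; the pinned pool stands in for whatever root set a real wallet would ship or for the system trust store (a nil RootCAs).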

I sadly couldn’t make the call this week (sorting out housing in the aftermath of flooding earlier this summer), however I’ve compiled some answers to questions in the other thread that I hope you will find useful:

zxviews1qd8atlcqqcqqpqqj5kz4d42syywcgnfsc8fkzdsvg9a8zzeqgtgukmv3vtp5w34t37m90k7uwwlp47yn9fjn0qtxxsva4phvzc06lejayq8rpqpprq0a246l4vyjqyukudh37e09lnj5p46x2uje5mpfmade8w8mye8ujghn5llq39zgv9ec2936v05vzvvj325g8zscel73akagflpgsrq204c9aflf2hmh2uejav4uw5ml7677mcwquy7dcr4jljuj23s4pptr5jgm5n88a

I work best with people who require minimal supervision, can hold their own and who have strong, considered principles to guide their work.

I hope the MGRC will seek out as many small dev teams as possible, both to increase the surface area of grants covered and also to increase the decentralization in the ecosystem. There is a balance to be struck between resilience and redundancy; between competition and superfluity.

  • It’s amazing the kind of art you can produce for under $5000. Explanatory and educational videos. Posters etc. Definitely something I think the MGRC should consider.
  • Incentive wise, I really think Zcash has the best team in the domain. I’ve said it before and I will say it again.
  • Quantitative measures are difficult. I’ve outlined some security policies I’d put it place in this thread, but I think the true measure will be in usage statistics, or more concretely the number of shielded transactions.
  • Lack of demand.
  • Layer 2 privacy is a minefield, I’m very skeptical - so much can go wrong, and your anonymity set is rarely great. I would still argue Bitcoin as being the most practically private cryptocurrency simply because of its scale, widespread use (in comparison) and the relative accessibility it has in decentralized and local marketplaces. My hope is that Zcash arises as a practical challenger to that title.
  • As noted in my first post Open Privacy (of which I am the Executive Director) received a donation from ZF.

Nope. When I was a freelancer I used to buy groceries with Bitcoin. At Open Privacy we used the Zcash donation to fund a Staff Designer position (but not directly paid in Zcash). The wallets are becoming much more usable but there is still a relative lack of direct demand.

  • Answered above, but in short, the people and the technology.
  • Success - multiple successful grants, public security audits, a process for recognizing great zapps (I really like parts of @jmsjsph’s proposal around trust badges and the “shielded security seal”), but most importantly, as mentioned above, I would like to see an increase in shielded use. Failure - a lack of shielded uptick, no new Zapps, and overall lack of movement in the ecosystem.
7 Likes

Hello @sarahjamielewis For my vote, please answer my questions frankly:

  1. Are you pro BTC? If yes, Why? If not, Why?
  2. What is the largest account size you’ve handled in USD? How many end users did it impact?
  3. MGRC will control 8640 ZEC per month or 25920 per quarter, how will this be roughly spent? (provide napkin calculation).
  4. MGRC announcement attracts 100s of applicants from all over the world with all random ideas, all matching your goals, how would you evaluate them?
  5. KPIs aren’t entirely possible on a privacy preserving payments protocol project’s level, it’s all z2z, how will you evaluate funded team’s impact?
  6. DeFi fever made ETH run 2x compared to every cryptocurrency this year, thoughts?
  7. What locals, regions, languages, ethnicities, educational backgrounds of people have you worked with? What are your preferences of assembling teams that deliver?
  8. We live in a remote world now, how do you evaluate applicants for grants?
  9. Projects in Zcash are going to go through a huge change beyond the handful, driven teams funded via Zcash Foundation, thoughts?
  10. Zcash is a protocol at its core, ZEC price is volatile. How will you handle a single digit ZEC? ($9 x 8640/month = $77,760) How will you handle a 5 digit ZEC? ($21,000 x 8640/month = $181.44MM) Thoughts…
1 Like
Are you pro BTC? If yes, Why? If not, Why?

Yes. As mentioned above I used to pay for my groceries with BTC. BTC was first, groundbreaking and it is everywhere. There is no Zcash without BTC - both economically and materialistically. That could change in the future, but there is a long road ahead and the reality of the system needs to be recognized.

What is the largest account size you’ve handled in USD? How many end users did it impact?

I run a non-profit with a yearly budget of ~$200,000 USD. We produce software, research and run workshops for communities. Last year our research contributed to Switzerland cancelling the use of e-voting in major elections for the first time in over a decade.

MGRC will control 8640 ZEC per month or 25920 per quarter, how will this be roughly spent? (provide napkin calculation).

Given an average ZEC price of $50, I would expect 8640 to fund 4-8 medium projects a month. I’d like to see a split between larger blue-sky projects (network privacy, contracts etc.) and smaller focused improvements (security reviews, developing policies, the introduction of the “shielded security seal” etc.)

MGRC announcement attracts 100s of applicants from all over the world with all random ideas, all matching your goals, how would you evaluate them?

We need a standardized application process and rubric for evaluating applications - and follow up processes for those applicants whose ideas are going to stretch and break that standardization. Such a large attraction is also going to require a rethink in the limitations of the interpretation of 1014 as set out by the Zcash Foundation - it will be impossible to effectively evaluate 100s of applications on just 5 hours a month of overhead.

KPIs aren’t entirely possible on a privacy preserving payments protocol project’s level, it’s all z2z, how will you evaluate funded team’s impact?

Total number of shielded transactions and total number of Zapps. Ecosystem development, number of issues being filed by newcomers, number of fresh pull requests, the buzz on the forums and chat channels. There are lots of side channels to test the effectiveness.

DeFi fever made ETH run 2x compared to every cryptocurrency this year, thoughts?

Fever is a good word. It’s hot, painful and short-term.

What locals, regions, languages, ethnicities, educational backgrounds of people have you worked with? What are your preferences of assembling teams that deliver?

I’ve remotely worked for a large portion of my career, working with teams around the world. I’ve done science outreach in schools, I’ve given lectures and talks in many countries and my current work requires me to keep up with other organizations around the world tackling privacy and security concerns. As noted above, I work best with people who require minimal supervision, can hold their own and who have strong, considered principles to guide their work.

We live in a remote world now, how do you evaluate applicants for grants?

See above. Standardized rubrics and effective side channels.

Projects in Zcash are going to go through a huge change beyond the handful, driven teams funded via Zcash Foundation, thoughts?

We need that change. As exciting as some of the projects that came out of the first wave of funding are, they suffered when it came to quality. Major vulnerabilities undermine the mission and could have been prevented. Security standards and quality seals are not a silver bullet but they leverage the unique tension between the current organizational grounding of Zcash and the projected decentralized future.

Zcash is a protocol at its core, ZEC price is volatile. How will you handle a single digit ZEC? ($9 x 8640/month = $77,760) How will you handle a 5 digit ZEC? ($21,000 x 8640/month = $181.44MM) Thoughts…

This is something I have a lot of experience with at my job at Open Privacy. We receive donations in ZEC as well as BTC and XMR. We have to plan and commit to months of expenses based on our current price knowledge and forecasts. It is something I’ve spent a lot of time thinking about and prototyping tooling for, and something I’ve learned is that there is no right answer. The future is fundamentally unpredictable.

Unlike with my role at Open Privacy, the MGRC is in a position to break the correlation that ZEC has with BTC and begin to chart out a possible future for Zcash, which is essential before we can speculate about what those kinds of prices really mean.

9 Likes

Good Luck Ms. Lewis.

3 Likes