[cryptome] Re: FOIPA adventures
- From: coderman <coderman@xxxxxxxxx>
- To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>, cpunks <cypherpunks@xxxxxxxxxx>
- Date: Thu, 10 Dec 2015 03:54:12 -0800
On 12/9/15, coderman <coderman@xxxxxxxxx> wrote:
a most recent Glomar:
"Disclosure timeline and decision making rationale for disclosure of
vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel
Could Allow Remote Code Execution (2992611)" to Microsoft Corporation
as part of the Vulnerabilities Equities Process. Please include
timeline for initial discovery with source of discovery, first
operational use, and finally, date for vendor notification."
"The request has been rejected, with the agency stating that it can
neither confirm nor deny the existence of the requested documents."

I reject and demand appeal of your rejection of this request.

First and foremost, please recognize that the GSF Explorer, formerly
USNS Hughes Glomar Explorer (T-AG-193), for which this Glomar response
is so named, was a purely military operation, using custom-built
military equipment, on an exceptionally sensitive military mission to
recover military equipment. Observe that the "Vulnerabilities Equities
Process" is a public outreach activity communicating with third party
partners, acting in the public interest regarding software used by
public citizens and business alike - a scenario at opposite ends and
means from which this denial blindly overreaches.

Second, observe that existing precedent supports the release of
materials responsive to this request. In American Civil Liberties
Union v. Department of Defense Case No: 04-CV-4151 (ACLU v. DoD) the
courts have affirmed the public interest as compelling argument for
favoring the public interest against clearly military efforts. The
Glomar denial should be well targeted; this targeted falls well
outside of the "Vulnerabilities Equities Process", which is a
public outreach activity communicating with third party partners,
acting in the public interest, regarding software used by public
citizens and business alike.

Third, consider that it is a well established technique in the
information security industry to identify the origin and nature of a
defect discovery and disclosure timeline. This information is used for
a myriad of secondary research, analysis, and automation efforts
spanning numerous industries. The utility of disclosure timeline
information and context has decades of rich support and strong
evidence of public interest benefit, particularly regarding long
reported and fixed defects, such as this one, which has patches
available for over a year.

Fourth, observe that every hour of expert opinion coupled with legal
review amounts to a non-trivial expenditure of hours which are a sunk,
throw away cost of FOIA communication. While as a taxpayer I
appreciate the service of FOIA professionals such as those involved in
this request, who provide tireless effort to all hundreds of millions
of US citizens, my personal cost should be recognized. For this reason
a deference in favor of public interest and disclosure is well
supported for this request regarding the "Vulnerabilities Equities
Process", which is a public outreach activity communicating with third
party partners, acting in the public interest, regarding software used
by public citizens and business alike.

Thank you for your time, and best regards,