[cryptome] Re: FOIPA adventures
ryacko at gmail.com
Thu Dec 24 14:41:46 PST 2015
Clearly you should make a request for the source code for the Promis
software as used by the FBI. It's public domain.
On Thu, Dec 10, 2015 at 3:54 AM, coderman <coderman at gmail.com> wrote:
> On 12/9/15, coderman <coderman at gmail.com> wrote:
> > a most recent Glomar:
> > "Disclosure timeline and decision making rationale for disclosure of
> > vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel
> > Could Allow Remote Code Execution (2992611)" to Microsoft Corporation
> > as part of the Vulnerabilities Equities Process. Please include
> > timeline for initial discovery with source of discovery, first
> > operational use, and finally, date for vendor notification."
> > -
> > "The request has been rejected, with the agency stating that it can
> > neither confirm nor deny the existence of the requested documents."
> > -
> I reject and demand appeal of your rejection of this request.
> First and foremost, please recognize that the GSF Explorer, formerly
> USNS Hughes Glomar Explorer (T-AG-193), for which this Glomar response
> is so named, was a purely military operation, using custom-built
> military equipment, on an exceptionally sensitive military mission to
> recover military equipment. Observe that the "Vulnerabilities Equities
> Process" is a public outreach activity communicating with third party
> partners, acting in the public interest regarding software used by
> public citizens and business alike - a scenario at opposite ends and
> means from which this denial blindly overreaches.
> Second, observe that existing precedent supports the release of
> materials responsive to this request. In American Civil Liberties
> Union v. Department of Defense Case No: 04-CV-4151 (ACLU v. DoD) the
> courts have affirmed the public interest as compelling argument for
> favoring the public interest against clearly military efforts. The
> Glomar denial should be well targeted; this targeted falls well
> outside of the "Vulnerabilities Equities Process", which is a
> public outreach activity communicating with third party partners,
> acting in the public interest, regarding software used by public
> citizens and business alike.
> Third, consider that it is a well established technique in the
> information security industry to identify the origin and nature of a
> defect discovery and disclosure timeline. This information is used for
> a myriad of secondary research, analysis, and automation efforts
> spanning numerous industries. The utility of disclosure timeline
> information and context has decades of rich support and strong
> evidence of public interest benefit, particularly regarding long
> reported and fixed defects, such as this one, which has patches
> available for over a year.
> Fourth, observe that every hour of expert opinion coupled with legal
> review amounts to a non-trivial expenditure of hours which are a sunk,
> throw away cost of FOIA communication. While as a taxpayer I
> appreciate the service of FOIA professionals such as those involved in
> this request, who provide tireless effort to all the hundreds of millions
> of US citizens, my personal cost should be recognized. For this reason
> a deference in favor of public interest and disclosure is well
> supported for this request regarding the "Vulnerabilities Equities
> Process", which is a public outreach activity communicating with third
> party partners, acting in the public interest, regarding software used
> by public citizens and business alike.
> Thank you for your time, and best regards,