<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Oh - one last thought, for now, about accreditation, generally.<div class=""><br class=""></div><div class="">Accreditation for access will need to be centralized, perhaps not entirely, but substantially.<br class=""><div class=""><br class=""></div><div class="">I ran an email accreditation program (whitelist) a couple of times in my professional life, my experience dictates that as tough as one might want to be on membership, it is ongoing compliance that will determine if such a thing is meaningful.</div><div class=""><br class=""></div><div class="">ICANN compliance can lend their views as to how incredibly difficult such work is.</div><div class=""><br class=""></div><div class="">Gated access will be trivially bypassed in terms of initial access, and abused on an ongoing basis, by those with bad intent, and provide an annoying, or even insurmountable barrier (again, emerging nations) to those who intend to use such access for the benefit of the ecosystem.</div><div class=""><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class="Apple-interchange-newline"><br class=""></div><div class="">Neil Schwartzman</div><div class="">Executive Director</div><div class="">Coalition Against Unsolicited Commercial Email</div><div class=""><a href="http://cauce.org" class="">http://cauce.org</a></div><div class="">Tel : (303) 800-6345</div></div><div class="">Twitter : @cauce</div><div class=""><br class=""></div></div><br class="Apple-interchange-newline" style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class="Apple-interchange-newline"></div>
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Jun 8, 2017, at 2:17 PM, Neil Schwartzman <<a href="mailto:neil@cauce.org" class="">neil@cauce.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class="">On Jun 8, 2017, at 11:38 AM, jonathan matkowsky <<a href="mailto:jonathan.matkowsky@riskiq.net" class="">jonathan.matkowsky@riskiq.net</a>> wrote:<br class=""><br class=""><blockquote type="cite" class="">On a side note, a threat researcher or analyst is not the equivalent of an investigator. So focusing on certifying investigators is irrelevant to any issue within the working group. <br class=""></blockquote><br class=""></div><div class="">You are correct Jonathan, if you mean ‘law enforcement investigators’. In some companies, the term is used synonymously with threat researcher. In that context, "certifying investigators, researchers and analysts is irrelevant to any issue within the working group.” would be more apropos.</div><div class=""><br class=""></div><div class="">That said gated access needs some sort of parsing model. which is why I object to it in any form.</div><div class=""><br class=""></div><blockquote type="cite" class="">On Jun 8, 2017, at 10:55 AM, Stephanie Perrin <<a href="mailto:stephanie.perrin@mail.utoronto.ca" class="">stephanie.perrin@mail.utoronto.ca</a>> wrote:<br class=""><br class="">What criteria does an organization like APWG apply, when it admits members and shares data with them? <br class=""></blockquote><br class=""><a href="http://apwg.org/membership/membership/" class="">http://apwg.org/membership/membership/</a><div class=""><div class=""><br class=""></div><div class="">Example of some, but far from all, security initiatives include <a href="http://APWG.org" class="">APWG.org</a>, M3AAWG and <a href="http://FIRST.org" class="">FIRST.org</a> (this latter with very stringent criteria, they do onsite visits of CERTs and SIRTs, etcetera). Membership is subject to proprietary internal regulation specific to these organizations, and may be determined by a vote by existing members, ongoing reviews, etcetera.</div><div class=""><br class=""></div><div class="">The type of data exchanged in almost all cases is deeper on the order of a magnitude than WHOIS data in terms of sensitivity, it may involve materials, discussions of techniques, that would provide benefit to the adversary were they know (or known that we know), or disrupt legal initiatives being prepared, or even live law enforcement cases.</div><div class=""><br class=""></div><div class="">What happens when trust is breached? The member in question is removed.</div><div class=""><br class=""></div><div class="">Simply because someone passes accreditation doesn’t make them impervious to engaging in future abuse; the most recent case being an analyst with the NSA who leaked top secret documents to the press. I know someone who is currently in the process of being accredited for such a job, it is at minimum an 18-month process. Perhaps more. I’ve not spoken to her in a while. Furthermore, Mr. Snowden, I believe, did not have such accreditation, as an outside contractor. So there’s that, too.</div><div class=""><br class=""></div><div class="">N.B.: not all researchers, investigators, and analysts are members of companies or organizations that maintain membership to these groups. Many are professionals without credentials. Many companies are not members. Their abuse ops teams operate without credentials. They access WHOIS constantly to protect their networks, and those of others, for example, feeding the anti-spam mechanisms protecting u of T’s mail systems.<br class=""><br class=""><blockquote type="cite" class=""> When I have questions like this, I often check with experts before I ask. They don't call me naive, they answer my questions<br class=""></blockquote><br class="">The phrase "I believe the <b class="">notion</b> of certifying private cybercrime investigators to be painfully naive” said nothing about you personally; I spoke to the concept, nothing more. you can choose to take personal umbrage but it was not meant in that manner.<br class=""><br class=""><blockquote type="cite" class="">we need a system that is slightly more organized and less open to anti-competitive behaviour than the club-of-folks-who-know-each-other under which we are operating now.<br class=""></blockquote><br class="">I agree when you said "Folks, can we please try to be polite to one another on this list? “, after all, calling the security research industry anti-competitive isn’t impolite. [for non-english speakers, the use of the word “impolite" was intended to be ironic].</div></div><div class=""><br class=""></div><div class="">I do not believe we need anything more than what we have now. WHOIS access is working extremely well.</div><div class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class="Apple-interchange-newline"><br class=""></div><div class="">Neil Schwartzman</div><div class="">Executive Director</div><div class="">Coalition Against Unsolicited Commercial Email</div><div class=""><a href="http://cauce.org" class="">http://cauce.org</a></div><div class="">Tel : (303) 800-6345</div></div><div class="">Twitter : @cauce</div><div class=""><br class=""></div></div><br class="Apple-interchange-newline" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class="Apple-interchange-newline"></div>
</div>
<br class=""></div></div></blockquote></div><br class=""></div></div></body></html>