[Bp_certs] About types of CERTs

excel asama excelasama at yahoo.fr
Wed Jul 23 10:30:29 EDT 2014


Dear all,

After managing a Net Neutrality project in Cameroon for some time, I gathered some preoccupations from different stakeholders and thought it wise to share them with you:

Cyber crime is one of the direct consequences of not maintaining Net Neutrality and, as such, it is important for us to clarify the link between the two concepts. Precisely, we may want to redefine the following words, while considering their inter-connection and inter-operability:

	1. Privacy-Transparency-Net Neutrality-Confidentiality and the legal mandate of government to bridge the four when requested by the law.

	2. One of the reasons why CSERTS are created is to improve online safety. We all know that Deep Packet Inspection Technology (DPI) is necessary to clean the network and dump any malicious stuff and could as well be used for surveillance. My question here is: what role can CSERTS operators or the International coalition play in keeping the eyes of the "big brother" out of our packets, and what guarantee can we have that DPI will only be used for network cleansing?
I strongly believe if we look at things this way, we will do more good than just hunting the bad boys in our networks.


_______________________________
ASAMA  A. EXCEL
Netsquared/Techsoup Ambassador-Africa
Founding President, I-Vission International. 
Box 13040, DOUALA-CAMEROON
Tel: (+237) 76 14 26 23
My blog: www.excelasama.wordpress.com
Website:  www.ivission.net

Photos Album: www.flickr.com/ivission
Twitter: www.twitter.com/ivission


On Wednesday, 23 July 2014 at 15:35, Andrew Cormack <Andrew.Cormack at ja.net> wrote:
 


Just to emphasise the importance of Patrik's steps 5 and 6. Don't start out as a brand new CERT expecting people to send you sensitive information, they won't.

First you have to demonstrate (a) that you can be trusted with information and (b) that you can do something useful with it. Then people may start to share with you, but it's likely to be a slow process. I tend to describe the trust-building process as:
- I share a little bit of information with you
- If that didn't make my world worse, I might share another little bit of information with you
- If that made my world better, I'll probably share more information with you

So as a new CERT your first products to get steps 1-4 going should be based on information you already have (e.g. if you can monitor your own network and provide reports of what is happening there) plus what is available from public sources (e.g. translating advisories into local language, as JPCERT did). 

Then you'll be welcomed as a useful and reliable member of the community.
Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238


> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Patrik Fältström
> Sent: 16 July 2014 21:25
> To: Carlos M. Martinez
> Cc: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> 
> My personal view, after looking at a few "failed" CERT initiatives is
> that whether a cert is successful or not depends completely (like any
> business) on whether external parties from the cert do believe the cert
> delivers whatever the cert is supposed to deliver.
> 
> I.e. number one recommendation from me is always that the cert is
> defining what "products" the cert is producing. What is the cert doing?
> What is it delivering to what customers?
> 
> Given that certain products are to be delivered, the cert needs
> information. Only if the cert manages to gain trust (that they will
> deliver whatever they are to deliver) will external parties (peers)
> start to give them information.
> 
> So, to conclude:
> 
> 1. Define what the cert's role in the community is
> 
> 2. Define what services / products the cert produces
> 
> 3. Convince peers (2) is doable
> 
> 4. Deliver (1) and (2)
> 
> 5. Get data that make delivery easier
> 
> 6. By doing (4) gain more trust, and get more data (5), and continue a
> positive continuation
> 
> Forcing people to work with a (national) cert will not work. If people
> have problems, they will, in my view, primarily talk with their vendor and
> the vendor support mechanism, which often is part of the cert
> structure.
> 
> I.e. people talk with "national cert" if it helps them. Not if they are
> forced to.
> 
>   Patrik
> 
> 
> _______________________________________________
> Bp_certs mailing list
> Bp_certs at intgovforum.org
> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org

