Forwarded from: Darren Reed <darrenrat_private>

In some email I received from InfoSec News, sie wrote:
> http://www.newsbytes.com/news/01/171173.html
>
> By Brian McWilliams, Newsbytes
> REDMOND, WASHINGTON, U.S.A.,
> 16 Oct 2001, 1:37 PM CST
> Pushed to the brink by recent Internet worm outbreaks, Microsoft
> hopes to rally the computer industry against those who improperly
> publish information about security vulnerabilities.
>
> In an editorial at Microsoft's site, Scott Culp, head of the
> company's Security Response Center, announced the initiative
> against what he called "information anarchy."
>
> According to Culp, the damage caused by worms such as Code Red and
> Nimda can be blamed in part on computer security professionals who
> discovered the software flaws exploited by the malicious,
> self-propagating programs.

Part advisory announcing the problem, part hacker writing the worms AND
PART VENDOR for supplying the faulty software. Maybe part administrator
for not patching it, but administrators shouldn't have to do that :)

> "Clearly, the publication of exploit details about the
> vulnerabilities contributed to their use as weapons ... It's
> simply indefensible for the security community to continue arming
> cybercriminals," he said.

So, let's follow that argument one step further. Microsoft supplied
vulnerable software to hundreds of thousands of sites world wide ...
It's simply indefensible for vendors to continue providing vulnerable
software to customers.

> "This is not a call to stop discussing vulnerabilities. Instead,
> it is a call for security professionals to draw a line beyond
> which we recognize that we are simply putting other people at
> risk," said Culp.

> "We question the ethics and business value of arming individuals
> with the ability to break into computers," said Rouland.

Instead we provide people with software that you don't even need to
break the DMCA in order to find out what faults (and how) are being
checked for.

Well, so long as using a packet sniffer to watch the conversation
between IIS and its target doesn't infringe the DMCA and I can't see
how it could.

[...]

> Besides acknowledgments in its security bulletins, Microsoft plans
> to develop additional means of encouraging security professionals
> to adopt its limited-disclosure stance.

And for those that don't subscribe to the Microsoft school of thought,
what does that have to offer? The only incentive here is not to
publish security compromising information under a recognisable name.
If the Eeye advisory had been published using a pseudonym (a) nobody
would care who Eeye is (I still don't) and (b) Eeye wouldn't be in the
firing line now.

> "It's time for the security community to get on the right side of
> this issue," he said.

It's time the community at large demanded better software quality from
vendors. I imagine if it were Sun computers running Solaris or Linux
that were in the hundreds of thousands supporting these worms then M$
would be making fun of Unix and not complaining about security
exploits, etc. Nevertheless, wind the clock back almost 10 years and
it was SunOS that was notorious for falling prey to hackers and I
don't recall Sun "crying" about how unfair it was when scripts, etc,
were posted in news groups or on lists.

"Oh no, it'll cost us more money to do that!", they scream.

If your car had as many bugs as M$ Windows does, would you pay however
much it is for it new? And on the other side, if M$ Windows had as
few bugs as a new car, would you pay thousands and thousands of
dollars for it? Let's pretend that you could keep and use the same
copy of M$ Windows for 10-20 years with the same ease you can cars :-)
(I'm assuming that a "new car" or line might be _recalled once_ in its
lifetime to fix a serious problem that would be equivalent to a
security bug the likes of what we see in IIS regularly).
Darren

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:57:46 PDT