Re: [ISN] Microsoft Rallies Industry Against Bug Anarchy

From: InfoSec News (isnat_private)
Date: Thu Oct 18 2001 - 00:46:06 PDT

  • Next message: InfoSec News: "[ISN] Governor Calls for 'Cyber Court'"

    Forwarded from: Darren Reed <darrenrat_private>
    In some email I received from InfoSec News, sie wrote:
    > By Brian McWilliams, Newsbytes
    > 16 Oct 2001, 1:37 PM CST
    > Pushed to the brink by recent Internet worm outbreaks, Microsoft
    > hopes to rally the computer industry against those who improperly
    > publish information about security vulnerabilities.
    > In an editorial at Microsoft's site, Scott Culp, head of the
    > company's Security Response Center, announced the initiative
    > against what he called "information anarchy."
    > According to Culp, the damage caused by worms such as Code Red and
    > Nimda can be blamed in part on computer security professionals who
    > discovered the software flaws exploited by the malicious,
    > self-propagating programs.
    Part advisory anouncing the problem, part hacker writing the worms AND
    PART VENDOR for supplying the faulty software.  Maybe part
    administrator for not patching it, but administrators shouldn't have
    to do that :)
    > "Clearly, the publication of exploit details about the
    > vulnerabilities contributed to their use as weapons ... It's
    > simply indefensible for the security community to continue arming
    > cybercriminals," he said.
    So, lets follow that argument one step further.  Microsoft supplied
    vulnerable software to hundreds of thousands of sites world wide ...
    It's simply indefensible for vendors to continue providing vulnderable
    software to customers.
    > "This is not a call to stop discussing vulnerabilities. Instead,
    > it is a call for security professionals to draw a line beyond
    > which we recognize that we are simply putting other people at
    > risk," said Culp.
    > "We question the ethics and business value of arming individuals
    > with the ability to break into computers," said Rouland.
    Instead we provide people with software that you don't even need to
    break the DCMA in order to find out what faults (and how) are being
    checked for. Well, so long as using a packet sniffer to watch the
    conversation between IIS and its target doesn't infringe the DCMA and
    I can't see how it could.
    > Besides acknowledgments in its security bulletins, Microsoft plans
    > to develop additional means of encouraging security professionals
    > to adopt its limited-disclosure stance.
    And for those that don't subscribe to the Microsoft school of thought,
    what does that have to offer?  The only incentive here is not to
    publish security compromising information under a recognisable name.  
    If the Eeye advisory had of been published using a pseudonym (a)
    nobody would care who Eeye is (I still don't) and (b) Eeye wouldn't be
    in the firing line now.
    > "It's time for the security community to get on the right side of
    > this issue," he said.
    It's time the community at large demanded better software quality from
    vendors.  I imagine if it were Sun computers running Solaris or Linux
    that were in the hundreds of thousands supporting these worms then M$
    would be making fun of Unix and not complaining about security
    exploits, etc.  Nevertheless, wind the clock back almost 10 years and
    it was SunOS that was notorious for falling prey to hackers and I
    don't recall Sun "crying" about how unfair it was when scripts, etc,
    were posted in news groups or on lists.
    "Oh no, it'll cost us more money to do that!", they scream.
    If your car had as many bugs as M$ Windows does, would you pay however
    much it is for it new ?
    And on the other side, if M$ Windows had as few bugs as a new car,
    would you pay thousands and thousands of dollars for it ?  Lets
    pretend that you could keep and use the same copy of M$ Windows for
    10-20 years with the same ease you can cars :-)
    (I'm assuming that a "new car" or line might be _recalled once_ in its
     lifetime to fix a serious problem that would be equivalent to a security
     bug the likes of what we see in IIS regularly).
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:57:46 PDT