[ISN] MS to force IT-security censorship

From: InfoSec News (isnat_private)
Date: Thu Nov 01 2001 - 23:58:32 PST

  • Next message: InfoSec News: "[ISN] Ex-Buddhist monk to reclaim hacking from s'kiddiots"

    Creating, then throttling, security 'partners'
    By Thomas C Greene in Washington
    Posted: 02/11/2001 at 04:43 GMT
    We all know how Microsoft likes to bully its many 'partners', so it
    comes as no surprise that the Beast has decided to apply its
    partnership muscle to silence the software and network security
    research community.
    The company is currently shopping a 'security partnership agreement',
    which would open up reams of MS vulnerability data to those firms
    which capitulate to its censorship demands while leaving all others
    out in the cold, The Register has learned.
    Terms of the partnership agreement include provisions which would
    enjoin partners from releasing 'detailed' vulnerability data over a
    'blackout' period. Our information is in conflict here; we've heard
    that the blackout could be 45 days, a la CERT, or as long as six
    months, or indefinitely, until a fix is developed.
    It's likely that several drafts of the agreement are in circulation,
    and this uncertainty indicates the minimum and maximum periods
    currently under consideration.
    The word 'detailed' is still being debated, we gather. But we can
    guess that the sanitized reports MS itself likes to publish to
    accompany its patches would provide the model. Full disclosure would
    be enjoined until the Beast manages to issue a fix; and it appears
    that the agreement would give the company as long as it likes to
    develop one. Its security partners would be expected to keep silent,
    or issue a well-scrubbed, sanitized advisory in the mean time.
    Just as we saw MS pressuring its partners to rat on system builders
    who request quotes on OS-less 'naked' boxes with a bribery scheme
    http://www.theregister.co.uk/content/archive/18589.html, we can expect
    similar shenanigans to ferret out rogue security vendors which dare
    defy the Redmond Censors and actually offer their customers useful
    Redmond's goal is to ensure forcibly that exploit code doesn't fall
    into the hands of the blackhat development community before they've
    got a fix, but it also means that security vendors won't be able to
    give their customers the means to develop a workaround or a fix to an
    existing vulnerability until Redmond gets off its ass and solves the
    The problem here is obvious: if millions of systems are vulnerable to
    attack, it's pure head-in-the-sand gambling to hope that none of them
    will be exploited during the time it takes Redmond to sort it all out.
    Frankly, if I were paying good money for security services, I'd feel
    cheated if my vendor withheld data which I might be able to use to
    protect myself from attack. I wouldn't consider that a service worth
    paying for. I would do business with security vendors who wouldn't
    withhold crucial information from me on Microsoft's behest.
    Worse, we have here a recipe for establishing a monopoly on
    vulnerability data like the little cabal of greedy insiders who run
    the anti-virus industry, and who control access to information with a
    stranglehold which protects nothing so much as their revenue stream.
    Spin Session 
    It's likely that MS will announce this appalling scheme formally
    during its Trusted Computing Forum in Mountain View, California on 6,
    7 and 8 November.
    The forum "will bring together leaders of the online community to
    address some of the most pressing privacy and security issues we face
    today," the company says.
    And of course, it's all part of Microsoft's touching tradition of
    selfless public service: "The need for a forum such as this is greater
    than ever. The tragic events of September 11, 2001 have made an
    undeniable impact on the industry and the world with regards to
    privacy and security concerns," we're told.
    And who's been invited to speak? Richard Clarke, Presidential Advisor
    for Cyber Security; Brian Arbogast, Vice President of Microsoft's .NET
    Core Platform Services; Craig Mundie, MS Chief Technology Officer;
    Mozelle Thompson, Commissioner, Federal Trade Commission; Stewart
    Baker, Partner, Steptoe and Johnson & former General Counsel, National
    Security Agency; Jerry Berman, Executive Director, Center for
    Democracy and Technology; Rebecca Cohn, member of the California State
    Assembly; Lt. Lenley Duncan, Commander California Highway Patrol
    Network Management Section; and Barry Steinhardt, Associate Director
    of the ACLU.
    Rather a significant stacking of collaborators over skeptics, we must
    If anyone mistook MS Security Manager Scott Culp's recent essay
    ecurity/noarch.asp denouncing full-disclosure proponents as
    'information anarchists' for some simple, earnest opinion piece, they
    can dispense with that illusion.
    The essay was a mere shot across the bow in preparation for the real
    assault, which we predict will ultimately include some RIAA-like
    lobbying consortium to enforce Redmond's will upon the security
    Unless, of course, the security research community has the spine to
    defy the Beast, an outcome we'd like to see, but which we wouldn't bet
    good money on. Though if anyone wants to step up and prove us wrong,
    we'll be the first to applaud. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Nov 02 2001 - 01:51:21 PST