[ISN] Microsoft, researchers tussle over security issues

From: InfoSec News (isnat_private)
Date: Wed Nov 07 2001 - 01:34:11 PST


    http://www.siliconvalley.com/docs/news/tech/050585.htm
    
    Tuesday, Nov. 6, 2001 
    
    SAN FRANCISCO (Reuters) - Computer security researchers Tuesday
    accused Microsoft Corp. of trying to avoid taking responsibility for
    fixing holes in its software by making it harder for people who
    discover them to publicize the security breaches.
    
    Following recent high-profile worms such as Code Red and Nimda,
    Microsoft has embarked on a campaign to get researchers to restrain
    themselves when warning the public about security holes and bugs, a
    practice known as ``disclosure,'' according to several researchers.
    
    The issue is one of the main topics on the agenda at the
    Microsoft-sponsored conference, ``Trusted Computing Forum 2001,'' in
    Mountain View, Calif., which started Tuesday.
    
    ``We need to establish some kind of code of conduct; a standard of
    behavior that we all can sign onto,'' said Scott Culp, manager of
    Microsoft's security response center.
    
    However, researchers said they are worried that Microsoft will use the
    event to push its agenda and create a proposal for practices that
    favor its own position.
    
    ``I'm boycotting the event this year because of this,'' said Russ
    Cooper of TruSecure Corp., who has defended Microsoft on numerous
    occasions.
    
    ``We need to have public discussion first to collect the information
    from everybody,'' rather than just the Microsoft partners invited to
    the conference, Cooper said.
    
    Culp denied the claim, saying Microsoft is merely getting the ball
    rolling in seeking a consensus on best practices that would benefit
    the industry as a whole. ``We have not come to the conference with a
    solution,'' he said.
    
    'INFORMATION ANARCHY'
    
    In a paper issued last month, Microsoft's Culp accused researchers of
    fomenting ``information anarchy'' by releasing details about how
    vulnerabilities work that are then used by malicious hackers.
    
    ``Today, too often when somebody finds a security vulnerability they
    release either detailed exploit code or tools that can be used to
    attack users,'' Culp said Tuesday.
    
    But researchers counter that they need to give network managers a way
    to test for security holes and to provide temporary fixes when
    Microsoft does not act fast enough.
    
    Otherwise, Microsoft takes weeks, even months, to release patches and
    fixes, they said. The sooner the public knows about vulnerabilities,
    the greater the chance they can fix them before a malicious hacker can
    act, they said.
    
    ``If we can't disclose then software vendors basically can have bugs
    reported to them and they can sit on them and do as they will,'' said
    Marc Maiffret of eEye Digital Security, who discovered the hole in
    Microsoft's Web server software that allowed Code Red to infect
    thousands of computers.
    
    Microsoft opposes the common disclosure practices because once
    security information is released to the public the pressure is on them
    to come up with a fix, said Bruce Schneier, chief technology officer
    at Counterpane Internet Security.
    
    ``What we've learned during the past eight or so years is that full
    disclosure helps much more than it hurts,'' Schneier writes in an
    essay on the issue. ``And far fewer problems are showing up first in
    the hacker underground, attacking people with absolutely no warning.''
    
    'FREAKS AND GEEKS'
    
    The issue is a sore spot for Microsoft, with critics long complaining
    that the company sacrifices security for convenience and functionality
    in designing its software.
    
    Although Microsoft has added some security enhancements to its
    recently released Windows XP operating system, a security problem
    forced the company to shut down its Passport single sign-on
    authentication service for at least two days just last week.
    
    The company's .Net plan, which will allow users to access a variety of
    data and services over the Internet and of which Passport is a key
    piece, has raised both security and privacy concerns.
    
    The balance of personal privacy with national security interests
    following the Sept. 11 attacks is another topic to be addressed at the
    second annual three-day conference this week.
    
    ``Most of us are saying privacy does have its limits because the more
    private people are the more likely it is that they can represent a
    threat to our public safety,'' said Richard Purcell Sr., director of
    corporate privacy for Microsoft.
    
    ``We're getting the freaks and geeks together,'' Purcell said of the
    conference. Getting ``the policy driven business management people and
    the technically driven systems management people to work together in a
    much more collaborative way.''
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    