http://www.siliconvalley.com/docs/news/tech/050585.htm Tuesday, Nov. 6, 2001

SAN FRANCISCO (Reuters) - Computer security researchers Tuesday accused Microsoft Corp. of trying to avoid taking responsibility for fixing holes in its software by making it harder for people who discover them to publicize the security breaches.

Following recent high-profile worms such as Code Red and Nimda, Microsoft has embarked on a campaign to get researchers to restrain themselves when warning the public about security holes and bugs, a practice known as "disclosure," according to several researchers.

The issue is one of the main topics on the agenda at the Microsoft-sponsored conference, "Trusted Computing Forum 2001," in Mountain View, Calif., which started Tuesday.

"We need to establish some kind of code of conduct; a standard of behavior that we all can sign onto," said Scott Culp, manager of Microsoft's security response center.

However, researchers said they are worried that Microsoft will use the event to push its agenda and create a proposal for practices that favor its own position.

"I'm boycotting the event this year because of this," said Russ Cooper of TruSecure Corp., who has defended Microsoft on numerous occasions.

"We need to have public discussion first to collect the information from everybody," rather than just the Microsoft partners invited to the conference, Cooper said.

Culp denied the claim, saying Microsoft is merely getting the ball rolling in seeking a consensus on best practices that would benefit the industry as a whole.

"We have not come to the conference with a solution," he said.

'INFORMATION ANARCHY'

In a paper issued last month, Microsoft's Culp accused researchers of fomenting "information anarchy" by releasing details about how vulnerabilities work that are then used by malicious hackers.
"Today, too often when somebody finds a security vulnerability they release either detailed exploit code or tools that can be used to attack users," Culp said Tuesday.

But researchers counter that they need to give network managers a way to test for security holes and to provide temporary fixes when Microsoft does not act fast enough. Otherwise, Microsoft takes weeks, even months, to release patches and fixes, they said.

The sooner the public knows about vulnerabilities, the greater the chance they can fix them before a malicious hacker can act, they said.

"If we can't disclose then software vendors basically can have bugs reported to them and they can sit on them and do as they will," said Marc Maiffret of eEye Digital Security, who discovered the hole in Microsoft's Web server software that allowed Code Red to infect thousands of computers.

Microsoft opposes the common disclosure practices because once security information is released to the public the pressure is on them to come up with a fix, said Bruce Schneier, chief technology officer at Counterpane Internet Security.

"What we've learned during the past eight or so years is that full disclosure helps much more than it hurts," Schneier writes in an essay on the issue. "And far fewer problems are showing up first in the hacker underground, attacking people with absolutely no warning."

'FREAKS AND GEEKS'

The issue is a sore spot for Microsoft, with critics long complaining that the company sacrifices security for convenience and functionality in designing its software.

Although Microsoft has added some security enhancements to its recently released Windows XP operating system, a security problem forced the company to shut down its Passport single sign-on authentication service for at least two days just last week.

The company's .Net plan, which will allow users to access a variety of data and services over the Internet and of which Passport is a key piece, has raised both security and privacy concerns.
The balance of personal privacy with national security interests following the Sept. 11 attacks is another topic to be addressed at the second annual three-day conference this week.

"Most of us are saying privacy does have its limits because the more private people are the more likely it is that they can represent a threat to our public safety," said Richard Purcell Sr., director of corporate privacy for Microsoft.

"We're getting the freaks and geeks together," Purcell said of the conference. Getting "the policy driven business management people and the technically driven systems management people to work together in a much more collaborative way."
This archive was generated by hypermail 2b30 : Wed Nov 07 2001 - 06:08:13 PST