[ISN] The Freedom to Innovate Includes The Freedom to Obfuscate

From: InfoSec News (isnat_private)
Date: Mon Nov 12 2001 - 01:44:00 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    (Full article, nicely-formatted, with referenced hyperlinks)
    The Freedom to Innovate Includes The Freedom to Obfuscate:
    Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability
    Richard Forno 
    11 November 2001: Essay #2001-11
    (c) 2001 by Author. Permission is granted to quote, reprint or
    redistribute provided the text is not altered, and appropriate credit
    is given.
    Summary: Microsoft's newfound emphasis on security and "responsible
    disclosure" is more for PR purposes than true security, and places the
    net at great risk.
    "It will not follow that everything must be suppressed which may be
    abused... if all those useful inventions that are liable to abuse
    should therefore be concealed, there is not any Art or Science which
    may be lawfully professed."         -- Bishop John Wilkins, 1641
    In late October 2001, Microsoft's Security Manager Scott Culp
    published a missive calling for 'responsible disclosure' of security
    vulnerability information on the Internet, claiming it was because of
    the public availability of such information that major Internet
    security problems or cyber-terrorist events could occur. His
    commentary was well-received by large commercial companies and
    security vendors, and panned by nearly everyone else.
    Full disclosure forums serve as a community resource and a much-needed
    check-and-balance against the profit-motivated interests of vendors
    preferring that their customers blindly continue purchasing and
    supporting their line of products, blissfully unaware of the potential
    dangers they are susceptible to each time they boot up or log on.
    Absent this objective and freely available mechanism, the internet
    community is at the mercy of the corporations to decide how, when, or
    if a given security problem will be addressed.
    The scientist who creates the cancer-fighting gene (a good thing)
    could also use that knowledge to develop tailored genetic weapons (a
    bad thing)... It's not about responsible disclosure, it's about vendor
    accountability, quality assurance, and this looney, misguided belief
    that security through obscurity works.
    "Without disclosure, there is no truth.  Without truth, there is no
    accountability."             -- Richard Thieme
    ISN is currently hosted by Attrition.org
