Forwarded from: security curmudgeon <jerichoat_private>

http://www.infowarrior.org/articles/2001-11.html
(Full article, nicely formatted, with referenced hyperlinks)

The Freedom to Innovate Includes The Freedom to Obfuscate:
Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability

Richard Forno
11 November 2001: Essay #2001-11
rfornoat_private

(c) 2001 by Author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.

Summary: Microsoft's newfound emphasis on security and "responsible disclosure" is more for PR purposes than true security, and places the net at great risk.

"It will not follow that everything must be suppressed which may be abused... if all those useful inventions that are liable to abuse should therefore be concealed, there is not any Art or Science which may be lawfully professed."
-- Bishop John Wilkins, 1641

In late October 2001, Microsoft's Security Manager Scott Culp published a missive calling for "responsible disclosure" of security vulnerability information on the Internet, claiming that it was because of the public availability of such information that major Internet security problems or cyber-terrorist events could occur. His commentary was well received by large commercial companies and security vendors, and panned by nearly everyone else.

<.snip.>

Full disclosure forums serve as a community resource and a much-needed check and balance against the profit-motivated interests of vendors who would prefer that their customers blindly continue purchasing and supporting their line of products, blissfully unaware of the potential dangers they are susceptible to each time they boot up or log on. Absent this objective and freely available mechanism, the Internet community is at the mercy of the corporations to decide how, when, or if a given security problem will be addressed.
The scientist who creates the cancer-fighting gene (a good thing) could also use that knowledge to develop tailored genetic weapons (a bad thing)...

It's not about responsible disclosure; it's about vendor accountability, quality assurance, and this loony, misguided belief that security through obscurity works.

"Without disclosure, there is no truth. Without truth, there is no accountability."
-- Richard Thieme

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 03:25:41 PST