[ISN] Microsoft: Finding flaws on our website is OK

From: InfoSec News (alerts@private)
Date: Tue Apr 22 2008 - 01:49:24 PDT


http://www.theregister.co.uk/2008/04/21/microsoft_oks_online_flaw_finding/

By Dan Goodin
The Register
21st April 2008

ToorCon - In a first for a major company, Microsoft has publicly pledged 
not to sue or press charges against ethical hackers who responsibly find 
security flaws in its online services.

The promise, extended Saturday at the ToorCon security conference in 
Seattle, is a bold and significant move. While researchers are generally 
free to attack legally acquired software running on their own hardware, 
they can face severe penalties for probing websites that run on servers 
belonging to others. In some cases, organizations have pursued legal 
action against researchers who did nothing more than discover and 
responsibly report serious online vulnerabilities.

"This is actually really important because online services - that's our 
stuff," Microsoft security strategist Katie Moussouris told several 
hundred researchers. "The philosophy here is if someone is being nice 
enough to point out your fly is down, they're really doing you a favor 
and you should thank them rather than calling the cops and saying you're 
a pervert."

Moussouris said she is pushing to get a provision added to a proposed 
standard that's making its way through the International Organization 
for Standardization that would protect ethical hackers who responsibly 
disclose vulnerabilities in other companies' websites. "If I get my way, 
it'll be in there," she said.

(In a brief exchange after her talk, Moussouris told us she didn't know 
offhand exactly how the proposed standard was designated. We're guessing 
it's this one, though we can't be sure.)

The idea is to make websites safer by taking advantage of the legions of 
independent researchers who stumble upon security bugs. As she put it: 
"Don't hate the finder, hate the vulnerability. We don't actually want 
to discourage people who are trying to help us by being iffy about 
whether we're going to go after them."

As things stand, researchers frequently turn a blind eye to gaping 
security holes on websites for fear of suffering a fate similar to that 
of Eric McCarty. The prospective student at the University of Southern 
California found a flaw in the school's online application system that 
gave him access to other applicants' records. In 2006, he was charged 
with computer intrusion after producing proof of his finding.

"There's definitely a lot of trepidation among legitimate researchers to 
find flaws in public-facing web applications because you never know how 
[companies] are going to react," said Alex Stamos, a founding partner at 
iSEC Partners, a firm that provides penetration-testing services. "That 
hurts us because the only people finding these flaws are the bad guys."

Moussouris's remarks came as she gave a progress report on Microsoft's 
efforts to be more responsive to security researchers. One new 
initiative is a two-day course called Defend the Flag, a modified 
version of Capture the Flag, for its IT employees who are new to 
security. Microsoft is also offering assistance to companies grappling 
with their own security issues and giving a heads-up when it learns of 
vulnerabilities affecting third-party vendors.

Microsoft's security team has also worked hard to strike a balance 
between releasing security patches quickly and making sure the updates 
don't break products that customers rely on.

"We are a huge target, obviously," Moussouris said. "Some of you love 
that about us. We basically face a lot of issues that a lot of vendors 
haven't had to deal with. Not many vendors out there can break the 
[internet] if they mess up their patches."
