In some mail from Renaud Deraison, sie said:

> > On Sun, 4 Jul 1999, Vanja Hrustic wrote:
> > > I haven't seen this on the Bugtraq, but it's very interesting...
> > [snip]
> > > So, if I have my custom-developed IDS running, I won't be able to implement
> > > a pattern for this, because I am not a member of 'Intrusion Detection
> > > Consortium'?
>
> And I'm writing a free security auditing tool, and I won't be able to
> implement a security check for this, because I'm not a "vendor" ?

And your problem with this is ?

To me this is a fight you can't win because to corporations you're a "nobody". If I were Microsoft and saw that numerous security flaws were being announced through a commercial group such as X-Force, I might make some sort of arrangement of mutual benefit where security things aren't announced until patches are available, in return for sharing knowledge of problems learned internally in a way that is of benefit to those paying people to look for exploits and are otherwise looking for ways in which to increase product value.

> (apparently only software vendors are welcomed to the ICSA's IDC --
> they did not reply to my request of being admitted in this consortium
> [so that I could get information about this flaw])

And how does having members who are looking for freebies help their bottom line? Information on Internet security is now a market with value.

[...]

> What comes to my mind is that Microsoft is giving the scoop of the
> test of the vulnerability to the ICSA's IDC members.

And the problem with that is? What should be important is that the information about the problem became public, allowing people to become aware of the problem and how to fix it.

[...]

> What does this mean ? You have to _sell_ your security products to have
> security information from the vendors, or else they won't even consider
> that you are writing security tools ?

It's well recognised that Microsoft has a dim view of the "Open Source" movement due to the way it perceives it as being a threat to its own products, so getting them to support it seems very unlikely. Anyway, what does it matter to you, if your product is free? It has no value, so whether or not it can detect X makes no real difference if there is a patch available to resolve X.

[...]

> This attitude shows the lack of ethics of several companies which claim
> they are interested in security. Because no matter how knowledgeable you
> are, you will have to pay to determine if you are vulnerable or not.

Now you're catching on. Security is a market of some value today, not like it was back in the early 90's when things like FWTK/Satan were written and given away. Sure it is security by obscurity, but do you get any more details in patches from Sun that manage to roll out prior to being all over bugtraq? I don't know of any vendor that has a full-disclosure policy, only hackers and other posters to bugtraq. For vendors there may well be legal implications of them giving out information to people who could use that information to break into systems. At least by going through the ICSA they're dealing with a body that is arguably reputable, so some sort of due diligence could be argued.

Darren

p.s. Has anyone tallied up the number of announcements about Microsoft NT security bugs in the last year? I'm wondering if there haven't been more than for, say, Solaris, even though NT has none of the "Unix Security Problems".
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:29 PDT