-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to keep things straight around here... I don't filter anyone's posts; I moderate a mailing list which has a lot of messages from a lot of people dropped on the floor for a lot of reasons.

There wasn't 10 minutes between the release of MS99-022 and the time I had Microsoft on the phone over the disclosure issue. I stated my case, that Microsoft must release "signature" details of internally discovered vulnerabilities to "the public", and was told there was a discussion going to be held on the issue. I believe I stated the case well, and that my intentions and recommendation on how to do this best were heard.

It matters not who receives the full details, as long as they get to the public in a timely fashion. I don't feel that full and immediate disclosure is always necessary, or prudent (and neither does eEye), but it's crucial that they do get into the public's hands. Neither Microsoft, nor ICSA, can assure anyone that any mechanism for disclosure is going to reduce, or eliminate, public disclosure... therefore any attempts at doing so from the beginning are, as someone else already said, Security By Obscurity.

I'm as unhappy as everyone else that Microsoft appear to have chosen this route to the disclosure of internally discovered vulnerabilities. This will become even more obvious over the next few weeks, unfortunately. Although discussions held recently during the NTBugtraq Party may have some influence on their future disclosures... we can only hope.

If anyone is going to "re-release Microsoft's advisories with full details", that's great. Every worthwhile post is going to make it to NTBugtraq. I will say this, though: I do not believe that any such "re-release" can possibly provide us with the information we *need* and *demand* from Microsoft.

It goes without saying that Microsoft have, for a very long time, been releasing what we would call "security fixes" within service packs without making any announcements. The fact that they do, now, provide a Security Bulletin is a Good Thing(tm). They say their customers don't want them "telling hackers how to do a better job". I say we can't possibly know how good a job they, Microsoft, are doing without knowing more about vulnerabilities.

Each Security Bulletin about an internally discovered vulnerability that is released without sufficient "signature" details erodes their credibility amongst the community of users who, possibly, may be the only ones trusted to say "Yes" or "No" to NT deployment in environments requiring security, stability, or integrity. "Trust" doesn't come exclusively from the availability of a fix. It's something earned and enhanced through the dissemination of accurate and timely information. Whether or not you, the individual Bugtraq reader, trust Microsoft isn't relevant here. Microsoft is less trustworthy if we, "the public", are not trusted with this information, period.

Cheers,
Russ - NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN4BWGM+Ua7J6A+woEQKPewCg3RS9gsSHHYops2y6PG7E2EnYJhQAoMYQ
BvgCqmtjae9+GUvE4BPO7+ce
=7SrQ
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:31 PDT