November 10th, 2001, 06:31 PM
Microsoft's Anti-disclosure plan
I noticed a nice little article over at SecurityFocus about Microsoft's new anti-disclosure coalition. Some big names involved include Foundstone (Hacking Exposed authors) and ISS (yes, the same ISS that puts all the pretty banner ads on this site ;-).
Microsoft's been trying to limit the release of vulnerabilities for a while now, but this is the first I've seen of big security firms backing them. IMHO this is pathetic and I think it really discredits the firms involved. Don't think I'll be buying the 3rd edition of Hacking Exposed now either.
Here's the article again, check it out, it's worth the read http://www.securityfocus.com/news/281
November 10th, 2001, 06:47 PM
I don't know. Maybe it's just me, but the epidemic of malicious worms was simply a worm that had variations done to it. What concerns me about this is the idea that we'll hide all vulnerabilities from administrators and users, and if we release anything at all it will be vague. That means that as an administrator something could be wrong with my server and I'd never know it.
From the article in question:
But Culp criticized the practice in an essay published on a Microsoft Web site last month, and blamed "information anarchy" for the epidemic of malicious worms that have struck the Internet in the last year. "It's high time the security community stopped providing blueprints for building these weapons," Culp wrote.
I might as well join a police force and never wear a bullet proof vest. And even if I do wear a bullet proof vest, no one told me that "cop killer" ammo can go through it.
To me it just seems like a cop-out by Microsoft. I think they don't want the rep that they earned, which is an OS that lacks security. They are slowly overcoming that but it takes time. This will not add to their image, IMHO.
As for the others, not quite sure why they are jumping on the bandwagon. Perhaps to get exposure? I suspect that ISS is supporting MS because MS put ISS RealSecure into ISA. But that's all assumption and conjecture on my part.
November 10th, 2001, 07:10 PM
Re: Information Polizei strike again !!!!!
The reason that I feel very strongly against such a thing is that it is clearly intended to please someone who does not know who *really* discovers these exploitable flaws in software/services.
So, much like I stated in another similar post on this site, the attackers still have the information, and they will share it within their circle. /* the gifted [$color]-Hats are the ones that discover a lot or most of the exploits anyway */ Yet the Sys-Admins and other security-concerned people of the world don't get to play, and systems fall seriously behind in their security measures.
Can we get somebody who knows what the hell they are doing to make these kinds of decisions on our /* IT pros' */ behalf, please?
Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.
Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
November 10th, 2001, 10:26 PM
What do you expect? It's Microsoft. They're always doing covert ****.
November 11th, 2001, 02:11 AM
This could cause even more companies to make a switch from Microsoft to Linux, as they are not really going to know what areas of their system the patches for security issues are going to affect, and it could bring down critical systems...
Currently, I'm on a hiatus from applying any Microsoft patches, as I applied the latest security updates to my home network, and then it no longer worked...
"Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
But when you're good and crazy, hehe, the sky's the limit!!"
November 11th, 2001, 02:17 AM
Okay. Bad idea:
"You can never criticize our products! Just don't talk about it and it won't be a problem."
"Tell the companies first so that they can have a head-start in making a fix, then release full info maybe a month later."
It'll be great as long as Microsoft doesn't try to squelch any criticism just because it *is* criticism... It's doomed.
But, really, I think that giving the responsible software companies a head-start is what it seems to be about, and I think that's perfectly okay.
[HvC]Terr: L33T Technical Proficiency
November 11th, 2001, 11:43 AM
My view is, this is just another example of a large business entity trying to exercise control over the general public. My views on public disclosure are stated in another current thread here at AntiOnline.
"He who fights with monsters should look to it that he, himself, does not become a monster.... When you gaze long into the abyss, the abyss also gazes into you"
November 13th, 2001, 10:25 PM
And the reply :)
Bruce Schneier wrote an excellent counter-argument to all of this. It's long, but it is definitely worth the read. I highly recommend checking it out.