Microsoft's Anti-disclosure plan

Printable View

November 10th, 2001, 07:31 PM
Chris

Microsoft's Anti-disclosure plan

I noticed a nice little Article over at security focus about Microsoft's new anti-disclosure coalition. Some big names involved include Foundstone (hacking exposed authors) and ISS (yes the same ISS that puts all the pretty banner ads on this site ;-).

Microsoft's been trying to limit the release of vulnerabilities for a while now, but this is the first I've seen of big security firms backing them. IMHO this is pathetic and I think it really discredits the firms involved. Don't think I'll be buying the 3rd edition of hacking exposed now either.

Here's the article again, check it out, it's worth the read http://www.securityfocus.com/news/281
November 10th, 2001, 07:47 PM
MrLinus

Quote:

from the article in question
But Culp criticized the practice in an essay published on a Microsoft Web site last month, and blamed "information anarchy" for the epidemic of malicious worms that have struck the Internet in the last year. "It's high time the security community stopped providing blueprints for building these weapons," Culp wrote.

I don't know. Maybe it's just me but the epidemic of malicious worms were simply a worm that had variations done to it. What concerns me about this is the idea that we'll hide all vulnerabilities from administrators and users, and if we release anything at all it will be vague. That means that as an administrator something could be wrong with my server and I'd never know it.

I might as well join a police force and never wear a bullet proof vest. And even if I do wear a bullet proof vest, no one told me that "cop killer" ammo can go through it.

To me it just seems like a cop-out by Microsoft. I think they don't want the rep that they earned, which is an OS that lacks security. They are slowly overcoming that but it takes time. This will not add to their image, IMHO.

As for the others, not quite sure why they are jumping on the bandwagon for. Perhaps to get exposure? I suspect that ISS is supporting MS because MS put ISS RealSecure into ISA. But that's all assumption and conjecture on my part.
November 10th, 2001, 08:10 PM
UberC0der

Re: Information Polezi strike again !!!!!

The reason that I feel very strongly against such a thing is that it is clearly intended to please someone who does not know who *really* discovers these exploitable flaws in software/services.

So, much like I stated in another similar post on this site. The attackers still have the information, and they will share it within their circle. /*they gifted [$color]-Hats are the ones that discover a lot or most of the exploits anyway */ Yet the Sys-Admins and other security concerned of the world don't get to play and systems fall seriously behind in their security measures.

Can we get somebody who knows what the hell they are doing to make these kinds of decisions on our /* IT pro's */ behalf please.
November 10th, 2001, 11:26 PM
freeOn

What do you expect it's Microsoft. There always doing covert ****.
November 11th, 2001, 03:11 AM
Matty_Cross

This could cause even more companies to make a switch from Microsoft to Linux, as they are not really going to know what areas of their system the patches for security issues are going to effect, and it could bring down critical systems...
Currently, I'm on a haitus from applying any microsoft patches, as I applied the latest security updates to my home network, and then it no longer worked...
November 11th, 2001, 03:17 AM
Terr

Okay. Bad idea:
"You can never criticize our products! Just don't talk about it and it won't be a problem."

Good idea:
"Tell the companies first so that they can have a head-start in making a fix, then release full info maybe a month later."

It'll be great as long as Microsoft doesn't try to squelch any criticism just because it *is* criticism... It's doomed. :D

But, really, I think that giving the responsible software companies a head-start is what it seems to be about, and I think that's perfectly okay.
November 11th, 2001, 12:43 PM
ronin13

My view is,this is just another example of a large business entity trying to exercise contol over the general public.My views on public disclosure are stated in another current thread here at AntiOnline.
November 13th, 2001, 11:25 PM
Chris

And the reply :)

Bruce Schneier wrote an excellent counter-argument to all of this. It's long but it is definately worth the read. I highly recommend checking it out.

http://www.zdnet.com/zdnn/stories/co...824251,00.html