Full Disclosure mailing list archives
Organization for Internet Safety (OIS) formally announced
From: sockz () email com (sockz loves you)
Date: Wed, 02 Oct 2002 00:12:17 -0500
You'll have to forgive me for not jumping in on this debate sooner. I was holding a going away party for a friend who's moving to China to teach Business English last night when I first read PHC's post. Woke up this morning to find my phone is down and the network is being patched... no internet, and the email address I post from doesn't support WAP :( shitty morning. But enough of my ranting...

I've been watching OIS for a while now. Someone pointed me in their direction when the idea was still in its nascent form. And to be frank, it's a very good idea indeed. It solves one of the main problems of the security industry's current system: ie, who's on the receiving end of 0-day information.

"The lack of any consensus procedures complicates the process of fixing vulnerabilities, and ultimately increases the risk that all computer users face."

"Once the word is out to some, the risk of exploit increases dramatically, but many people still don't know about the problem."

(source: http://www.oisafety.org/about.html)

Die-hard whitehats will espouse in rebuttal that if admins are lazy then they should be punished by compromised security. A lie that only serves to further the paranoia and make those who are well-entrenched in the security industry look like gods. Most of you would have to be lying if you said you never considered how the use of "proof of concept" code in advisories could actually do more harm than good.

"OIS is concerned about Internet safety as a whole. It may be true that a small number of sophisticated administrators can make beneficial use of "proof of concept" code, but its publication puts the vast number of internet users at serious risk."

(source: http://www.oisafety.org/about.html)

The OIS makes logical sense. Current systems in the security industry have vulnerability information thrown deep into the wild.
OIS addresses that problem by directing that vuln info towards the people who can actually do something with it: responsible and serious vendors who are concerned about image and profit.

PHC is right when they praise Microsoft. The OIS is a good business move. It's one of the smartest moves any company in the industry has made this year. By eliminating "proof of concept" code as far as Microsoft products go... you secure a WIDE RANGE of products attached to the internet... simply because of the wide use of MS products. You also reduce the number of script kiddies/leeches who use proof of concept code, and you reduce the probability of your share price dropping should a major vulnerability be found. The OIS could even make internet stocks more stable because the company has greater control over the flow of information about its products and their weak points, making profits easier to predict. That's just an estimate though, I'm not a stock broker. Hell, I haven't even spent more than two years studying the stock market.

I support OIS whole-heartedly. It takes the power out of the hands of list owners and puts it back into the hands of software developers... the only people who can actually do something about the problem.

----- Original Message -----
From: phc () hushmail com
Date: Tue, 1 Oct 2002 05:47:09 -0700
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Organization for Internet Safety (OIS) formally announced

> PHC is very happy about this move by Microsoft and other companies such as Symantec/SecurityFocus. The FAQ is a 180 degree turn on what they promoted in the past in order to stuff their pockets and tend to their bottom line, but at least their new self-serving and highly lucrative endeavour no longer conflicts with our own interests.
>
> Get rid of 'proof of concept' code. Idiots shouldn't have this spoonfed to them on the lists.
>
> Keep up the good work Microsoft. We were all pulling for you.
> And SecurityFocus, congratulations on deceiving the public sheep for so long... convincing them you had the innocent Netizen's interests at heart while your profit margin widened as a result of your mastery of capitalizing on insecurity, scare tactics, and FUD. Little did they know how corrupt and criminal you were, but at least now that you've jumped into bed with Symantec and Microsoft you can unashamedly spread your corporate wings and soar without fear of reprisal by those who knew what you were up to all along. It is a glorious day indeed.
>
> We're looking forward to a few months from now when there'll be only tumbleweeds blowing across The Land of Bugtraq, and when Dug Song can go back to his monkey stomp parachute float drops from Crip monuments in Detroit (Dug Song hacks).
>
> cu
>
> On Mon, 30 Sep 2002 19:48:42 -0700 "Steven M. Christey" <coley () linus mitre org> wrote:
> > For those of you who care about vulnerability disclosure issues, the "Organization for Internet Safety" (OIS) formally announced its existence. This is the same group of security and software companies that has been discussed in past months.
> >
> > The founding members are: @stake, BindView, Caldera International (The SCO Group), Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, and Symantec.
> >
> > Note that my employer, MITRE, is not a member of OIS. This often causes confusion because I have been involved in writing documents that OIS may use as part of their own policies.
> >
> > Some articles are at:
> > http://www.theregister.co.uk/content/55/27312.html
> > http://www.eweek.com/article2/0,3959,558881,00.asp
> >
> > The OIS home page is at: http://www.oisafety.org
> >
> > A FAQ is at: http://www.oisafety.org/about.html
> >
> > The FAQ should be of high interest to anybody who does vulnerability research.
> >
> > - Steve
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html