Full Disclosure mailing list archives

Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...


From: Anders Langworthy <hades () psilanthropy org>
Date: Sat, 12 Mar 2005 12:21:11 -0600

J.A. Terranson wrote:
> This "story" really just reflects what has been going on in the real world
> for some time now.

Yes. Another incident from two years ago that demonstrates this philosophy quite well:

[From http://www.eweek.com/article2/0,1759,921855,00.asp]
[FEDS MOVE TO SECURE NET]

"The most significant move is the development of a private, compartmentalized network that will be used by federal agencies and private-sector experts to share information during large-scale security events...

"Sachs...pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.

"The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability."