Information Security News mailing list archives

Re: Hacker watchdog group in the works


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Nov 2001 03:42:48 -0600 (CST)

Forwarded from: Robert G. Ferrell <rferrell () texas net>

MOUNTAIN VIEW, Calif. -- Microsoft and five security companies
announced on Thursday that they would create an organization to
promote the responsible publishing of information about software
flaws.

Sorry, but "Microsoft" and "responsible" in the same sentence pegged
my incongruity meter.

My inherent distrust of vendor-initiated and/or moderated forums
devolves from the simple fact that vendors (understandably) want to
downplay the severity and potential consequences of vulnerabilities
discovered in their products.  As a consequence, while we might get
the bare bones facts about a security flaw and maybe even a fix, we
aren't likely to get anything like the exhaustive analysis of the
engineering issues underlying a particular vulnerability that now
frequently accompanies announcements by independent security analysts.  
This in effect means that we simply have to trust the vendors to kiss
it and make everything all better, despite the fact that they're the
same ones who shipped the product with the flaw in the first place.

I don't know about you folks, but applying the traditional Redmond
'black box' principle to security gives me the heebie-jeebies.

Cheers,

RGF

Robert G. Ferrell
rferrell () texas net

