Bugtraq mailing list archives

Re: Fwd: Information on MS99-022


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 5 Jul 1999 15:53:57 +1000


In some mail from Renaud Deraison, sie said:

On Sun, 4 Jul 1999, Vanja Hrustic wrote:

I haven't seen this on the Bugtraq, but it's very interesting...

[snip]

So, if I have my custom-developed IDS running, I won't be able to implement
a pattern for this, because I am not a member of the 'Intrusion Detection
Consortium'?

And I'm writing a free security auditing tool, and I won't be able to
implement a security check for this, because I'm not a "vendor"?

And your problem with this is?  To me this is a fight you can't win,
because to corporations you're a "nobody".  If I were Microsoft and
saw that numerous security flaws were being announced through a commercial
group such as X-Force, I might make some sort of arrangement of mutual
benefit, where security issues aren't announced until patches are available,
in return for sharing knowledge of problems learned internally in a way
that is of benefit to those paying people to look for exploits and are
otherwise looking for ways in which to increase product value.

(apparently only software vendors are welcome in the ICSA's IDC --
 they did not reply to my request to be admitted to this consortium
 [so that I could get information about this flaw])

And how does having members who are looking for freebies help their
bottom line?  Information on Internet Security is now a market with
value.

[...]
What comes to my mind is that Microsoft is giving the scoop on the
test for the vulnerability to the ICSA's IDC members.

And the problem with that is?  What should be important is that the
information about the problem became public, allowing people to become
aware of the problem and how to fix it.

[...]
What does this mean? You have to _sell_ your security products to get
security information from the vendors, or else they won't even consider
that you are writing security tools?

It's well recognised that Microsoft has a dim view of the "Open Source"
movement, due to the way it perceives it as being a threat to its own
products, so getting them to support it seems very unlikely.

Anyway, what does it matter to you, if your product is free?  It has no
value so whether or not it can detect X makes no real difference if there
is a patch available to resolve X.

[...]
This attitude shows the lack of ethics of several companies which claim
they are interested in security, because no matter how knowledgeable you
are, you will have to pay to determine whether you are vulnerable or not.

Now you're catching on.  Security is a market of some value today, not
like it was back in the early 90's when things like FWTK/Satan were written
and given away.  Sure, it is security by obscurity, but do you get any more
details in patches from Sun that manage to roll out prior to being all
over bugtraq?  I don't know of any vendor that has a full-disclosure policy,
only hackers and other posters to bugtraq.  For vendors there may well be
legal implications of giving out information to people who could use
that information to break into systems.  At least by going through the ICSA
they're dealing with a body that is arguably reputable, so some sort of due
diligence could be argued.

Darren

p.s. Has anyone tallied up the number of announcements about Microsoft
NT security bugs in the last year?  I'm wondering if there haven't been
more than for, say, Solaris, even though NT has none of the "Unix Security
Problems".
