Full Disclosure mailing list archives

Re: Re: Microsoft to give holes info to Uncle Sam first


From: "Bruce Ediger" <eballen1 () qwest net>
Date: Sat, 12 Mar 2005 16:24:47 -0700 (MST)


On Sat, 12 Mar 2005, Feher Tamas wrote:

> If Microsoft gives fixes info to Uncle Sam first, it gives
> USA the exploits first.

Note that this may have gone on for some time, and MSFT is not the
only culpable vendor:

Cambridge security researcher Ross Anderson says in his paper "Security
in Open versus Closed Systems - The Dance of Boltzmann, Coase and Moore":

---
The US government prefers vulnerabilities in some products to be reported
to authority first, so that they can be exploited by law enforcement or
intelligence agencies for a while.  Vendors are only encouraged to ship
patches once outsiders start exploiting the hole too.
---

I found this paper at http://www.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf

Anderson offers no support for the above statement in his paper.

On a more anecdotal level, just after the 1988 Internet Worm,
I participated in a discussion at a US defense contractor where a
fellow with several clearances claimed that the NSA had dossiers on
each operating system, and they knew all the holes in each of them,
"Even in VMS".