IP: MS to force IT-security censorship

[David Farber <dave () farber net>]

> http://www.theregister.co.uk/content/4/22614.html
>
> Creating, then throttling, security 'partners'
> By Thomas C Greene in Washington
> Posted: 02/11/2001 at 04:43 GMT
>
> We all know how Microsoft likes to bully its many 'partners', so it
> comes as no surprise that the Beast has decided to apply its
> partnership muscle to silence the software and network security
> research community.
>
> The company is currently shopping a 'security partnership agreement',
> which would open up reams of MS vulnerability data to those firms
> which capitulate to its censorship demands while leaving all others
> out in the cold, The Register has learned.
>
> Terms of the partnership agreement include provisions which would
> enjoin partners from releasing 'detailed' vulnerability data over a
> 'blackout' period. Our information is in conflict here; we've heard
> that the blackout could be 45 days, a la CERT, or as long as six
> months, or indefinitely, until a fix is developed.
>
> It's likely that several drafts of the agreement are in circulation,
> and this uncertainty indicates the minimum and maximum periods
> currently under consideration.
>
> The word 'detailed' is still being debated, we gather. But we can
> guess that the sanitized reports MS itself likes to publish to
> accompany its patches would provide the model. Full disclosure would
> be enjoined until the Beast manages to issue a fix; and it appears
> that the agreement would give the company as long as it likes to
> develop one. Its security partners would be expected to keep silent,
> or issue a well-scrubbed, sanitized advisory in the mean time.
>
> Just as we saw MS pressuring its partners to rat on system builders
> who request quotes on OS-less 'naked' boxes with a bribery scheme
> http://www.theregister.co.uk/content/archive/18589.html, we can expect
> similar shenanigans to ferret out rogue security vendors which dare
> defy the Redmond Censors and actually offer their customers useful
> information.
>
> Redmond's goal is to ensure forcibly that exploit code doesn't fall
> into the hands of the blackhat development community before they've
> got a fix, but it also means that security vendors won't be able to
> give their customers the means to develop a workaround or a fix to an
> existing vulnerability until Redmond gets off its ass and solves the
> problem.
>
> The problem here is obvious: if millions of systems are vulnerable to
> attack, it's pure head-in-the-sand gambling to hope that none of them
> will be exploited during the time it takes Redmond to sort it all out.
>
> Frankly, if I were paying good money for security services, I'd feel
> cheated if my vendor withheld data which I might be able to use to
> protect myself from attack. I wouldn't consider that a service worth
> paying for. I would do business with security vendors who wouldn't
> withhold crucial information from me on Microsoft's behest.
>
> Worse, we have here a recipe for establishing a monopoly on
> vulnerability data like the little cabal of greedy insiders who run
> the anti-virus industry, and who control access to information with a
> stranglehold which protects nothing so much as their revenue stream.
>
> Spin Session
>
> It's likely that MS will announce this appalling scheme formally
> during its Trusted Computing Forum in Mountain View, California on 6,
> 7 and 8 November.
>
> The forum "will bring together leaders of the online community to
> address some of the most pressing privacy and security issues we face
> today," the company says.
>
> And of course, it's all part of Microsoft's touching tradition of
> selfless public service: "The need for a forum such as this is greater
> than ever. The tragic events of September 11, 2001 have made an
> undeniable impact on the industry and the world with regards to
> privacy and security concerns," we're told.
>
> And who's been invited to speak? Richard Clarke, Presidential Advisor
> for Cyber Security; Brian Arbogast, Vice President of Microsoft's .NET
> Core Platform Services; Craig Mundie, MS Chief Technology Officer;
> Mozelle Thompson, Commissioner, Federal Trade Commission; Stewart
> Baker, Partner, Steptoe and Johnson & former General Counsel, National
> Security Agency; Jerry Berman, Executive Director, Center for
> Democracy and Technology; Rebecca Cohn, member of the California State
> Assembly; Lt. Lenley Duncan, Commander California Highway Patrol
> Network Management Section; and Barry Steinhardt, Associate Director
> of the ACLU.
>
> Rather a significant stacking of collaborators over skeptics, we must
> observe.
>
> If anyone mistook MS Security Manager Scott Culp's recent essay
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/s
> ecurity/noarch.asp denouncing full-disclosure proponents as
> 'information anarchists' for some simple, earnest opinion piece, they
> can dispense with that illusion.
>
> The essay was a mere shot across the bow in preparation for the real
> assault, which we predict will ultimately include some RIAA-like
> lobbying consortium to enforce Redmond's will upon the security
> community.
>
> Unless, of course, the security research community has the spine to
> defy the Beast, an outcome we'd like to see, but which we wouldn't bet
> good money on. Though if anyone wants to step up and prove us wrong,
> we'll be the first to applaud.


For archives see:
http://www.interesting-people.org/archives/interesting-people/