Information Security News mailing list archives

Microsoft, researchers tussle over security issues


From: InfoSec News <isn () c4i org>
Date: Wed, 7 Nov 2001 03:34:11 -0600 (CST)

http://www.siliconvalley.com/docs/news/tech/050585.htm

Tuesday, Nov. 6, 2001 

SAN FRANCISCO (Reuters) - Computer security researchers Tuesday
accused Microsoft Corp. of trying to avoid taking responsibility for
fixing holes in its software by making it harder for people who
discover them to publicize the security breaches.

Following recent high-profile worms such as Code Red and Nimda,
Microsoft has embarked on a campaign to get researchers to restrain
themselves when warning the public about security holes and bugs, a
practice known as ``disclosure,'' according to several researchers.

The issue is one of the main topics on the agenda at the
Microsoft-sponsored conference, ``Trusted Computing Forum 2001,'' in
Mountain View, Calif., which started Tuesday.

``We need to establish some kind of code of conduct; a standard of
behavior that we all can sign onto,'' said Scott Culp, manager of
Microsoft's security response center.

However, researchers said they are worried that Microsoft will use the
event to push its agenda and create a proposal for practices that
favor its own position.

``I'm boycotting the event this year because of this,'' said Russ
Cooper of TruSecure Corp., who has defended Microsoft on numerous
occasions.

``We need to have public discussion first to collect the information
from everybody,'' rather than just the Microsoft partners invited to
the conference, Cooper said.

Culp denied the claim, saying Microsoft is merely getting the ball
rolling in seeking a consensus on best practices that would benefit
the industry as a whole. ``We have not come to the conference with a
solution,'' he said.

'INFORMATION ANARCHY'

In a paper issued last month, Microsoft's Culp accused researchers of
fomenting ``information anarchy'' by releasing details about how
vulnerabilities work that are then used by malicious hackers.

``Today, too often when somebody finds a security vulnerability they
release either detailed exploit code or tools that can be used to
attack users,'' Culp said Tuesday.

But researchers counter that they need to give network managers a way
to test for security holes and to provide temporary fixes when
Microsoft does not act fast enough.

Otherwise, Microsoft takes weeks, even months, to release patches and
fixes, they said. The sooner the public knows about vulnerabilities,
the greater the chance they can fix them before a malicious hacker can
act, they said.

``If we can't disclose then software vendors basically can have bugs
reported to them and they can sit on them and do as they will,'' said
Marc Maiffret of eEye Digital Security, who discovered the hole in
Microsoft's Web server software that allowed Code Red to infect
thousands of computers.

Microsoft opposes the common disclosure practices because once
security information is released to the public the pressure is on them
to come up with a fix, said Bruce Schneier, chief technology officer
at Counterpane Internet Security.

``What we've learned during the past eight or so years is that full
disclosure helps much more than it hurts,'' Schneier writes in an
essay on the issue. ``And far fewer problems are showing up first in
the hacker underground, attacking people with absolutely no warning.''

'FREAKS AND GEEKS'

The issue is a sore spot for Microsoft, with critics long complaining
that the company sacrifices security for convenience and functionality
in designing its software.

Although Microsoft has added some security enhancements to its
recently released Windows XP operating system, a security problem
forced the company to shut down its Passport single sign-on
authentication service for at least two days just last week.

The company's .Net plan, which will allow users to access a variety of
data and services over the Internet and of which Passport is a key
piece, has raised both security and privacy concerns.

The balance of personal privacy with national security interests
following the Sept. 11 attacks is another topic to be addressed at the
second annual three-day conference this week.

``Most of us are saying privacy does have its limits because the more
private people are the more likely it is that they can represent a
threat to our public safety,'' said Richard Purcell Sr., director of
corporate privacy for Microsoft.

``We're getting the freaks and geeks together,'' Purcell said of the
conference. Getting ``the policy driven business management people and
the technically driven systems management people to work together in a
much more collaborative way.''



-
ISN is currently hosted by Attrition.org
