Hacker watchdog group in the works

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-7823586.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com 
November 8, 2001, 10:05 p.m. PT 

MOUNTAIN VIEW, Calif. -- Microsoft and five security companies
announced on Thursday that they would create an organization to
promote the responsible publishing of information about software
flaws.

While many of the details have yet to be hammered out, the move marks
the beginning of what could be the widespread emergence of ethical
rules for security research.

"There has been a need for industry convergence around a code of
conduct for releasing exploits," said Eddie Schwartz, senior vice
president and chief operating officer for security services firm
Guardent, a founding member of the group. "We are going to form an
organization to help us deal with the vulnerabilities. Ultimately, we
want to develop some standards for releasing these things."

The move, announced at Microsoft's Trusted Computing conference, had
been widely expected.

In early October, Scott Culp, the manager of Microsoft's security
response center, published an essay on the harm done by the unethical
release of vulnerability information. In addition, the company had
been using the Trusted Computing conference as a sounding board for
several proposals, said several attendees.

Along with Microsoft and Guardent, security companies @Stake,
Bindview, Foundstone and Internet Security Systems also supported the
announcement, Schwartz said. The formal announcement for the group is
expected within a month, and more partners would be added, he said.

"This is not just Microsoft initiative," Schwartz stressed. "We want
the Ciscos and Suns and security vendors to join as well."

Vulnerability disclosure has been an emotional topic in the software
security industry for some time. The latest announcement has already
sparked controversy: Russ Cooper, a software security expert and
editor of security mailing list NTBugTraq, published his own
guidelines for an independent security group, called the Responsible
Disclosure Forum. Cooper boycotted Microsoft's conference largely
because he distrusts the software giant's motives.

For the most part, however, Cooper and Microsoft agree on the problems
that fully disclosing software flaws can create.

"You either participate in the Responsible Disclosure Forum, or you're
a black hat bent on being malicious, end of story," he wrote in the
introduction to the guidelines. "Too much money, too many individuals
and too much of the world's communication rely on responsible
disclosure for it to be continued to be seen as a discussion worth
debating."

The Microsoft-supported guidelines tentatively give software makers 30
days to patch their products after being informed of a flaw. It also
requires members to respond to a report of a security hole promptly
and keep the original author advised of their progress.

"This is something we talked about 11 months ago (at a previous
security conference) and we have some real traction now," Microsoft's
Culp said.

Not everyone agrees that full and open discussion of security issues
is bad, however.

While he didn't oppose Microsoft's thrust to limit the release of
programs that indiscriminately exploit software flaws, Matt Blaze, a
security researcher at ATT Labs, worried that the industry might
overcompensate out of fear of being seen to support malicious hackers
and online vandals.

"Since I do that (discover security vulnerabilities) for a living, I'm
a bit concerned," he said. "As a researcher in this area, I depend on
the open exchange of information."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.