Information Security News mailing list archives

The Freedom to Innovate Includes The Freedom to Obfuscate


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Nov 2001 03:44:00 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.infowarrior.org/articles/2001-11.html
(Full article, nicely-formatted, with referenced hyperlinks)

The Freedom to Innovate Includes The Freedom to Obfuscate:
Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability
Richard Forno 
11 November 2001: Essay #2001-11
rforno () infowarrior org

(c) 2001 by Author. Permission is granted to quote, reprint or
redistribute provided the text is not altered, and appropriate credit
is given.

Summary: Microsoft's newfound emphasis on security and "responsible
disclosure" is more for PR purposes than true security, and places the
net at great risk.

"It will not follow that everything must be suppressed which may be
abused... if all those useful inventions that are liable to abuse
should therefore be concealed, there is not any Art or Science which
may be lawfully professed." -- Bishop John Wilkins, 1641

In late October 2001, Microsoft's Security Manager Scott Culp
published a missive calling for 'responsible disclosure' of security
vulnerability information on the Internet, claiming it was because of
the public availability of such information that major Internet
security problems or cyber-terrorist events could occur. His
commentary was well-received by large commercial companies and
security vendors, and panned by nearly everyone else.

<.snip.>

Full disclosure forums serve as a community resource and a much-needed
check-and-balance against the profit-motivated interests of vendors
preferring that its customers blindly continue purchasing and
supporting its line of products, blissfully unaware of the potential
dangers they are susceptible to each time they boot up or log on.
Absent this objective and freely available mechanism, the internet
community is at the mercy of the corporations to decide how, when, or
if a given security problem will be addressed.

The scientist who creates the cancer-fighting gene (a good thing)
could also use that knowledge to develop tailored genetic weapons (a
bad thing)...It's not about responsible disclosure, it's about vendor
accountability, quality assurance, and this looney, misguided belief
that security through obscurity works.

"Without disclosure, there is no truth. Without truth, there is no
accountability." -- Richard Thieme

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

