Information Security News mailing list archives

Re: Microsoft Rallies Industry Against Bug Anarchy


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Oct 2001 02:46:06 -0500 (CDT)

Forwarded from: Darren Reed <darrenr () reed wattle id au>

In some email I received from InfoSec News, sie wrote:
http://www.newsbytes.com/news/01/171173.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
16 Oct 2001, 1:37 PM CST

Pushed to the brink by recent Internet worm outbreaks, Microsoft
hopes to rally the computer industry against those who improperly
publish information about security vulnerabilities.

In an editorial at Microsoft's site, Scott Culp, head of the
company's Security Response Center, announced the initiative
against what he called "information anarchy."
 
According to Culp, the damage caused by worms such as Code Red and
Nimda can be blamed in part on computer security professionals who
discovered the software flaws exploited by the malicious,
self-propagating programs.

Part advisory announcing the problem, part hacker writing the worms AND
PART VENDOR for supplying the faulty software.  Maybe part
administrator for not patching it, but administrators shouldn't have
to do that :)

"Clearly, the publication of exploit details about the
vulnerabilities contributed to their use as weapons ... It's
simply indefensible for the security community to continue arming
cybercriminals," he said.

So, let's follow that argument one step further.  Microsoft supplied
vulnerable software to hundreds of thousands of sites worldwide ...
It's simply indefensible for vendors to continue providing vulnerable
software to customers.

"This is not a call to stop discussing vulnerabilities. Instead,
it is a call for security professionals to draw a line beyond
which we recognize that we are simply putting other people at
risk," said Culp.

"We question the ethics and business value of arming individuals
with the ability to break into computers," said Rouland.

Instead we provide people with software that you don't even need to
break the DMCA in order to find out what faults (and how) are being
checked for. Well, so long as using a packet sniffer to watch the
conversation between IIS and its target doesn't infringe the DMCA, and
I can't see how it could.

[...]
Besides acknowledgments in its security bulletins, Microsoft plans
to develop additional means of encouraging security professionals
to adopt its limited-disclosure stance.

And for those that don't subscribe to the Microsoft school of thought,
what does that have to offer?  The only incentive here is not to
publish security compromising information under a recognisable name.
If the Eeye advisory had been published using a pseudonym, (a)
nobody would care who Eeye is (I still don't) and (b) Eeye wouldn't be
in the firing line now.

"It's time for the security community to get on the right side of
this issue," he said.

It's time the community at large demanded better software quality from
vendors.  I imagine if it were Sun computers running Solaris or Linux
that were in the hundreds of thousands supporting these worms then M$
would be making fun of Unix and not complaining about security
exploits, etc.  Nevertheless, wind the clock back almost 10 years and
it was SunOS that was notorious for falling prey to hackers, and I
don't recall Sun "crying" about how unfair it was when scripts, etc.,
were posted in newsgroups or on lists.

"Oh no, it'll cost us more money to do that!", they scream.

If your car had as many bugs as M$ Windows does, would you pay however
much it is for it new?

And on the other side, if M$ Windows had as few bugs as a new car,
would you pay thousands and thousands of dollars for it?  Let's
pretend that you could keep and use the same copy of M$ Windows for
10-20 years with the same ease you can cars :-)

(I'm assuming that a "new car" or line might be _recalled once_ in its
 lifetime to fix a serious problem that would be equivalent to a security
 bug the likes of what we see in IIS regularly).

Darren



-
ISN is currently hosted by Attrition.org
