Kevin Poulsen, SecurityFocus 2001-11-09
Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Anonymous (1 replies)
Who?
Who are these people who are siding up with Micro$oft? How come we don't see some big names like HP, Symantec, McAfee or other large virus protection, security and hardware manufacturers?
More like M$ and a few little puppets jumping to their tune. M$ will promise to do better and it wil...
What about the admins?
2001-11-09
ferretzero
Sys Admins are truly the ones who end up testing and verifying that the systems they manage are patched and not vulnerable. Very few companies have the luxury of their own Information Security team and don't have the budget to obtain a Managed Security service contract with an IS vendor.
With ...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Anonymous
I agree with this article. The information cartel that Microsoft is trying to build with some (very few) security companies is a bad scheme. Worse than that, try to imagine how this limited-disclosure plan would interact with stuff like DMCA, SSSCA, PATRIOT Act, USA Act, and the next wave of simil...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
russell handorf
script kiddies will no longer exist, however what about the hacker community deciding to no longer disclose bugs also? it's only going to put the 'whitehats' at a disadvantage (IDS/Firewall configs). i'm a strong supporter of full disclosure because it presents that there is truth to the bug vs some ki...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Angus Blitter
We are entering a technological Dark Ages. Driving legitimate research underground, and further exempting technology vendors from any kind of product liability exposure. History will brand our current "visionaries" as profiteers and opportunists. This self serving power-play will conspire to stagnat...
30 days makes no difference
2001-11-09
Anonymous
Waiting 30 days might give vendors longer to release a patch, but it will not make a difference. Most of the recent worms such as Nimda and Code Red used holes that already had patches released. The issue is not about time and patches. It is about design decisions. A very public service such as ...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Anonymous
Security through Obscurity never works. Microsoft is blaming the world for their bad security focus. They would probably claim that they need to put non-secure products on the market to keep "innovating". This is a load of crap.
Instead of shushing vulnerabilities, how about hold Microsoft acc...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
I am Stunned
at the membership of this 'coalition'
what is happening? The patriot act, the MS settlement, and now this?
Are we not rewarding MS to continue releasing pathetically coded products with its own 'coalition' group being formed to help it avoid embarrassment and subsequent market response? I am st...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
kishg (at) optonline (dot) com
It is simply a matter of time before this is circumvented by the numerous security researchers on the web. It has been amply proven that security by obscurity does not work and yet Microsoft fails to see this. System administrators cannot effectively close security holes if they do not know how the ...
Shocking developments
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com> (2 replies)
I'm somewhat shocked to see the names of the companies that have joined forces with Microsoft in this endeavor to hide information from users.
Mark Loveless has posted exploit code on his NMRC site. The tools offered up by the RAZOR team can be used by admins as well as attackers.
This most d...
Shocking developments
2001-11-09
Greggory Peck
I'm not very surprised at the list of companies supporting the "censorship"; Microsoft has always thrown its weight around enough to whet an appetite and make people see things their way.
My question I suppose is where are the checks and balances? Now what is to keep a small network of security...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Steve
Microsoft is just shooting themselves in the foot by doing this. By letting security people find these holes they know who's doing what and how. All this means is that some cracker who has nothing better to do will find the next exploit, will put it out for everyone and their dog to use and MS will ...
MS knows exactly what they're doing.
2001-11-09
Anonymous
Does anyone really think MS doesn't know security through obscurity doesn't work? They know it, but this is probably one of the finest poker hands I've ever seen.
MS has some very big companies on their side. They know that they will drive the exploit makers underground. Once they're underground...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Tommy Ward
Looks like one step closer to outlawing security research by anyone other than "legitimate" (corporate) entities. So they form a club and require membership dues of $5-10 K / year...this will provide a barrier to entry for anyone except large vendors. Then, with standards in place which set these str...
Download Utilities now, while you can
2001-11-09
anonymous
Though a previous poster is correct in stating that
these companies haven't released an advisory in some time, these companies or their employees host sites which offer auditing utilities. The only way these companies can ensure that their utilities and those of their employees are used for "good" p...
Be careful what you wish for.
2001-11-09
Surreal
>Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems
> Basically these 5 concerns hardly publish exploits anyway.
They're hoping to emulate the success of the Antivirus secret society - McAfee, "Norton", et al.
1, MS feeds them NDA information.
2, Figure out a minim...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
nogrhi
Clearly, this behavior should not come as a surprise to anyone. It accomplishes nothing for those of us (admins) who must work to defend against attacks. It does much for the defense of the M$ image.
Microsoft markets a large portion of its work to the 'instant gratification' masses. If the u...
Such a policy for disclosure already exists
2001-11-09
Dumky (1 replies)
There is a disclosure policy available on the web:
http://www.wiretrip.net/rfp/policy.html
It details a reasonable protocol for the person who discovers a security flaw to follow with the vendor.
A good read and I think a good solution for moderated full-disclosure.
See you,
Dumky...
Such a policy for disclosure already exists
2001-11-10
H Carvey <keydet89 (at) yahoo (dot) com>
Dumky,
> There is a disclosure policy available on the web:
> http://www.wiretrip.net/rfp/policy.html
Good point. Which is why many of us are probably shocked at the developments...last July at BH and DefCon, I saw several of the people employed by some of the listed companies chatting w/ RFP...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Anonymous
Does anyone see the irony of a firm that teaches people how to hack and another firm that wrote perhaps the most well known hacker tool ever (l0phtcrack) not supporting full disclosure? Seems to me, if I don't hire one of these firms then I have no way of being up to date on the latest vuls in a time...
Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Anonymous
This announcement has more to do with marketing and economics than security or "information anarchy". The bottom line is that Microsoft produces buggy insecure products because they prefer to spend resources on adding new "features" to products rather than QA'ing, Security Research or redesigning co...
Re:Microsoft Reveals Anti-Disclosure Plan
2001-11-09
Uhh
Like it matters. Microsoft's software is so crappy that it doesn't take public broadcast for malicious people to exploit it. Regardless of whether exploits (for IIS) are publicized or not, the crackers will find them, and will exploit them, because Microsoft takes WAY too long in releasing a stable ...
...on second thought...Kudos!
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com> (1 replies)
Kudos to the companies who signed up with Microsoft! If you think about it, it was an excellent business decision...you know, 'business', as in making money. Lots of it.
Anyone of these companies could have decided separately or amongst themselves, without Microsoft, to establish and adhere to ...
RE: ...on second thought...Kudos!
2001-11-10
Gregarious Monk
Yeah, right...
And these companies will make all this money from bugs that M$ will tell them about in advance, right?
So, if these bugs are known by these people first, and they're all in a "coalition" doesn't that make M$ liable for its crap? The members won't make squat, because M$ will turn i...
Microsoft Reveals Anti-Disclosure Plan
2001-11-10
Anonymous
Without the public embarrassment Microsoft would not fix ANY of their security holes. People, we are two weeks to a month away from a total meltdown of all Windows NT, 2000, XP systems due to the fact that Microsoft cannot even do a printf command right.
I am Sisyphus as it is my job to provide firewa...
Microsoft Reveals Anti-Disclosure Plan
2001-11-10
Anonymous
If the USA wants secure computing infrastructure, safe from "terrorist" attacks, they will resist this initiative, which would seem to be doomed anyway.
Any safety gained would be illusory. The assumption is that one of the "coalition" companies will find all the vulnerabilities... With the greate...
microsoft TERRIBLE SOFTWARE anyway
2001-11-10
Anonymous
I understand what they are trying to do, and appreciate
the fact that they want to limit the information sent
out about these security bugs.
Too bad that it seems microsoft just wants to cover
up for the terrible, shoddy, buggy, bloated, lax
software they write.
Also, nothing would prev...
Managed Security Services Industry?
2001-11-10
Dogsend
Could this be the start of a Managed Security Industry?
Only those who are members of this new club can claim to offer the latest up to date security services and make you safe.
If you are part of a small security consulting firm, or a small company Admin that can't afford managed security se...
Microsoft Reveals Anti-Disclosure Plan
2001-11-10
Anonymous
something definitely comes to my mind, most of (not to say all) juicy information available on the bugtraq and all others interesting sources whatever they are (papers, ezine, exploits etc..) usually come from independent security [club of]? researchers and by any mean from commercial vendors lik...
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-10
Rafal Sybilla-Leszczynski (1 replies)
So what would force Microsoft to patch these holes if exploits are not published? Nothing. And it seems that this is what Microsoft want....
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-12
Anonymous
There are plenty of sites like bugtracker that would find the information on a hacker site and then publish it. This would then make the companies part of this organization look very bad in the public's opinion. Sort of like the government's withholding of information over the years. It would also par...
Read the fine print
2001-11-11
Anonymous
The difference with this plan is that it is a strategy to both engage security vendors and affected software vendors. Some of the posts here are correct, there are 'responsible' disclosure policies out there. However, vendors do not subscribe to these policies, only the people that discover the v...
Full disclosure will survive
2001-11-11
Ben - Canberra AUS
The problem that Microsoft now face is twofold.
The first is that admitting responsibility will inevitably open them up to litigation. How long would it take for an organisation once attacked to try to seek some kind of compensation from MS? Once they have admitted responsibility the floodgates ...
Microsoft Reveals Anti-Disclosure Plan
2001-11-12
Anonymous
A new day. Well, they all sold out long ago and forget where their roots are. Getting on the bandwagon with Microsoft- have you no shame? You have now become an opensource foe and spit in the face of all those who helped make it what it is.
So much progress made in the last 20 years- ppl actually r...
So, green light to sue?
2001-11-12
Anonymous
It seems to me that in the very litigious United States this plan is a good way to get put out of business.
Consider,
- company/person X finds a flaw and advises M$ of it
- the rest of us get the promised limited disclosure
- I hear about the bug, but details are too sketchy for me to i...
Microsoft have no server monopoly: this may reduce their share
2001-11-12
Kirsten Bayes (kirruth@hushmail)
As ever, some good comments above.
My thought is that even though they have the desktop monopoly, Microsoft are a long way from having a monopoly on servers or the data centre.
In the end, if a vendor can't or won't provide timely, detailed information about its products (in any area of intere...
Microsoft Reveals Anti-Disclosure Plan
2001-11-12
hogridr
Well I guess we are officially taking computer security back into the dark ages. What will this accomplish? Nothing. If anything this is the worst mistake Microsoft has ever made. Simply look at the latest twenty vulnerabilities listed for Microsoft on SecurityFocus. Were any of them discovered...
Microsoft Reveals Anti-Disclosure Plan
2001-11-12
GluffiS
What's best? Knowing the holes and being able to do a workaround, or not knowing and being hacked all the time. I'd rather know what holes I have, and knowing so I can make a decision to take the system offline waiting for a fix. The more I learn about the 'Open' society the less I want to use windows. It is be...
Microsoft Reveals Anti-Disclosure Plan
2001-11-12
TheDoctor
IMO One simple mode to M$ resolve this are:
1) Stop the develop and audit your source code;
2) Make one single API, now we have the API of the day;
3) To new additional feature is necessary massive tests and source code audit;
This is one policy used on ANY software design. Why M$ are diferen...
Microsoft Reveals Anti-Disclosure Plan ISS and Snort
2001-11-12
Anymouse
It is well known that Snort is better, quicker, and more up to date than the ISS IDS. It is also a fact that Nessus runs neck and neck with the ISS scanner.
Now why would anyone but a manager pay ISS's high prices with its limiting license when they can get the equivalent or better free? ...
Microsoft Reveals Anti-Disclosure Plan
2001-11-13
Anonymous
Net Net (no pun intended) this is a thinly veiled attempt by MS to once again sacrifice its customers to cover its own shortcomings. It will not stop the publication of vulnerabilities, it will just ensure the bad guys get the info before the paying customers (cannon fodder). Wouldn't it just be easi...
Microsoft Reveals Anti-Disclosure Plan
2001-11-13
Brian Mac
With limited or no disclosure nobody will be able to determine if they NEED a patch or not. This leaves things open for Microsoft to trick people into getting some 'patch' only to find out later it adds some totally different 'feature' that they didn't want.
With no exploit code, nobody will be ...