SecurityFocus 2001-11-09
Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes
Comments in this thread:
Shocking developments (2001-11-09, H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>, 2 replies)
Such a policy for disclosure already exists (2001-11-09, Dumky, 1 reply)
Such a policy for disclosure already exists (2001-11-10, H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>)
...on second thought...Kudos! (2001-11-09, H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>, 1 reply)
So what would force Microsoft to patch these holes if exploits are not published? (2001-11-10, Rafal Sybilla-Leszczynski, 1 reply)
So what would force Microsoft to patch these holes if exploits are not published? (2001-11-12, Anonymous)
Microsoft have no server monopoly: this may reduce their share (2001-11-12, Kirsten Bayes (kirruth@hushmail))

Microsoft have no server monopoly: this may reduce their share
2001-11-12
Kirsten Bayes (kirruth@hushmail)

Two things spring to mind here.

1) _Nothing_ can be "engineered solely for lawful purposes", if for no other reason than the law can be a moving target. Even a hammer can be used in a smash and grab. I offer the min/max-er playerbase of many popular online MUDs as evidence of how far people can push rules, and divert tools and constructs to unintended ends. And these are often people who see what they do as part of the game, as opposed

2) In the telecomms industry, there are guidelines set out by vendors and the various carriers to ensure that problems of various severities are addressed within certain timeframes. These guidelines make customers responsible for things like the fabled 5 nines of reliability, etc., while placing stringent requirements on vendors to fix problems in a timely fashion. In the analogous situation we have here, we'd basically have the vendors dictating to the carriers that they may still have to meet their requirements to their customers, but the vendors are going to do as they see fit. Lucent doesn't tell Sprint, or Worldcom, "Trust us".

I equate Microsoft's push to anti-disclosure to the telecoms vendors saying to customers "let's throw RQMS out the window". The problem is, while telecoms can leverage contracts and regulation to their side, the PC world simply has no real recourse (as the EULA often says, NO WARRANTY OF FITNESS TO ANY PARTICULAR PURPOSE) of applying pressure to vendors to fix security bugs, except full disclosure.

Never mind the most compelling argument to me, personally: that I don't want to be denied info that the black hats know. I can't control what they learn, or when, but I can control what I know. To use a war metaphor, no war was won upon a paucity of information. I certainly don't want the vendors armchair-generaling the front line battles; they should be providing the logistics, rather than strategy.
Link to this comment: http://www.securityfocus.com/comments/articles/281/8653#8653