Microsoft Reveals Anti-Disclosure Plan
Kevin Poulsen, SecurityFocus 2001-11-09

Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes

Microsoft Reveals Anti-Disclosure Plan 2001-11-09
Anonymous (1 replies)
Microsoft Reveals Anti-Disclosure Plan 2001-11-10
Gregarious Monk
What about the admins? 2001-11-09
ferretzero
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
Anonymous
I agree with this article. The information cartel that Microsoft is trying to build with some (very few) security companies is a bad scheme. Worse than that, try to imagine how this limited-disclosure plan would interact with stuff like DMCA, SSSCA, PATRIOT Act, USA Act, and the next wave of similar legislation in preparation that we don't know about yet.

I am definitely a white hat. I am an independent researcher and a computer security professional. I have never done anything illegal in terms of intrusion, copyright-stealing or whatever, but with these laws, and the interactions between them, it will become clear that some concepts and ideas will merge. So, 2-3 years from now, we could see a 15 year old who finds a big hole on Outlook GZ (fake name of course) and takes the gut to publish it online. Not only would he violate the information disclosure policy put in place by force by Microsoft, but since the exploit permits the attacker to execute code on a (tentatively?) protected machine, this would also hit the DMCA for "circumventing an access device". Since our teenager already faces two possibly-criminal charges for something he thought was completely legal (albeit thrilling), it is not hard to imagine how all this can be nicely packaged in a terrorist scheme (ok, let's say the teenager is actually 24 and of non-white ethnicity) and lock him up for a veeeerryy long time behind bars.

This can not go on.


Link to this comment: http://www.securityfocus.com/comments/articles/281/8657#8657
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
russell handorf
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
Angus Blitter
30 days makes no difference 2001-11-09
Anonymous
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
kishg (at) optonline (dot) com [email concealed]
Shocking developments 2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (2 replies)
Shocking developments 2001-11-09
Anonymous
Shocking developments 2001-11-09
Greggory Peck
Be careful what you wish for. 2001-11-09
Surreal
Such a policy for disclosure already exists 2001-11-09
Dumky (1 replies)
Such a policy for disclosure already exists 2001-11-10
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
...on second thought...Kudos! 2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (1 replies)
RE: ...on second thought...Kudos! 2001-11-10
Gregarious Monk
RFP (Rain Forest Puppy) 2001-11-10
Anonymous
Read the fine print 2001-11-11
Anonymous
Cross your fingers... 2001-11-11
Anonymous
Full disclosure will survive 2001-11-11
Ben - Canberra AUS
So, green light to sue? 2001-11-12
Anonymous
Microsoft have no server monopoly: this may reduce their share 2001-11-12
Kirsten Bayes (kirruth@hushmail)







 

Copyright 2009, SecurityFocus