Exploit Code on Trial
Kevin Poulsen, SecurityFocus 2003-11-23

Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Exploit Code on Trial 2003-11-24
Anonymous
Screw the vendors 2003-11-24
Anonymous (2 replies)
Screw the vendors 2003-11-25
Rodrigo Otaviano <rodrigo (at) otaviano (dot) com [email concealed]>
Exploit Code on Trial 2003-11-24
Bob Radvanovsky
I can hardly say that Microsoft is the only company that does NOT want exploits published, and for that, there are several reasons, one of which is the fact that this puts unnecessary blame and a scrutinizing eye upon Microsoft to produce more secure, more competent software. Microsoft (lately) has been "under the gun" by the end-user community, which is why Microsoft is pushing their TCPA environment. In some regards, (I personally think that) their security flaws may be staged, just to demonstrate to people that they are working towards something better, when in fact, they are doing nothing with the current version of their software. Microsoft promises a more secure future, one in which it will be dictated by a consortium of companies, all of whom agree with Microsoft's approach to secured computing, yet do not include any of the "open source" vendors, software manufacturers, or service providers. To me, this tends to be a bit one-sided. Developers from the "open source" community tend to be fairly quick about fixing their problems (at least from problems that I've encountered on more than my fair share of freeware/shareware/GPLware software used over the past 15 years), and rely (almost completely) upon those who either participate in, or at least review, their discussions and forums -- openly.

Insofar as reporting the exploits and their code, I would tend to agree with the other individuals on the discussion group. This puts everyone on the same "playing field"; thus both black and white hats know what the other side is doing, or is about to do. The one gent stated that publishing the exploit (and its code) might have saved 20 minutes (or so) of extra time. If so, then what advantage would there be in NOT publishing the exploits (and their code)? The ONLY group that benefits from this are the software and/or hardware vendors, manufacturers and service providers, who want nothing more than another "spin-doctored" attempt at stating that their environments, software and hardware releases have been patched, or are secured. For all of the vendors who have made claim to that -- and didn't do anything to fix the problem, exploit or vulnerability, except hope that it goes away -- I would be rich based upon the false promises made by these vendors.

Looking back over the past several years, and watching everything unfold, the root argument to all of this can be summed up quite simply as: full disclosure versus no disclosure. Those who are in power want to remain in power (and in control); thus, the manufacturers of hardware or software, the vendors who support them, and the service providers who use them -- all want censorship to include the very few who are in control -- which are the minority.

So... what next? Censorship of the ENTIRE Internet? Honestly, you can't.

The "genie's been let out of the bottle" (so to speak), and it will be very difficult to censor what has already started, unless you create a whole new world -- perhaps an Internet Version 2.0? NSF is already using Internet V2.0, and my guess is that TCPA (and/or DRM) in the next 30 years will be utilizing Internet V2.0, not Internet V1.0.

So -- guess the "star-bellied Sneetches" are at it again, and this time, ensuring that they keep their stars on their bellies, and no one else has either the means, or the information, to create or duplicate similar stars on their bellies (the Sneetches that don't have any stars are considered inferior by those that do have stars).

-r

Exploit Code on Trial 2003-11-24
Anonymous
Exploit Code on Trial 2003-11-24
TW
Exploit Code on Trial 2003-11-25
Leif Ericksen
Exploit Code on Trial - final word 2003-11-25
Anonymous (1 replies)
Exploit Code on Trial 2003-11-25
Camel
Loss of money 2003-11-29
bl0rf
Exploit Code on Trial 2003-12-02
Anonymous
Exploit Code on Trial 2003-12-02
Anonymous
Copyright 2009, SecurityFocus