Charney an Ominous Microsoft Pick
Tim Mullen, 2002-02-11

What are we to make of Microsoft tapping a former hacker prosecutor and IP lawyer for its top security spot? Nothing good.

Charney an Ominous Microsoft Pick 2002-02-11
The Real World (3 replies)
Charney an Ominous Microsoft Pick 2002-02-15
Serious_Poo
Charney an Ominous Microsoft Pick 2002-02-19
Road Rules
DRM OS and vulnerability disclosure 2002-02-11
batz (1 replies)

Interesting points, and they will probably come to pass; however, they will probably be independent of one another.

The link between Charney and DRM OS is a little thin, but the link between DRM/OS and the DMCA is worth investigating. I look forward to reading stories on it.

Your mention of the Gang of Six is interesting, as I don't think that the disclosure policies of these companies will affect the flow of information. Not because the policies are thoughtful, or anything other than a market gag order from Microsoft, but because these companies will not be discovering new vulnerabilities in large enough quantities to really make a dent in the availability of vulnerability information.

The reason for this is that there is no market incentive for these companies to discover new vulnerabilities. The time and clue required to find new vulnerabilities is far too expensive to maintain a solid vulnerability research effort. The few new vulnerabilities that are discovered in the course of internal testing and client engagements are already irreparably tangled in NDAs and indemnification agreements.

I've always said that R&D is what you do on your own time and your employer takes credit for. That's what those intellectual property and non-compete agreements you signed on your way in the door were for.

I think the policies of these companies are the least of your concern, as from a research perspective, they do not have the resources to spend time on some vendor's crappy code to maintain street cred on Bugtraq and at Blackhat. Unfortunately, despite some of the brilliant folks at these companies and others, the companies are not in the business of public service.

Street cred means something very different on Wall St than it does in IRC, and these companies aren't terribly interested in being cool on IRC if there is such a thing.

Even though credibility has been known to mutate into dollars after a couple of iterations, it is difficult to show the direct link between informing the public of vulnerabilities (let alone clue) and making bazillions of dollars.

It's the same problem that the dot.coms faced, which was that they had all this brilliantly creative content that would enrich the lives and cultures of their consumers, but the revenue models ended up based on the utterly unglamorous process of delivering up page clicks to even blander consumer grade electronics resellers.

It seems to be far more profitable to run a company with a vast number of average level consultants who can consistently deliver a base level of service to a small set of verticals, whose problems are pretty much the same everywhere you go.

It's mind-numbingly mundane, but that is how money is made.

I'll stop ranting like a crazy-man and go back to the issue of Microsoft, disclosure policies and the Gang of Six. The disclosure debate is a symptom of a much larger problem which encompasses the DMCA, manufacturer liability, privacy, civil liberties and the economy.

Charney's appointment is not so much an indicator of Microsoft's commitment to intellectual property rights, or their support of the DMCA, as it is of something much more interesting. They are preparing for war.

Cheers,


-batz


Link to this comment: http://www.securityfocus.com/comments/columns/59/10465#10465
Charney an Ominous Microsoft Pick 2002-02-12
Richard H. Rowson (1 replies)
Charney an Ominous Microsoft Pick 2002-02-12
Anonymous
Charney the Lawyer 2002-02-12
David (1 replies)
Charney the Lawyer 2002-02-25
Name withheld by request
Charney an Ominous Microsoft Pick 2002-02-12
Esqape (1 replies)
Charney an Ominous Microsoft Pick 2002-02-15
Anonymous
Charney an Ominous Microsoft Pick 2002-02-25
Anonymous (1 replies)
Charney an Ominous Microsoft Pick 2002-02-27
Anonymous
Charney an Ominous Microsoft Pick 2002-02-27
Anonymous







 

Copyright 2009, SecurityFocus