[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] MS to force IT-security censorship
- To: debate@lists.fitug.de
- Subject: [FYI] MS to force IT-security censorship
- From: "Axel H Horns" <horns@ipjur.com>
- Date: Sat, 3 Nov 2001 17:55:42 +0100
- Comments: Sender has elected to use 8-bit data in this message. If problems arise, refer to postmaster at sender's site.
- Delivered-To: mailing list debate@lists.fitug.de
- List-Help: <mailto:debate-help@lists.fitug.de>
- List-Id: <debate.lists.fitug.de>
- List-Post: <mailto:debate@lists.fitug.de>
- List-Subscribe: <mailto:debate-subscribe@lists.fitug.de>
- List-Unsubscribe: <mailto:debate-unsubscribe@lists.fitug.de>
- Mailing-List: contact debate-help@lists.fitug.de; run by ezmlm
- Organization: NONE
- Priority: normal
http://www.theregister.co.uk/content/4/22614.html
------------------------------ CUT ---------------------------------
MS to force IT-security censorship
By Thomas C Greene in Washington
Posted: 02/11/2001 at 04:43 GMT
We all know how Microsoft likes to bully its many 'partners', so it
comes as no surprise that the Beast has decided to apply its
partnership muscle to silence the software and network security
research community.
The company is currently shopping a 'security partnership agreement',
which would open up reams of MS vulnerability data to those firms
which capitulate to its censorship demands while leaving all others
out in the cold, The Register has learned.
Terms of the partnership agreement include provisions which would
enjoin partners from releasing 'detailed' vulnerability data over a
'blackout' period. Our information is in conflict here; we've heard
that the blackout could be 45 days, a la CERT, or as long as six
months, or indefinitely, until a fix is developed.
It's likely that several drafts of the agreement are in circulation,
and this uncertainty indicates the minimum and maximum periods
currently under consideration.
The word 'detailed' is still being debated, we gather. But we can
guess that the sanitized reports MS itself likes to publish to
accompany its patches would provide the model. Full disclosure would
be enjoined until the Beast manages to issue a fix; and it appears
that the agreement would give the company as long as it likes to
develop one. Its security partners would be expected to keep silent,
or issue a well-scrubbed, sanitized advisory in the mean time.
Just as we saw MS pressuring its partners to rat on system builders
who request quotes on OS-less 'naked' boxes with a bribery scheme, we
can expect similar shenanigans to ferret out rogue security vendors
which dare defy the Redmond Censors and actually offer their
customers useful information.
Redmond's goal is to ensure forcibly that exploit code doesn't fall
into the hands of the blackhat development community before they've
got a fix, but it also means that security vendors won't be able to
give their customers the means to develop a workaround or a fix to an
existing vulnerability until Redmond gets off its ass and solves the
problem.
The problem here is obvious: if millions of systems are vulnerable to
attack, it's pure head-in-the-sand gambling to hope that none of them
will be exploited during the time it takes Redmond to sort it all
out.
Frankly, if I were paying good money for security services, I'd feel
cheated if my vendor withheld data which I might be able to use to
protect myself from attack. I wouldn't consider that a service worth
paying for. I would do business with security vendors who wouldn't
withhold crucial information from me on Microsoft's behest.
Worse, we have here a recipe for establishing a monopoly on
vulnerability data like the little cabal of greedy insiders who run
the anti-virus industry, and who control access to information with a
stranglehold which protects nothing so much as their revenue stream.
Spin Session It's likely that MS will announce this appalling scheme
formally during its Trusted Computing Forum in Mountain View,
California on 6, 7 and 8 November.
The forum "will bring together leaders of the online community to
address some of the most pressing privacy and security issues we face
today," the company says.
And of course, it's all part of Microsoft's touching tradition of
selfless public service: "The need for a forum such as this is
greater than ever. The tragic events of September 11, 2001 have made
an undeniable impact on the industry and the world with regards to
privacy and security concerns," we're told.
And who's been invited to speak? Richard Clarke, Presidential Advisor
for Cyber Security; Brian Arbogast, Vice President of Microsoft's
.NET Core Platform Services; Craig Mundie, MS Chief Technology
Officer; Mozelle Thompson, Commissioner, Federal Trade Commission;
Stewart Baker, Partner, Steptoe and Johnson & former General Counsel,
National Security Agency; Jerry Berman, Executive Director, Center
for Democracy and Technology; Rebecca Cohn, member of the California
State Assembly; Lt. Lenley Duncan, Commander California Highway
Patrol Network Management Section; and Barry Steinhardt, Associate
Director of the ACLU.
Rather a significant stacking of collaborators over skeptics, we must
observe.
If anyone mistook MS Security Manager Scott Culp's recent essay
denouncing full-disclosure proponents as 'information anarchists' for
some simple, earnest opinion piece, they can dispense with that
illusion.
The essay was a mere shot across the bow in preparation for the real
assault, which we predict will ultimately include some RIAA-like
lobbying consortium to enforce Redmond's will upon the security
community.
Unless, of course, the security research community has the spine to
defy the Beast, an outcome we'd like to see, but which we wouldn't
bet good money on. Though if anyone wants to step up and prove us
wrong, we'll be the first to applaud. ®
------------------------------ CUT ---------------------------------
--
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de