From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/02/01

Date:         Fri, 2 Nov 2001 17:39:23 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Call to arms - INFORMATION ANARCHY

I'm working on a bigger piece that talks to many of these issues, but I
wanted to throw out a few comments in the heat of the discussion. Sorry for
the noise folks, filter on the subject line to avoid the conversation.

1. It's one thing to prove to a Vendor they have a problem in their code. It's
another to be the reason that the Vendor's customers are subjected to
malicious attacks that take advantage of your disclosure. This is the heart
of the issue, and it's not resolved by keeping "Full Disclosure" alive.

2. Acknowledging that there is a majority of people in the world who choose
to use software which they cannot modify themselves (to avoid a disclosed
vulnerability) should translate into a responsibility on behalf of the
discloser. *IT DOESN'T*. It's all too easy to lay the blame at the feet of
the Vendor for a vulnerability without accepting responsibility for your
proof-of-concept code or detailed description.

3. A dramatic minority of people who use software pay any attention to
vulnerability announcements. They find out about the attack, without ever
hearing about the vulnerability (or even the patch/workaround). This must
not be under-estimated, but it is frequently. People don't care much about
what we say, they care about what the Vendor says. If the Vendor doesn't
alert them (and Microsoft's Security Bulletins go to, maybe, 1% of their
customers), customers will go merrily along without a care in the world.

Ergo, your disclosure leads to them being exploited rather than them being
fixed, pretty much guaranteed.

So, a couple of things need to change for *anything* to be effective;

a) The media has to do a better job of informing *the masses* of
vulnerabilities. If the average person was more aware of how insecure their
computers were, and why it mattered to them, it might trickle up the food
chain and translate into purchasing decisions by OEMs and Corporations that
feed the feature versus security mentality of many Vendors.

b) There needs to be a great emphasis placed on researchers doing things to
prevent "script kiddiez". The average consumer doesn't need to be portscanned
daily, have a trojan dropped on their system, or have their machines
rendered unusable in order to convince Microsoft to provide better security.
It doesn't work. It hasn't worked. It's not going to work. All it does is
make everyone ticked off at security research in general.

c) There needs to be far less talk in the press about vulnerabilities
leading to privacy disclosures. Face it folks, the average person doesn't
care about privacy disclosures unless it has to do with Health or Legal
issues. The constant harping on privacy issues has led to an antipathy
towards security issues in general for the public.

d) There needs to be some method for Vendors and Security Researchers to come
to some sort of responsible expectations. An RFC isn't going to do that, and
neither will massive disclosures of vulnerabilities. An independent party,
Governmental or Private, acting as an oversight and authoritative focal
point is the only way. Problem is that most of those researchers who've
become quiet are trying to make money from their work (a Good Thing) and
need to be seen as better than everyone else. So the Security Industry would
be against any sort of governing body as that would make their Angel
Investors lose interest...

Russ - NTBugtraq Editor
