Sv: Call to arms - INFORMATION ANARCHY

From: micro***.product.security@HUSHMAIL.COM
Date: 11/03/01


Message-ID:  <200111030006.fA306iJ89891@mailserver1.hushmail.com>
Date:         Fri, 2 Nov 2001 16:06:44 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM



Russ <Russ.Cooper@RC.ON.CA> wrote:

> d) There needs to be some method of Vendors and Security Researchers to some
> sort of responsible expectations. An RFC isn't going to do that, and neither
> will massive disclosures of vulnerabilities. An independent party,
> Governmental or Private, acting in an oversight and authoritative focal
> point is the only way. Problem is that most of those researchers who've
> become quiet are trying to make money from their work (a Good Thing) and
> need to be seen as better than everyone else. So the Security Industry would
> be against any sort of governing body as that would make their Angel
> Investors lose interest...

What you need is a government or private watchdog to penalise companies like Microsoft every time they release their cheap code.

Software should be certified just like everything. Certified "fit for human consumption". Certified UL or CSA, CUL, CE, FCC, or VCCI, whatever. Almost everything is certified, including firewalls, AV products etc. Ask Russ, he should know :-(

Let's get an independent party, Governmental or Private, acting in an oversight and authoritative focal point to stamp their approval on software. Forget about fining Microsoft, have this independent stamp "FIT FOR HUMAN CONSUMPTION" on the software or "REJECTED!"

This will surely shame the drek-mongers like Microsoft into pulling up their socks.

On the other hand, it is very clear to many that the Microsofts enjoy the bug hunters; in fact, they feed them. Why? Cheap out-sourced code checkers. Working for free. They're big enough to shrug off the bad publicity, but just love the free work the bug hunters are doing.

Including the independent party, Governmental or Private, acting in an oversight and authoritative focal point.

hellNbak@nmrc.org wrote:

> Make no mistake about it - Full Disclosure is in clear
> and present danger of being stomped out by vendors like Microsoft.

This will not happen in a million years.

Culp is a noted whiner and mouthpiece for a company that is equally as big a whiner.

They can both p*ss off for all anyone cares.

> To add to the problems, we have groups and people like Georgi Guninski,
> who while releasing some very interesting research and proof-of-concept
> code, refuse to do it in a responsible manner, giving the vendors all the
> ammunition they need to attack the full disclosure community.

More nonsense: "the vendors all the ammunition they need to attack".

F*ck them. Guninski, or anyone else for that matter, is, and will also be, very welcome to do as he or they see fit with whatever it is they find. Be it to "hoard" it, 0-day release it, or notify ONLY the vendor and no one else.

The day you or anyone out there tries to dictate what any one of us does with our machines is the day the earth ends. And that ain't gonna happen.

maybe?

Over and out.

