From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/03/01

Date:         Fri, 2 Nov 2001 21:40:26 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Call to arms - INFORMATION ANARCHY

Edward Livengood suggested that disclosure is needed due to IDS products.
Let's get something straight: IDS and disclosure are chicken and egg.
IDS didn't exist until full disclosure was popular, and can't exist without
it, but the benefits of IDS haven't been proven to be worthy of forcing the
continued support of full disclosure.

Many in the anti-virus community (Nick FitzGerald for one) insist that
signature-based detection is the totally wrong approach. IDS is
signature-based detection (for the most part).

George Carlson and Rick Schneider suggested that there's a truism, "if I
know, lots of others do also". Wrong assumption. Consider that most vendors
do "extensive" testing prior to releasing a new product. The testing usually
involves smart users, stupid users, doing things the way they're supposed to
work, and doing things in a way not described. Despite this, lots of people
find problems never seen before.

Besides, there's no proof of this urban legend, nor is there likely ever to

Rick made another point: black hats, not script kiddiez, are our major
problem. While this is true, and the directed attack is always going to be more
damaging than the scatter attack, the fact is that our security is more
focused on the en-masse attack scenario. Who's worried about getting a new
virus from a black hat? Aren't we more worried about someone bringing it in
from their home DSL-connected machine? We've more parameters in NT/W2K to
handle SYN floods than we do to handle protecting any given service. Our IDS
logs are filled to the brim with scatter attacks, so much so that finding
the concerted effort amongst the duhs is near impossible.

So why can't we focus on our biggest threat? It's not due to the skill of the
noise, but the noise itself. That should give pause to think about new solutions.

Then there's Carter Mobley's suggestion of a Netscape-like Bug Bounty
program out of Microsoft. And the silence would be enforced how, Carter? By
contract? You think you couldn't make more money by being sued by Microsoft
for disclosing a security issue to the public? Not going to happen.
Microsoft have long offered a bounty; it's just not cash. People are more
inclined to be wooed by the media than by Microsoft. Besides, what's the
best thing that came out of Netscape's Bug Bounty program... Georgi Guninski?
