From: Scott, Richard (Richard.Scott@BESTBUY.COM)
Date: 11/03/01

Date:         Fri, 2 Nov 2001 20:28:02 -0600
From: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY


> Microsoft claims that we are in a state of
> "Information Anarchy" and that the research community must be stopped. Do we
> really want to return to the olden days when vendors knew they could ignore
> security issues?
>
> We have had the lame, media-created defacement wars between script kiddies -
> now it is time to wage a true war that will demonstrate our skills, and more
> importantly, demonstrate to the vendors, the corporations, and the world,
> what they are forcing into the underground.

Why would we not want to go back to those days? Microsoft wouldn't be
selling their "firewall" security accelerator server, security products would
be non-existent and the research would not be read.
It's quite amusing how people are too quick to bite the hand that feeds
them... Script kiddies have by far made security sales increase much faster
than anything that Mitnick did. If I speak to head executives, show them
web defacements, relate that to their brand image, investment is made. If
I, however, told them the story of Mitnick, nothing would be made of it.
Microsoft wants the security element to go away for two reasons:

1) It's not productive
2) It's not profitable

It's not productive because the software they have to release has to have
bug fixes and security developed into it. Security patches have to be released and
supported. This isn't great, and resources could be spent elsewhere.

As far as I know, most decent security products on the market are not
developed by MS. And I do not see this trend changing.
If MS could enter the market, it would not criticise full disclosure, as it
would be a sales mechanism to drive revenue.
Security has been a pain in the ass for MS, but I don't see it crippling the
company; I think it's just annoying it.

If we went into the dark old ages where exploits were kept underground, the
same attacks would occur, but maybe with more unknown quantities. Maybe, if
the license agreements changed, then customers could force bug fixes, and/or
sue MS for insecure products. This isn't really changing, and full
disclosure helps many people understand exactly what to look out for and
how to prevent related attacks.

Besides, I think people should have their right to freedom of speech and
publish whatever they want. Of course, if the vendors do not wish them to,
they can either pay them, support them or threaten them.

