Re: Call to arms - INFORMATION ANARCHY

From: Scott, Richard (Richard.Scott@BESTBUY.COM)
Date: 11/03/01


Message-ID:  <D9C570D94236D4118DAE00508BCF3DA8022197D2@cs14mail.bestbuy.com>
Date:         Fri, 2 Nov 2001 20:28:02 -0600
From: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


<snip>

Microsoft claims that we are in a state of
"Information Anarchy" and that the research community must be stopped. Do we
really want to return to the olden days when vendors knew they could ignore
security issues?

We have had the lame, media-created defacement wars between script kiddies -
now it is time to wage a true war that will demonstrate our skills, and more
importantly, demonstrate to the vendors, the corporations, and the world,
what they are forcing into the underground.
<snip>

Why would we not want to go back to those days? Microsoft wouldn't be
selling their "firewall" security accelerator server, security products would
be non-existent and the research would not be read.
It's quite amusing how people are too quick to bite the hand that feeds
them... Script kiddies have by far made security sales increase much faster
than anything that Mitnick did. If I speak to head executives, show them
web defacements, relate that to their brand image, investment is made. If
I, however, told them the story of Mitnick, nothing would be made of it.
Microsoft wants the security element to go away for two reasons:

1) It's not productive
2) It's not profitable

It's not productive because the software they have to release has to have
bug fixes and security developed into them. Security patches released and
supported. This isn't great, and resources could be spent elsewhere.

As far as I know, most decent security products on the market are not
developed by MS. And I do not see this trend changing.
If MS could enter the market, it would not criticise full disclosure... as it
would be a sales mechanism to drive revenue.
Security has been a pain in the ass for MS, but I don't see it crippling the
company, I think it's just annoying it.

If we went into the dark old ages where exploits were kept underground, the
same attack would occur, but maybe with more unknown quantities. Maybe, if
the license agreements changed, then customers could force bug fixes, and/or
sue MS for insecure products. This isn't really changing and full
disclosure helps many people understand exactly what to look out for and
how to prevent related attacks.

Besides, I think people should have their right to freedom of speech and
publish whatever they want. Of course, if the vendors do not wish them to,
they can either pay them, support them or threaten them.

Cheers
r.,