Re: Call to arms - INFORMATION ANARCHY

From: James D. Stallard (cds@CIONLNE.COM)
Date: 11/04/01


Message-ID:  <000001c16552$53862b30$6400000a@leafgrove.com>
Date:         Sun, 4 Nov 2001 17:01:17 -0000
From: "James D. Stallard" <cds@CIONLNE.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Before we scream foul and decry the original article that started this
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp)
we should consider what is trying to be achieved and by whom.

Microsoft and indeed all vendors (we have to assume that Scott Culp
represents the official MS Line) are proposing that the negative
publicity associated with exploits of non-secure code can and should be
reduced. On the face of it, little more than a public relations exercise.
However Mr. Culp has much to say that is reasonable and sensible and
therein is the power of his article. It is however equally true (and
Microsoft must understand this) that the publication of exploits and
exploit code will not go away, simply because there is profit to be made
in proving that a given research organisation is better than another.
After all I would buy a service from a white hat company that had
published many exploits as I would want to harness this expertise for my
own benefit. Also I would apply the patches to my kit because I consider
myself employed to be on the ball and I take pride in my work.

What is required is a sensible solution to the argument of full
disclosure rather than screams on either side regarding the morals and
issues of releasing to the general community. I have to say I
particularly like the suggestion of Carter Mobley; the Vendor pays the
researcher for their silence and their expertise for a given period and
the exploit code is never released.

Ironically enough the recent spate of IIS-based worms has been
exacerbated by another vendor type - the managed hosting provider. I
have seen several cases where entire managed floors of thousands of
servers were not patched because the job was too large and the original
TAs did not consider the need for automated installation. This attitude
caused merry hell when the first version of CodeRed came to town and the
resulting mess took months to clean up. Most of these service providers
still have no automated rollout and therefore the problem will re-occur.

A few points therefore:
1. The vendor will not be able to stop the flood of exploit code without
purchasing silence.
2. The sysadmins who do not patch will eventually be caught out and the
Managed Hosting Providers who cannot deal with patching their clients'
servers will lose business.
3. We will continue to do our jobs and be thankful that we are all doing
our little bit to protect as best we can.
4. Script kiddies will increase in number but likely reduce in
effectiveness as point 2 occurs.
5. Blackhats will forever be a problem, but we are many and they are few
and there is safety in numbers.

Of course, what will probably happen is that the outcry will die out and
we will return to the status quo. There are worse ways to go.

Regards

James D. Stallard - Jobseeker

