INFORMATION ANARCHY = As good as it gets?
From: Raymond Pritchett (darksided@DARKSIDED.COM)
Date: 11/03/01
- Previous message: Jackie_Soares@GAP.COM: "Re: Call to arms - INFORMATION ANARCHY"
- In reply to: Russ: "Call to arms - INFORMATION ANARCHY"
Message-ID: <000001c16425$4d9baca0$6cc94242@xpert>
Date: Sat, 3 Nov 2001 00:06:31 -0500
From: Raymond Pritchett <darksided@DARKSIDED.COM>
Subject: INFORMATION ANARCHY = As good as it gets?
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Full-Disclosure is the best CURRENT method for securing systems; however, in utopia Full-Disclosure would not be necessary for securing systems. I know this is not utopia.
The security community has for a long time assisted peons in IT like myself by providing an information backbone to securely manage enterprise systems, and in essence making things better has been the ultimate goal of those who are involved in Full-Disclosure. Scott Culp gave me the impression he completely dismissed the contribution the security community currently makes through Full-Disclosure, which is where my red flags were raised.
I do not disagree with a lot of the points made by Scott Culp in his article; however, I do disagree with his premise that companies like Microsoft can provide a better solution if we just trust them to, and that the lack of Full-Disclosure is a better alternative to no disclosure at all. He offered a pretty blatant opinion, and many others have followed his lead by offering opinions of their own; however, neither Scott Culp nor any of the other opinions raised offered any viable alternatives that address the issues.
If Microsoft's objective is to work with industry leaders to build an
"industry wide consensus on this issue," then that is where the "Call to
Arms" must take place for the security community if security is to truly
remain the ultimate goal.
This campaign from Microsoft is purely a publicity campaign at this point, and from Scott Culp's article it seems pretty clear to me that the Full-Disclosure community should get ready: the publicity angle appears to be that you are public enemy #1. If Microsoft or any other large company puts out the cash to create a public opinion frenzy on the subject, making Full-Disclosure the bane of data security in the current terrorist threat environment, the consequences are scary.
It would be nice if all parties could discuss a real alternative to Full-Disclosure; of course that means the industry would have to change the way they think about security, and the Full-Disclosure community would have to redefine their purpose. The government ideas were tossed around as a 3rd party broker, but as a Senior Consultant for a government agency let me just ask which government do you trust to do it? This list alone is represented by citizens of dozens of governments, and all equally have agendas just like any corporation would. Which 3rd party is above influence from the entire global industry?
Industry leaders can create think tanks to determine the best way to secure systems without Full-Disclosure, but one of the first questions any think tank should ask is "With all the agendas of the various parties, is Full-Disclosure as good as it gets?"
The fact is, I make a fortune thanks to companies like Microsoft, their
security vulnerabilities, and the fact Full-Disclosure may lead to
possible exploitation hacks in the future. Even though every single
server system I have been responsible for has never fallen prey to a
vulnerability in the past (thanks to vigilance and researched
information provided by methods such as Full-Disclosure), with an issue
like this even my peon IT guy agenda should be measured.
Raymond Pritchett
Network/Systems Consultant
"Never argue with an idiot. They drag you down to their level, then beat
you with experience."
-Dilbert's Rules of Order
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
Sent: Friday, November 02, 2001 4:42 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Call to arms - INFORMATION ANARCHY
The following message was received from the poster. I'm sending it on that person's behalf.
> Please read the attached text file and help support this cause.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> "I don't intend to offend, I offend with my intent"
>
> hellNbak@nmrc.org
> http://www.nmrc.org/~hellnbak
A Step Towards Information Anarchy: A Call To Arms
by hellNbak <hellNbak@nmrc.org>
Recently, Scott Culp of Microsoft's Security Response Team released the following paper: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp.
Since the suspiciously timed release of this paper, rumors are that Microsoft has been contacting the management of various research groups to discuss with them their disclosure policies and how to fall into the new Microsoft line of thinking. Unfortunately, I have not been privy to any of these discussions with Microsoft, but one can only guess that their intentions are not pure. I am not going to write another rant on why I think Microsoft is out to lunch and how I know for a fact that they would like to force legitimate security research into the grave and return to the days of not spending money on security, but I am going to write a rant on what I think the research community needs to do to help Microsoft and all vendors see the light. Make no mistake about it - Full Disclosure is in clear and present danger of being stomped out by vendors like Microsoft.
Back in the day, groups like ADM, Rhino9, L0pht, and w00w00 would responsibly release advisories with complete details and proof-of-concept code. Security was improving, vendors continued to get the message that their software had better be secure, and that they would be forced to deal with serious security issues. Or did they? Unfortunately, it seems the only message that the software vendors learned was that security issues are expensive, and while money should be spent convincing the public that the vendors care about security issues, the full disclosure community needs to be crushed so that things can go back to business as usual. To Microsoft and vendors like them, security is not a technical or a developmental issue; it is merely a marketing issue that can be - and is - leveraged for press time.
Unfortunately, today, Rhino9 is no longer and ADM has been quite quiet - keeping things to themselves no doubt. L0pht is now a consulting organization and w00w00 has also been very, very quiet. To add to the problems, we have groups and people like Georgi Guninski, who while releasing some very interesting research and proof-of-concept code, refuse to do it in a responsible manner, giving the vendors all the ammunition they need to attack the full disclosure community.
So how do we fix what seems to be broken beyond repair? How do we take the power away from the software vendors and return it to the research community? My answer is: INFORMATION ANARCHY. Microsoft likened researchers - not criminal hackers or script kiddies - to terrorists holding software companies at ransom and being irresponsible by releasing proof-of-concept code. Microsoft claims that we are in a state of "Information Anarchy" and that the research community must be stopped. Do we really want to return to the olden days when vendors knew they could ignore security issues? I say no; it has to stop and the only way to stop it is to demonstrate to Microsoft and the world what _true_ Information Anarchy is.
I propose that everyone who is involved in security research and supports full disclosure steps up research efforts and releases those issues that they have been sitting on. Let's flood the security department of every vendor with new issues. Let's show the world what they would miss and what information could just as easily have stayed in the underground rather than be posted to Bugtraq or Vulnwatch.
Before you go out and start releasing all your zero-days, I do caution this with the recommendation that we all put in the effort to coordinate with vendors before releasing the advisories. I do not mean you should sit on something for 90 days until the vendor decides to fix it, but I do think that the vendor should be notified and given a set amount of time (30 days to fix and 5 to respond, perhaps) to respond properly. While we need to be direct with our actions, we do need to exercise caution and responsibility.
Show your support for this movement; help us take the power back from the vendors. I am offering my free time to help anyone with a security issue to report it to the vendor and craft an advisory. I am also asking everyone in the research community who supports full disclosure to release advisories in support of what I am calling Information Anarchy 2K01.
We have had the lame, media-created defacement wars between script kiddies - now it is time to wage a true war that will demonstrate our skills, and more importantly, demonstrate to the vendors, the corporations, and the world, what they are forcing into the underground.
I am not asking anyone to do anything illegal; I do not want to see any supportive defacements or hacks, but I do want to see some supportive advisories and research efforts. Microsoft just spent the last few years fighting for their "freedom to innovate" and now they are trying to take ours.
For information, help, or comments please email hellnbak@nmrc.org.