Re: Call to arms - INFORMATION ANARCHY - pause

From: Frank Bass (tomega@KNOLOGY.NET)
Date: 11/03/01


Message-ID:  <002c01c16487$7b658d60$9342d618@knology.net>
Date:         Sat, 3 Nov 2001 08:49:19 -0800
From: Frank Bass <tomega@KNOLOGY.NET>
Subject:      Re: Call to arms - INFORMATION ANARCHY - pause
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Russ,

We seem to be digressing towards anarchy. After 35 years in this
security business I think I might have a useful perspective.

We have a number of "customers" needing portions of, or all of, the
information collected by security researchers. Thus far, we have not been
very organized in the collection and dissemination process. Our "customers"
include other researchers, vendors, users, and System Administrators. The
needs of these customers are somewhat different. SAs don't need full code
disclosures directly. What they need is a combination of workarounds and
solutions. Users don't need code. They need "use-type" information.
Product vendors, on the other hand, need everything if they are to "fix" the
problems.

What we all need is a formalization of our processes and a place where
everyone can get what they need - depending upon their perspective. We also
need our informal communication channels standardized and attached to a
vulnerability-source site.

I would recommend the following:

1. Establish a formal process for reporting researched vulnerabilities. We
need a process similar to what the CERT site provides. Every CERT notice
has a formal format and its guiding information is very clear.

2. Establish formal communication channels once the vulnerabilities have
been identified. Information needs to flow regularly to other researchers,
vendors, SAs, and users.

3. Provide a formal Internet site where the "users" mentioned in #2 above
can go to obtain their "type" of information. For example, an SA can go to
the site and get workaround and solutions data with configuration
information as necessary. If an SA wants to get more involved in a
vulnerability, they can get the code and examine it at their leisure.
Vendor "type" information can be formatted so that it appeals to their
perspective. And so on.

The one thing we must stop doing is "playing around" with this stuff. I
think we have gone by the period of free-wheeling entrepreneurs and we need
to formalize our processes. I especially believe vendors would like to see
more structured responses to these problems. It will enhance our
professionalism.

Remember, the more people hear about these problems the more pressure they
exert on the vendor community.

----- Original Message -----
From: Russ <Russ.Cooper@RC.ON.CA>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Friday, November 02, 2001 7:13 PM
Subject: Re: Call to arms - INFORMATION ANARCHY - pause

> Pause, think, come back Sunday. No more messages on this subject until
> then.
>
> Again, if you don't want to see this thread please filter on the subject
> line (or look for Information Anarchy in the message).
>
> Microsoft and @Stake will be marketing this idea next week during
> Microsoft's "Trusted Computing 2001" conference. Weld Pond as a Microsoft
> poster boy, quite an interesting image eh?
>
> Cheers,
> Russ - NTBugtraq Editor
>