Re: Call to arms - INFORMATION ANARCHY - pause

From: Frank Bass <tomega@KNOLOGY.NET>
Date: Sat, 3 Nov 2001 08:49:19 -0800
Message-ID: <002c01c16487$7b658d60$>


We seem to be digressing ourselves towards anarchy. After 35 years in this
security business I think I might have a useful perspective.

We have a number of "customers" needing portions of, or all of, the
information collected by security researchers. Thus far, we have not been
very organized in the collection and dissemination process. Our "customers"
include other researchers, vendors, users, and System Administrators. The
needs of these customers are somewhat different. SAs don't need full code
disclosures directly. What they need is a combination of workarounds and
solutions. Users don't need code. They need "use-type" information.
Product vendors, on the other hand, need everything if they are to "fix" the

What we all need is a formalization of our processes and a place where
everyone can get what they need - depending upon their perspective. We also
need our informal communication channels standardized and attached to a
vulnerability-source site.

I would recommend the following:

1. Establish a formal process for reporting researched vulnerabilities. We
need a process similar to what the CERT site provides. Every CERT notice
has a formal format and its guiding information is very clear.

2. Establish formal communication channels once the vulnerabilities have
been identified. Information needs to flow regularly to other researchers,
vendors, SAs, and users.

3. Provide a formal Internet site where the "users" mentioned in #2 above
can go to obtain their "type" of information. For example, an SA can go to
the site and get workaround and solutions data with configuration
information as necessary. If an SA wants to get more involved in a
vulnerability, they can get the code and examine it at their leisure.
Vendor "type" information can be formatted so that it appeals to their
perspective. And so on.

The one thing we must stop doing is "playing around" with this stuff. I
think we have gone by the period of free-wheeling entrepreneurs and we need
to formalize our processes. I especially believe vendors would like to see
more structured responses to these problems. It will enhance our

Remember, the more people hear about these problems the more pressure they
exert on the vendor community.
----- Original Message -----
From: Russ <Russ.Cooper@RC.ON.CA>
Sent: Friday, November 02, 2001 7:13 PM
Subject: Re: Call to arms - INFORMATION ANARCHY - pause

> Pause, think, come back Sunday. No more messages on this subject until
> Again, if you don't want to see this thread please filter on the subject
> line (or look for Information Anarchy in the message).
> Microsoft and @Stake will be marketing this idea next week during
> Microsoft's "Trusted Computing 2001" conference. Weld Pond as a Microsoft
> poster boy, quite an interesting image eh?
> Cheers,
> Russ - NTBugtraq Editor
