Re: Call to arms - INFORMATION ANARCHY - closing

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/05/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F23CA89@muskie.rc.on.ca>
Date:         Mon, 5 Nov 2001 00:12:05 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Call to arms - INFORMATION ANARCHY - closing
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Ok, the 50+ message thread on this is closed now.

FYI, Microsoft is hosting an event called the Trusted Computing Forum 2001
next week which is about security. During that event it's expected that a
draft proposal will be made towards an RFC defining vulnerability disclosure
standards. Expect to see this mentioned in the news over the next week.

I'm against an RFC; we haven't properly defined the issues that an RFC might
cover to get to the point of even discussing a draft RFC. RFCs are also
inherently useless at enforcing anything, and in this regard we need
something more tangible if we expect to effect change. Simply stating that
Vendors need to respond to vulnerability disclosures, or expect to lose
customers, should be sufficient. What an RFC can do beyond this is extremely
questionable to me.

I'm boycotting the event because of this, and my belief that the venue will
be used to announce to the media the proclamation of a new paradigm for
vulnerability disclosure. I know that Elias Levy over at SecurityFocus (who
runs Bugtraq) and I have no idea just what the proposal is going to be.
The fact that the two largest forums for discussion of these issues have
been kept in the dark while others, including Microsoft, set about defining
a new standard just reeks of a media ambush.

Hellnbak's radical proposal offered a great opportunity to air some of the
issues that, IMO, haven't even been thoroughly considered, and afforded us a
chance to remind people of some of the preconceived notions that some might
hold...that are contrary to my belief of customer opinion.

Vendors don't need to be encouraged, and researchers don't need to be
threatened. Customers need to be listened to and given relief they can use
to prevent the attacks they're suffering from (and the attacks that will
come). Customers need to be the focus, not Vendors or Researchers...that's
another thing that RFCs have proven pretty useless at doing.

It's my list, so I get the last word (above). Any further discussion will
come from me, or principals directly involved in any proposals put forward
to the industry. It may not be a topic you want to hear any more about, but
since it directly involves NTBugtraq, and by extension you the subscriber,
I'm going to keep it in your minds. Feel free to send me any feedback you
might have.

I will promise that there won't be any more 50+ message threads about the
topic any time soon...;-]

Cheers,
Russ - NTBugtraq Editor
Hear the one about secure password changes for AD? Neither did I.

