Complete.Org: Mailing Lists: Archives: discussion: November 2001:
[aclug-L] FW: A matter of interpretation
[aclug-L] FW: A matter of interpretation

To: "Aclug Discussion" <discussion@xxxxxxxxx>
Subject: [aclug-L] FW: A matter of interpretation
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Tue, 13 Nov 2001 13:45:05 -0600
Reply-to: discussion@xxxxxxxxx


LINUX SECURITY --- November 13, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
______________________________________________________________________

HIGHLIGHTS

* Depending on whom you ask, you'll get a different opinion on the full 
  disclosure issue and Microsoft's latest assault on those making their 
  products' flaws public is turning up the heat.

_____________________________________________________________________

The Full Disclosure Debate Gets Warm
By Jamie Reid

Security pundits and professionals have been asking whether publishing 
a vulnerability's explicit details is worth the price of having that 
information exploited by someone who doesn't necessarily have the skill 
or understanding to either develop the vulnerability, or to appreciate 
the consequences of their actions. One would think that the most 
reasonable solution would be to distribute the vulnerability 
information to the vendor and members of the security community, who 
would then pass it along to their customers in a timely fashion. 

If only it were that simple. 

A major problem that arose with this idea is that "vendor", "security 
community", "customer", and "timely fashion" are all relative to the 
interpretation of whoever is proposing the solution. In the 
collaborative world of open source software, the vendor can be anyone 
from RedHat to the kid in her basement that wrote a patch to fix 
another problem, which caused the vulnerability in question. 

The security community has been bickering among themselves about who is 
a member and who isn't, and, though the CISSP community is becoming 
more visible, this issue isn't going to be resolved anytime soon. With 
the propagation of open source software, the lines between user, 
developer, vendor, and customer have blurred, and might better be 
described as a continuum rather than separate entities. 

In a recent editorial on Microsoft's TechNet, Scott Culp (known by many 
as the human behind security@xxxxxxxxxxxxx) attempted to rebrand full 
disclosure as "Information Anarchy". What seemed to be a reasoned plea 
for prudence on the part of those who discover vulnerabilities, has 
been taken as a shot fired over the bow of those who would publish 
their findings, regardless of the participation of the vendor in 
publicizing or fixing the vulnerabilities. 

On November 2nd, Thomas C. Greene of The Register alleged that Culp's 
editorial is the first step in Microsoft's new strategy of creating 
partnerships with researchers. Microsoft will provide internal 
vulnerability and other data to them in exchange for their silence, 
with the ultimate goal of keeping vulnerability information out of the 
hands of the public, and ensuring that customers are dependent solely 
on Microsoft for fixes. This can also be interpreted as an effort by 
Microsoft to put their valuable intellectual property on the table in 
exchange for the ability to protect their customers from malicious 
hackers. Though it may seem charitable of Microsoft to tip its hand to 
researchers who have made a close guess at what cards the company is 
holding, this charity comes with what many see as a Faustian bargain.  

This is a debate of principle, between the interests of a business and 
its user community. From a business perspective, a customer going 
public with a product flaw before giving you a chance to fix it would 
be a nightmare. From a customer perspective, it would be a betrayal to 
find out that a product your livelihood depends upon has dangerous 
defects that were actively covered up by your vendor and may never be 
fixed. By your very use of the product and by signing an 
indemnification agreement with the vendor, you have no recourse except 
lengthy posts to Slashdot, mailing lists (or if you are lucky, your 
column), with run-on sentences, bad spelling, poor grammar, venom and 
vitriol, that ultimately make you seem like more of a crank than a 
crusader. 

This debate is still in its very beginnings.

____________________________________________________________________


About the author(s)
-------------------
Jamie Reid is a Network Security Consultant in Toronto. He can be 
reached at jreid@xxxxxxxxxx.
____________________________________________________________________

ADDITIONAL RESOURCES

Full Disclosure: How Much Security Info Is Too Much?
http://itw.itworld.com/GoNow/a14724a46249a76028222a3

Exposing InfoSecurity Hype
http://itw.itworld.com/GoNow/a14724a46249a76028222a0

Full Disclosure is a necessary evil
http://itw.itworld.com/GoNow/a14724a46249a76028222a5

Do security holes demand full disclosure?
http://itw.itworld.com/GoNow/a14724a46249a76028222a1

Full Disclosure: Effective or Excuse?
http://itw.itworld.com/GoNow/a14724a46249a76028222a4

Microsoft's Responsible Vulnerability Disclosure, The New Non-Issue     
http://itw.itworld.com/GoNow/a14724a46249a76028222a2
___________________________________________________________________

ITWORLD.COM NEWSLETTER ARCHIVE

Index of Linux Security
http://www.itworld.com/nl/lnx_sec/

Educating Executives
http://www.itworld.com/nl/lnx_sec/12052000/

Taking Back Your Box
http://www.itworld.com/nl/lnx_sec/11282000/
_______________________________________________________________________

CUSTOMER SERVICE

SUBSCRIBE/UNSUBSCRIBE:
- Go to: http://www.itworld.com/newsletters
- Click on "View my newsletters" to log in and manage your account
- To subscribe, check the box next to the newsletter
- To unsubscribe, uncheck the box next to the newsletter 
- When finished, click submit

Questions? Please e-mail customer service at: mailto:support@xxxxxxxxxxx
________________________________________________________________________

CONTACTS

* Editorial: Andrew Santosusso, Newsletter Editor, 
  andrew_santosusso@xxxxxxxxxxx
* Advertising: Clare O'Brien, Vice President of Sales, 
  clare_obrien@xxxxxxxxxxx
* Career Corner: Janis Crowley, Vice President/General Manager, IDG 
  Recruitment Solutions, janis_crowley@xxxxxxxxxxxxx
* Other inquiries: Jodie Naze, Senior Product Marketing Manager, 
  jodie_naze@xxxxxxxxxxx

____________________________________________________________________

PRIVACY POLICY

ITworld.com has been TRUSTe certified 
http://www.itworld.com/Privacy/

Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi