|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
[PLUG] Call to arms - INFORMATION ANARCHY (fwd)
|
This was posted to the Vuln-Dev list at SecurityFocus today. I found
it very interesting.
--
Marc Soda
ASPRE, Inc.
marc@aspre.net
http://www.aspre.net/
---------- Forwarded message ----------
Date: Fri, 2 Nov 2001 11:02:27 -0500 (EST)
From: hellNbak <hellnbak@nmrc.org>
To: submissions@packetstormsecurity.org
Cc: vuln-dev@securityfocus.com, bugtraq@securityfocus.com,
ntbugtraq@listserv.ntbugtraq.com
Subject: Call to arms - INFORMATION ANARCHY
Please read the attached text file and help support this cause.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A Step Towards Information Anarchy: A Call To Arms
by hellNbak <hellNbak@nmrc.org>
Recently, Scott Culp of Microsoft's Security Response Team released the
following paper:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp.
Since the suspiciously timed release of this paper, rumors are that
Microsoft has been contacting the management of various research groups
to discuss with them their disclosure policies and how to fall into the
new Microsoft line of thinking. Unfortunately, I have not been privy to
any of these discussions with Microsoft, but one can only guess that
their intentions are not pure. I am not going to write another rant on
why I think Microsoft is out to lunch and how I know for a fact that they
would like to force legitimate security research into the grave and
return to the days of not spending money on security, but I am going to
write a rant on what I think the research community needs to do to help
Microsoft and all vendors see the light. Make no mistake about it - Full
Disclosure is in clear and present danger of being stomped out by vendors
like Microsoft.
Back in the day, groups like ADM, Rhino9, L0pht, and w00w00 would
responsibly release advisories with complete details and proof-of-concept
code. Security was improving, vendors continued to get the message that
their software had better be secure, and that they would be forced to
deal with serious security issues. Or did they? Unfortunately, it seems
the only message that the software vendors learned was that security
issues are expensive, and while money should be spent convincing the
public that the vendors care about security issues, the full disclosure
community needs to be crushed so that things can go back to business as
usual. To Microsoft and vendors like them, security is not a technical
or a developmental issue; it is merely a marketing issue that can be -
and is - leveraged for press time.
Unfortunately, today, Rhino9 is no longer and ADM has been quite quiet -
keeping things to themselves no doubt. L0pht is now a consulting
organization and w00w00 has also been very, very quiet. To add to the
problems, we have groups and people like Georgi Guninski, who while
releasing some very interesting research and proof-of-concept code,
refuse to do it in a responsible manner, giving the vendors all the
ammunition they need to attack the full disclosure community.
So how do we fix what seems to be broken beyond repair? How do we take
the power away from the software vendors and return it to the research
community? My answer is: INFORMATION ANARCHY. Microsoft likened
researchers - not criminal hackers or script kiddies - to terrorists
holding software companies at ransom and being irresponsible by releasing
proof-of-concept code. Microsoft claims that we are in a state of
"Information Anarchy" and that the research community must be stopped.
Do we really want to return to the olden days when vendors knew they
could ignore security issues? I say no; it has to stop and the only way
to stop it is to demonstrate to Microsoft and the world what _true_
Information Anarchy is. I propose that everyone who is involved in
security research and supports full disclosure steps up research efforts
and releases those issues that they have been sitting on. Let's flood
the security department of every vendor with new issues. Let's show the
world what they would miss and what information could just as easily have
stayed in the underground rather than be posted to Bugtraq or Vulnwatch.
Before you go out and start releasing all your zero-days, I do caution
this with the recommendation that we all put in the effort to coordinate
with vendors before releasing the advisories. I do not mean you should
sit on something for 90 days until the vendor decides to fix it, but I do
think that the vendor should be notified and given a set amount of time
(30 days to fix and 5 to respond, perhaps) to respond properly. While we
need to be direct with our actions, we do need to exercise caution and responsibility.
Show your support for this movement; help us take the power back from the
vendors. I am offering my free time to help anyone with a security issue
to report it to the vendor and craft an advisory. I am also asking
everyone in the research community who supports full disclosure to
release advisories in support of what I am calling Information Anarchy
2K01.
We have had the lame, media-created defacement wars between script
kiddies - now it is time to wage a true war that will demonstrate our
skills, and more importantly, demonstrate to the vendors, the
corporations, and the world, what they are forcing into the underground.
I am not asking anyone to do anything illegal, I do not want to see any
supportive defacements or hacks but I do want to see some supportive
advisories and research efforts. Microsoft just spent the last few years
fighting for their "freedom to innovate" and now they are trying to take
ours.
For information, help, or comments please email hellnbak@nmrc.org.
|
|