Open Source and information security mailing list archives
From: jftucker at gmail.com (James Tucker)
Subject: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...

This is a long thread consisting of a wonderful amount of
disinformation. You're all doing the US intelligence services a
massive favour, well done.

Frankly, there is no evidence to suggest that any of you 'know'
anything real about the exchange of information between governments
and Microsoft. If you don't know, why are you speaking?

Some facts to add to the fray:

- Microsoft source code is available in certain organisations outside
of Microsoft.
- Given source code, patches for exploits / workarounds can be
developed locally in good time.
- If there is no (releasable) patch ready, there is no good reason to
inform the world of the existence of an exploit, unless some
particular notes about defense are included.
- Deception is one of the most important parts of preemptive national
infrastructure protection; deception leads to mis- and disinformation,
meaning even some of those who make the decisions don't really know
the whole story.
- Critical infrastructures in well planned government organisations
are almost un-identifiable.

Now some food for thought:

- Does the US Government (one of the most hated in the world) operate
on US soil? Would that be a good or a bad idea in terms of security?
And what about in terms of deception? Do you know the answer? Could
you ever _know_ the answer?
- Does the government need MS to send them any information? Do they ask
for it anyway to 'keep up appearances'?
- Lawful requirements. It can be construed that any citizen should be
under lawful duty to inform the relevant authorities of all dangers
which may have been created, controlled or observed by that citizen
wherever there may be a potential danger to any major infrastructure.

I don't see where this thread is going, or really where it could go.

You can mail Microsoft's already busy security group if you want, but
mass mailing isn't a good solution. Didn't you learn from your
experiences of bullying that such actions never work, especially
against the giants? You have to make them see the error of their ways,
and this requires a consistent argument. The MVP program should be the
target of this argument, along with politicians.

I entrust infrastructure security to the professionals who are
employed for that task. I trust in my government to employ the right
people, and to take the necessary actions to try and ensure my safety.
They may have flaws or holes in places, but it is for that reason I do
not attempt to suppress them. Clearly there is a massive lack of trust
of the US government; this seems particularly strange in a country
which claims to be the leader of democracy.

If an exploit is leaked as a result of pre-announcement information
exchange between the US government and MS, then it is leaked, that is
all. It is a more important fact that there exists some path for
information flow than the information itself. Once leaked, please
remember that this is only as bad as the person receiving the leak
"discovering" it. In any case, if no patch is yet available, there is
nothing which can be done to prevent the exploit (barring
workarounds). This is the potential time for dangerous disclosure, as
is evident from the full-disclosure policy. The race is on between the
patching team and the exploit coder. Critical infrastructure needs to
be safe during this time, but how critical, maybe like government
critical? What classifies critical infrastructure? Well, Vladis had it
mostly right, but please don't forget to add that anything holding
critical information can also be critical infrastructure. This can
include simple things such as a revealing letter or a simple user
password. There are many ways to exploit the real world, and attacks
on governments don't tend to be limited to virtual or logical
structures.

Your $0.02, as I don't deal in $. :-)
