Message-ID: <000b01c768c2$c4dc3b20$641f6a41@MyBabies>
Date: Sat, 17 Mar 2007 18:33:30 -0000
From: "Mark Litchfield" <Mark@...software.com>
To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>,
	<full-disclosure@...ts.netsys.com>
Subject: Conflict of Interest - My summary

One point of view that was raised whereby it could possibly be determined 
that an OS vendor providing security applications to protect its OS was a 
conflict of interest is as follows:

"IMHO I think the fear has always been that as long as an OS was closed 
source, that company owning that OS could write or have inside knowledge of 
vulnerability information that would benefit or promote that security 
product more than another company. This could almost be classified like 
insider trading."

Whilst this statement is somewhat true, many of the security vendors offer 
up many other enterprise solutions to their customers that are not all about 
protecting the end user from an 'attack'.

Whilst the install base may not be as big as that of an OS vendor, many of 
these enterprise solutions can be critical to the daily operation of a 
business.  So for any vulnerabilities found in these products, these security 
vendors can mitigate the risk at day zero by applying IPS / IDS signatures 
to their existing product range in the absence of a patch.

Are they likely to share this zero-day information with their competition?  I 
think not.

Also, is it really such a bad thing that an OS vendor who offers up security 
applications can immediately protect its customer base at almost day zero, 
when a vulnerability has been reported to secure@...tever.com, by adding the 
protection capability within its security apps?  At this point the vendor 
knows their customers in the interim are protected, whilst they get down to 
examining the area of code for the flaw, determine if there are any more 
vulnerabilities and then produce a patch.

Another good example is Oracle: they have their Database Vault, which is 
'designed' to add an additional layer of security to protect their database 
and their customers.  This is clearly a responsible approach, but I do not 
hear any complaints or shouts of a conflict of interest from those that 
produce 'Database IDS / IPS' solutions.

There will always be the argument that an OS vendor should not charge for 
the OS and then charge for the additional security protection, but for some 
vendors, they may have no other alternative, as it may pave the way for a 
lawyers' banquet which they would most likely lose in the end.  (I am no 
lawyer, but one could easily foresee every security vendor filing anti-trust 
lawsuits; they would have to, as they need to protect their business and their 
shareholders.)

There will also always be the argument from security vendors (and let's be 
honest about it, they are only talking about Microsoft here) that MS should 
share zero-day vulnerabilities with them so that they can offer the same 
level of protection within their security solutions.  This is unlikely to 
ever happen (would they share their zero days with MS?).  Of all the 
applications out there, do they get zero-day information from any other 
vendor such as Sun, IBM, HP, Apple etc.?  Again, I think not.

My original email was to get a wider, well-informed view of opinions on the 
subject to determine if my belief was right / wrong.

So I guess my opinion in conclusion still stands: that for ANY software vendor 
who looks to add additional layers of security (free or not), it (IMHO) is 
not a conflict of interest and serves the end user well.  By whatever means 
necessary, it should be the responsibility of the vendor to include / offer 
increased 'peace of mind'.

Thanks to all those that contributed

All the best

Mark 
