Date: Tue, 20 Mar 2007 09:51:16 +0530
From: "crazy frog crazy frog" <i.m.crazy.frog@...il.com>
To: "Mark Litchfield" <Mark@...software.com>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	full-disclosure@...ts.netsys.com
Subject: Re: Conflict of Interest - My summary

my summary:
conflict of interest == fear of losing the business!

On 3/18/07, Mark Litchfield <Mark@...software.com> wrote:
> One point of view that was raised whereby it could possibly be determined
> that an OS vendor providing security applications to protect its OS was a
> conflict of interest is as follows:
>
> "IMHO I think the fear has always been that as long as an OS was closed
> source, that company owning that OS could write or have inside knowledge of
> vulnerability information that would benefit or promote that security
> product more than another company. This could almost be classified like
> insider trading."
>
> Whilst this statement is somewhat true, many of the security vendors offer
> up many other enterprise solutions to their customers that are not all about
> protecting the end user from an 'attack'.
>
> Whilst the install base may not be as big as that of an OS Vendor, many of
> these enterprise solutions can be critical to the daily operation of a
> business.  So any vulnerabilities found in these products, these security
> vendors can mitigate the risk at day zero by applying IPS / IDS signatures
> to their existing product range in the absence of a patch.
>
> Are they likely to share this zero day information with their competition, I
> think not.
>
> Also, is it really such a bad thing that an OS vendor who offers up Security
> Applications can immediately protect its customer base at almost day zero
> when a vulnerability has been reported to secure@...tever.com by adding the
> protection capability within its Security Apps.  At this point the vendor
> knows their customers in the interim are protected, whilst they get down to
> examining the area of code for the flaw, determine if there are any more
> vulnerabilities and then produce a patch.
>
> Another good example is Oracle, they have their Database Vault, which is
> 'designed' to add an additional layer of security to protect their database
> and their customer.  This is clearly a responsible approach, but I do not
> hear any complaints or shouts of a conflict of interest by those that
> produce 'Database IDS / IPS' solutions.
>
> There will always be the argument that an OS vendor should not charge for
> the OS and then charge for the additional security protection, but for some
> vendors, they may have no other alternative as it may pave the way for a
> lawyers' banquet which they would most likely lose in the end.  (I am no
> lawyer, but one could easily foresee every security vendor filing Anti-Trust
> lawsuits; they would have to, they need to protect their business and their
> shareholders)
>
> There will also, always be the argument from security vendors that (and
> let's be honest about it, they are only talking about Microsoft here), that
> MS should share zero day vulnerabilities with them so that they can offer
> the same level of protection within their security solutions.  This is
> unlikely to ever happen (would they share their zero days with MS ?)  Of all
> the applications out there, do they get zero day information from any other
> vendor such as Sun, IBM, HP, Apple etc, again I think not.
>
> My original email, was to get a wider well informed view of opinions on the
> subject to determine if my belief was right / wrong.
>
> So I guess my opinion in conclusion still stands, that ANY software vendor
> who looks to add additional layers of security (free or not), it (IMHO) is
> not a conflict of interest and serves the end user well.  By whatever means
> necessary, it should be the responsibility of the vendor to include / offer
> increased 'peace of mind'.
>
> Thanks to all those that contributed
>
> All the best
>
> Mark
>
>


-- 
---------------------------------------
http://www.secgeeks.com
get a blog on secgeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secgeeks.com/node/feed
Submit you security articles,send them to secgeek@...geeks.com

http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------
