[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e92364c305031305138ea9b8@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: Reuters: Microsoft to give holes info to Uncle
Sam first - responsible vendor notification may not be a good
idea any more...
This is a long thread consisting of a wonderful amount of
dis-information. You're all doing the US intelligence services a
massive favour, well done.
Frankly, there is no evidence to suggest that any of you 'know'
anything real about the exchange of information between governments
and Microsoft. If you don't know, why are you speaking?
Some facts to add to the fray:
- Microsoft source code is available in certain organisations outside
of Microsoft.
- Given source code, patches for exploits / workarounds can be
developed locally in good time.
- If there is no (releasable) patch ready, there is no good reason to
inform the world of the existence of an exploit, unless some
particular notes about defense are included.
- Deception is one of the most important parts of preemptive national
infrastructure protection, deception leads to mis- and dis-information
meaning even some of those who make the decisions don't really know
the whole story.
- Critical infrastructures in well planned government organisations
are almost un-identifiable.
Now some food for thought:
- Does the US Government (one of the most hated in the world) operate
on US soil? Would that be a good or a bad idea in terms of security?
And what about in terms of deception? Do you know the answer? Could
you ever _know_ the answer?
- Does the govm't need MS to send them any information? Do they ask
for it anyway to 'keep up appearances'?
- Lawful requirements. It can be construed that any citizen should be
under lawful duty to inform the relevant authorities of all dangers
which may have been created, controlled or observed by that citizen
wherever there may be a potential danger to any major infrastructure.
I don't see where this thread is going, or really where it could go.
You can mail Microsoft's already busy security group if you want, but
mass mailing isn't a good solution, didn't you learn from your
experiences of bullying that such actions never work, especially
against the giants. You have to make them see the error of their ways,
and this requires a consistent argument. The MVP program should be the
target of this argument, along with politicians.
I entrust infrastructure security to the professionals whom are
employed for that task. I trust in my government to employ the right
people, and to take the necessary actions to try and ensure my safety.
They may have flaws or holes in places, but it is for that reason I do
not attempt to suppress them. Clearly there is a massive lack of trust
of the US government, this seems particularly strange in a country
which claims to be the leader of democracy.
If an exploit is leaked as a result of pre-announcement information
exchange between the US government and MS, then it is leaked that is
all. It is a more important fact that there exists some path for
information flow, than the information itself Once leaked please
remember that this is only as bad as the person receiving the leak
"discovering" it. In any case, if no patch is yet available, there is
nothing which can be done to prevent the exploit (barring
workarounds). This is the potential time for dangerous disclosure, as
is evident from the full-disclosure policy. The race is on between the
patching team and the exploit coder. Critical infrastructure needs to
be safe during this time but how critical, maybe like government
critical? What classifies critical infrastructure, well Vladis had it
mostly right, but please don't forget to add that anything holding
critical information can also be critical infrastructure. This can
include simple things such as a revealing letter or a simple user
password. There are many ways to exploit the real world, and attacks
of governments don't tend to be limited to virtual or logical
structures.
Your $0.02, as I dont deal in $. :-)
Powered by blists - more mailing lists