Ignorance, Strength

“Your Ignorance is Our Strength”

A good article in The Register on Micro$oft’s “Security through Obscurity” initiative. It basically says that M$ is trying to keep others from revealing security problems with its products, under the guise of keeping hackers from finding out.

Elias Levy, security expert and former moderator of the BUGTRAQ list, considers this Framework akin to developing an “Information Cartel” with the result of improving the image of software vendors by withholding potentially embarrassing information that could adversely impact sales. Simple Nomad also noted that the controversial Digital Millennium Copyright Act (DMCA) could be invoked by Microsoft and target independent researchers and non-Framework members publishing vulnerability information about its products, just as Adobe did this past summer. In this case, the company would join Adobe in using law and criminal procedure as poor replacements for quality control and effective software testing. Perhaps by joining the Framework, you are immune from DMCA liability provided you only report your vulnerabilities to Microsoft? Will security researchers be forced to join the Framework or be litigated out of business?
[…] Releasing better products would go a long way in preventing the constant patch triage that Microsoft admins face on a weekly basis. The problem is not the periodic misuse of vulnerability information in the public domain, but the delusional position of Microsoft that their products aren’t to blame for these recurring, high-profile security incidents. Novices can write code to exploit Microsoft products because Microsoft makes it so easy for them to do. If the software monopoly effectively addressed the underlying root causes of its software problems instead of merely treating each symptom as it was reported, today’s novices would not have historical blueprints to learn from in building new attacks that exploit similar historical vulnerabilities in Microsoft’s products. Code Red was not a “new” exploit but the latest in a series of buffer overflow problems affecting IIS for years.
[…] Under Microsoft’s Framework, the preferred method of dealing with this is to keep folks in the dark and only issue the barest shred of useful information, if they chose to release it at all. Something somewhere, at some time, is going to attack you. Beyond that, we can’t tell you more because we either don’t know or don’t want to give anyone any ideas. Trust us, we will get back to you as soon as possible.

Well, at least the government is cracking down on these guys, breaking their monopoly and making sure they treat the public fair– … uh, what’s that? Oh. Sorry. Never mind.
