Security Research (Was: Scarfo "keylogger", PGP )

David Jablon dpj at world.std.com
Wed Oct 17 02:40:33 EDT 2001


About that MS security response initiative ...

I think, if you view their security response team as a completely
separate independent entity from the MS development team,
you'll find that they're making a valiant attempt at doing an
impossible job.

Scott Culp is just trying to rally the security community to be
self-policing with regard to publishing detailed exploit instructions.
Not a bad idea at all.  And in this regard, this seems to be
handled in a light-handed manner ... so far.
When I take off my conspiracy theory glasses, I don't
even see any particularly offensive ideas in his manifesto:
http://www.microsoft.com/technet/columns/security/noarch.asp

Surely we can all agree that Scott has got the toughest job
in the world. :-)  Maybe we can give him a break and offer some
constructive feedback.

But personally, I don't think there's much hope of changing the way
that particular company behaves, or for that matter, much of the rest
of the industry too.

Not until vendors are held legally accountable for negligent design.

Maybe someday, somehow, there will be a class action lawsuit.
(I saw a recent infosec conference flyer that had some silly quote
about the annual cost of viruses or something being in the
$100,000,000,000 range.  :-)

Or maybe one of our new draconian laws will be turned around to
make vendors criminally responsible for promoting cyber terrorism!

Surely that'll make 'em think twice before opening that new back door,
or creating yet-another "auto-launch a hidden executable" feature.

-- David


At 08:52 PM 10/16/01 -0400, Steven M. Bellovin wrote:

>Microsoft?  See their view of how to deal with security at
>http://www.newsbytes.com/news/01/171173.html -- I wonder if they
>think it should apply to crypto research, too?
>
>Of course, why should I be surprised at this?  Some crypto research is 
>already banned by the DMCA; why not ban even more?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com