NetNews: News/Analysis


Microsoft Pushes Cone of Security Silence


November 13, 2001
By Mike Fratto

Microsoft, in a never-ending battle to maintain its security image, is once again trying to push through a dubious initiative with help from consulting firms and security vendors like @Stake, Bindview, Foundstone, ISS and Guardent. The stated purpose of the group is to develop an RFC that will be submitted to the IETF in the hopes that it will become a document following a standards track. If that happens, then researchers who do not follow the RFC standard will not only be subjected to that ultimate Internet insult, "You're not standards compliant," but they will also be what Microsoft's Scott Culp calls an "information anarchist." Pretty soon thereafter, I bet these non-compliant security researchers will simply be called criminals. Wait, that already happened.

Why make a big stink about this? Maybe you're thinking it sounds like a good idea. On the surface, I would agree. But the security research community has already made efforts to self-regulate, and it has made efforts to give vendors an opportunity to develop a patch for a security problem before going public with it. Both eEye Digital Security and hacker Marc Slemko, for example, worked with Microsoft, holding off before going public with discovered vulnerabilities until Microsoft developed a patch. So why do we need a watchdog group to make sure that happens?

Consider who's driving this bus -- Microsoft. And think about what has happened in the last few months. The company has been hit with a slew of very bad publicity at a time when it was trying to launch Windows XP and gain buy-in for Passport. Because of security bugs in IIS, Outlook, IE, and Outlook Express, people running Microsoft products have been actively attacked. It must have come as a real shock for Microsoft to hear Gartner Group's John Pescatore recommend that organizations hit by Nimda should investigate alternatives to IIS.

And in a spectacular development, Marc Slemko actively attacked Passport (http://alive.znep.com/~marcs/passport/), the online shopping service, where you are supposed to put all your personal and financial information. Slemko's research indicates that even with Microsoft's much publicized commitment to improving security with the Security Technology Protection Program (http://www.microsoft.com/security/), the company has done little to actually make products and services more secure.

This RFC security initiative is nothing but a marketing ploy designed to bolster Microsoft's security image without forcing the company to do anything concrete about the problem -- you know, like making secure software and services. When the popular press gets a hold of a story where corporations large and small (as well as individuals) are being dragged to their knees because of an attack against IIS, Outlook and IE, that makes Microsoft look bad. People don't get a warm-fuzzy, and they may not want to buy such products. Press like this is just bad for business. Microsoft's stance is that if there were no full disclosure methodology in place, then these attacks would not have taken place because the exploit code would not have been available.

Hogwash.

The companies that have signed on with Microsoft certainly have a financial stake here. The more security vendors can keep you in the dark about network security, the more likely you are to go to them for services. You see, in developing a final RFC, these vendors will probably demand that details concerning security vulnerabilities not be published. Those companies will attempt to kill full disclosure. Again, this sounds like a perfectly reasonable stance. Why do we need to know the details of the attack? Full disclosure only gives people the tools to attack us. Certainly, there is an element of truth there. Then again, one of the best ways to ensure that security patches are properly in place and functioning as expected is to run the exploit code to see what happens.

Think about this. Software vendors (and there are a lot of them) can't make secure software in the first place, so how can you trust them to make insecure software any more secure? Patches can introduce regression bugs, open new holes, or only fix the problem in a limited way. Sure, you can hire any of the above-mentioned consultants to make sure your network is secure. And undoubtedly Bindview or ISS will be more than willing to sell you products to do just that. Take a look at Greg Shipley's IDS review or vulnerability assessment review, and you will find that these products are still not fully reliable.

Maybe I am just spitting windward. Maybe in a few years, this security RFC will be developed, and the industry can then pummel independent security researchers into silence. Maybe the bad press will go away, and vendors will show us how good they are by protecting us from knowing exactly how vulnerable our networks are. When we call in consultants, we can just turn our heads and cough, knowing everything will just work out. Of course, maybe in a few years I will be swimming off Cemetery Beach in Grand Cayman, and I won't have to say "I told you so."

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs and covers all security-related topics. A member of the editorial staff since 1996, Mike has made presentations at NetWorld+Interop and The Internet Security Conference on various aspects of VPNs. Mike can be reached at mfratto@nwc.com.








