From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 6 Nov 2001 19:51:21 -0800 (PST)
Subject: [iwar] [fc:'White.Hat'.Hackers.Threaten.Information.Anarchy]
Message-Id: <200111070351.fA73pLB07858@red.all.net>
Reply-To: iwar@yahoogroups.com
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Organization: I'm not allowed to say
X-Mailer: ELM [version 2.5 PL3]

'White Hat' Hackers Threaten Information Anarchy
By Brian McWilliams, Newsbytes, 11/6/2001
http://www.newsbytes.com/news/01/171900.html

Responding to an effort by Microsoft [NASDAQ:MSFT] to squelch the full disclosure of software vulnerabilities, a group of "white hat" hackers is putting out a call to other experts, asking them to deluge software vendors with bug reports.

"Let's flood the security department of every vendor with new issues. Let's show the world what they would miss and what information could just as easily have stayed in the underground," wrote a security researcher who uses the nickname "HellNbak," in an announcement posted to several security mailing lists last week.

So far, only one prominent organization has signed on to the "Information Anarchy 2K01" initiative - a group known as Nomad Mobile Research Center, of whom HellNbak is a member.

The call to arms comes as Microsoft convened its Trusted Computing conference in Mountain View, Calif., today, and is expected Wednesday to further its push for an industry consensus against disclosing details on security vulnerabilities.

That effort to block security experts from publishing "exploits" was formally launched last month with the publication of an essay by Scott Culp, the head of Microsoft's security response center, entitled "It's Time to End Information Anarchy."

The company is expected to put forth a formal proposal this week in the form of a request for comment with the Internet Engineering Task Force, an industry standards-setting body.

Sources said Microsoft also has recently been lobbying senior management at major security consulting firms over the issue, and at least one unspecified company has agreed to adopt Microsoft's vision of "responsible" disclosure.

"If companies don't start taking a more responsible approach, some of the ramifications could be bad," including new laws criminalizing the release of exploit code, said Chris Klaus, founder and chief technology officer for Internet Security Systems.

According to Klaus, ISS has long considered the public release of "proof of concept" programs that exploit software holes "the equivalent of giving burglar tools to everyone."

But if Microsoft succeeds in shutting off open discussions of security vulnerabilities, the conversation will merely go underground to the world of "thieves, spies, and never-do-wells," according to Richard Forno, chief technology officer for Shadowlogic, a Virginia-based security consulting firm.

"HellNbak is correct. ... We need this public discourse, without which the Internet community is placed in serious, uninformed, corporate-controlled jeopardy," said Forno.

Among those scheduled to present at the Microsoft conference is Chris Wysopal, director of research and development for AtStake, a security consulting firm that includes former members of L0pht, a group that in the past has released several tools that exploit security weaknesses.

Wysopal, who also uses the hacker nickname "Weld Pond," said he will outline his views on the need for vulnerability reporting standards.

At present, AtStake's disclosure policy specifies that the firm may release full technical details, including "non-gratuitous" exploit code, 12 days after notifying a vendor of a security vulnerability, according to a statement of the policy at the AtStake site.

While HellNbak reported that he has seen considerable interest from independent security consultants, the Information Anarchy proposal is unlikely to have its intended effect, according to Elias Levy, chief technology officer for SecurityFocus.

"He is calling for people to release vulnerabilities, but he is also calling for people to do so responsibly. So I fail to see how that is any different than what we do today," said Levy.

The Information Anarchy proposal is online here:
http://www.securityfocus.com/archive/82/224378
------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST