Bugtraq mailing list archives

Re: Fwd: Information on MS99-022


From: Russ.Cooper () RC ON CA (Russ)
Date: Mon, 5 Jul 1999 02:52:07 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to keep things straight around here...I don't filter anyone's
posts, I moderate a mailing list which has a lot of messages from a
lot of people dropped on the floor for a lot of reasons.

There wasn't 10 minutes between the release of MS99-022 and the time I
had Microsoft on the phone over the disclosure issue. I stated my
case, that Microsoft must release "signature" details of internally
discovered vulnerabilities to "the public", and was told there was a
discussion going to be held on the issue. I believe I stated the case
well, and that my intentions and recommendation on how to do this best
were heard.

It matters not who receives the full details, as long as they get to
the public in a timely fashion. I don't feel that full and immediate
disclosure is always necessary, or prudent (and neither does eEye),
but it's crucial that they do get into the public's hands. Neither
Microsoft, nor ICSA, can assure anyone that any mechanism for
disclosure is going to reduce, or eliminate, public
disclosure...therefore any attempts at doing so from the beginning
are, as someone else already said, Security By Obscurity.

I'm as unhappy as everyone else that Microsoft appear to have chosen
this route to the disclosure of internally discovered vulnerabilities.
This will become even more obvious over the next few weeks,
unfortunately. Although discussions, held recently during the
NTBugtraq Party, may have some influence on their future
disclosures...we can only hope.

If anyone is going to "re-release Microsoft's advisories with full
details", that's great. Every worthwhile post is going to make it to
NTBugtraq. I will say this though, I do not believe that any such
"re-release" can possibly provide us with the information we *need*
and *demand* from Microsoft.

It goes without saying that Microsoft have, for a very long time, been
releasing what we would call "security fixes" within service packs
without making any announcements. The fact that they do, now, provide
a Security Bulletin is a Good Thing(tm). They say their customers
don't want them "telling hackers how to do a better job". I say we
can't possibly know how good a job they, Microsoft, are doing without
knowing more about vulnerabilities.

Each Security Bulletin about an internally discovered vulnerability
that is released without sufficient "signature" details erodes their
credibility amongst the community of users who, possibly, may be the
only ones trusted to say "Yes" or "No" to NT deployment in
environments requiring security, stability, or integrity.

"Trust" doesn't come exclusively from the availability of a fix. It's
something earned and enhanced through the dissemination of accurate
and timely information.

Whether or not you, the individual Bugtraq reader, trust Microsoft
isn't relevant here. Microsoft is less trustworthy if we, "the
public", are not trusted with this information, period.

Cheers,
Russ - NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN4BWGM+Ua7J6A+woEQKPewCg3RS9gsSHHYops2y6PG7E2EnYJhQAoMYQ
BvgCqmtjae9+GUvE4BPO7+ce
=7SrQ
-----END PGP SIGNATURE-----

