About that MS security response initiative ... I think, if you view their security response team as a completely separate independent entity from the MS development team, you'll find that they're making a valiant attempt at doing an impossible job.

Scott Culp is just trying to rally the security community to be self-policing with regard to publishing detailed exploit instructions. Not a bad idea at all. And in this regard, this seems to be handled in a light-handed manner ... so far. When I take off my conspiracy theory glasses, I don't even see any particularly offensive ideas in his manifesto:

http://www.microsoft.com/technet/columns/security/noarch.asp

Surely we can all agree that Scott has got the toughest job in the world. :-) Maybe we can give him a break and offer some constructive feedback.

But personally, I don't think there's much hope of changing the way that particular company behaves, or for that matter, much of the rest of the industry too. Not until vendors are held legally accountable for negligent design.

Maybe someday, somehow, there will be a class action lawsuit. (I saw a recent infosec conference flyer that had some silly quote about the annual cost of viruses or something being in the $100,000,000,000 range. :-) Or maybe one of our new draconian laws will be turned around to make vendors criminally responsible for promoting cyber terrorism! Surely that'll make 'em think twice before opening that new back door, or creating yet-another "auto-launch a hidden executable" feature.

-- David

At 08:52 PM 10/16/01 -0400, Steven M. Bellovin wrote:
>Microsoft? See their view of how to deal with security at
>http://www.newsbytes.com/news/01/171173.html -- I wonder if they
>think it should apply to crypto research, too?
>
>Of course, why should I be surprised at this? Some crypto research is
>already banned by the DMCA; why not ban even more?
