Text 6019, 76 rader
Skriven 2005-07-14 12:41:08 av Geo (1:379/45)
   Kommentar till text 6001 av John Beckett (1:379/45)
Ärende: Re: Unleash Sasser worm - infect 1 million - get 30 hours community ser
===============================================================================
From: "Geo" <georger@nls.net>

No, I'm claiming that they could have taken control of almost every windows
computer that connects to the internet at any time since the "information
anarchy" program started allowing Microsoft to take 188 days to patch the most
critical of exploits. Prior to that their window from discovery/publishing to
patch was at most 2 weeks. But now with standard patch times taking roughly
half a year there is always a root exploit or two that they know about that is
unpatched. At the momemt there are 4 for windows and several more for other
very common windows programs and those are just the ones eeye discovered, not
the full batch of all known root level exploits for windows.

As for Rich's attitude about eeye being irresponsible, this article about the
"information anarchy" program shows eeye's initial stance on things pretty
clearly.

http://www.securityfocus.com/news/281

"What's being created here is an information cartel," says Elias Levy, former
moderator of the Bugtraq security mailing list, a standard outlet for
'full disclosure' security information. "It actually benefits security
vendors to have limited vulnerability information, because it makes them look
better in the eyes of their customers," says Levy. (Levy is CTO of
SecurityFocus).

Under the plan, member companies would share detailed information during the
30-day grace period with law enforcement agencies, infrastructure protection
organizations, and "other communities in which enforceable frameworks exist to
deter onward uncontrolled distribution." The last category would allow member
companies to share details with clients under a non-disclosure agreement, and
to share details with one another. "They're not going to ban it among
themselves," says Levy. "They might be willing to limit the public access to
this information, but I highly doubt that they'll limit it among each other."

Marc Maiffret, co-founder of eEye Digital Security, agrees, and charges that
the coalition was formed for the commercial advantage of its members, rather
than the well-being of the Internet.

"If it becomes hard to release vulnerabilities, that's a good way for Microsoft
to get rid of some embarrassment," says Maiffret.

Maiffret's company is responsible for discovering some of the most serious
Microsoft security holes in recent years -- vulnerabilities in the company's
IIS web server product that allow attackers to gain remote control of the
system. He says eEye cooperates with vendors, and doesn't release advisories
until a company has had a chance to produce patches for the security hole. But
Maiffret rejects the idea of holding back on technical details, and warns that
the new coalition may alienate independent security researchers.

"People have to do it Microsoft's way or they'll have this group telling them
that they're acting irresponsibly," says Maiffret. "It's going to drive people
into the underground, and could lead to more people breaking into computers."


Geo.

"John Beckett" <FirstnameSurname@compuserve.com.omit> wrote in message
news:nf1cd1pblvdmv4gpcp55g3671etghdujsm@4ax.com...
> "Rich" <@> wrote in message news:<42d5ef53@w3.nls.net>:
> > You made a claim that 95% of computers are vulnerable to the point that
eeye could own them.
>
> I thought Geo's claim was that if eeye had not been publishing the bugs
> they had found (and just kept them to themselves) over the last couple of
> years, then eeye could have owned 95% of the Windows computers connected
> to the Internet now.
>
> Assuming that no one filled this hypothetical vacuum left by eeye saying
> nothing, Geo's claim looks very credible to me (with pointless argument
> about whether it's really 95% or 85% etc).
>
> John
>

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)