From: sockz loves you (sockz_at_email.com)
Date: Wed Oct 02 2002 - 00:12:17 CDT


    You'll have to forgive me for not jumping in on this debate sooner.
    I was holding a going away party for a friend who's moving to China
    to teach Business English last night when I first read PHC's post.
    Woke up this morning to find my phone is down and the network is
    being patched... no internet, and the email address I post from
    doesn't support WAP :( shitty morning.

    But enough of my ranting...

    I've been watching OIS for a while now. Someone pointed me in
    their direction when the idea was still in its nascent form. And to
    be frank, it's a very good idea indeed. It solves one of the main
    problems of the security industry's current system: ie, who's on
    the receiving end of 0-day information.

    "The lack of any consensus procedures complicates the process of fixing vulnerabilities, and ultimately increases the risk that all computer users face."

    "Once the word is out to some, the risk of exploit increases dramatically, but many people still don't know about the problem."

    (source: http://www.oisafety.org/about.html)

    Die-hard whitehats will espouse in rebuttal that if admins are lazy
    then they should be punished by compromised security. A lie that
    only serves to further the paranoia and make those who are well-
    entrenched in the security industry look like gods. Most of you
    would have to be lying if you said you never considered how the use
    of "proof of concept" code in advisories could actually do more
    harm than good.

    "OIS is concerned about Internet safety as a whole. It may be true that a small number of sophisticated administrators can make beneficial use of "proof of concept" code, but its publication puts the vast number of internet users at serious risk."

    (source: http://www.oisafety.org/about.html)

    The OIS makes logical sense. Current systems in the security
    industry have vulnerability information thrown deep into the wild.
    OIS addresses that problem by directing that vuln info towards the
    people who can actually do something with it: responsible and
    serious vendors who are concerned about image and profit.

    PHC is right when they praise Microsoft. The OIS is a good business
    move. It's one of the smartest moves any company in the industry has
    made this year. By eliminating "proof of concept" code as far as
    Microsoft products go... you secure a WIDE RANGE of products
    attached to the internet... simply because of the wide use of MS
    products. You also reduce the number of script kiddies/leeches who
    use proof of concept code, and you reduce the probability of your
    share price dropping should a major vulnerability be found. The
    OIS could even make internet stocks more stable because the company
    has greater control over the flow of information about its products
    and their weak points, making profits easier to predict. That's
    just an estimate though, I'm not a stock broker. Hell, I haven't
    even spent more than two years studying the stock market.

    I support OIS whole-heartedly. It takes the power out of the hands
    of list owners and puts it back into the hands of software
    developers... the only people who can actually do something about
    the problem.

    ----- Original Message -----
    From: phchushmail.com
    Date: Tue, 1 Oct 2002 05:47:09 -0700
    To: full-disclosurelists.netsys.com
    Subject: Re: [Full-Disclosure] Organization for Internet Safety (OIS) formally announced

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    PHC is very happy about this move by Microsoft and other companies
    such as Symantec/SecurityFocus.

    The FAQ is a 180 degree turn on what they promoted in the past in order to
    stuff their pockets and tend to their bottom line, but at least their new
    self-serving and highly lucrative endeavour no longer conflicts with our own
    interests. Get rid of 'proof of concept' code. Idiots shouldn't have this
    spoonfed to them on the lists.

    Keep up the good work Microsoft. We were all pulling for you.

    And SecurityFocus, congratulations on deceiving the public sheep for so
    long... convincing them you had the innocent Netizen's interests at heart
    while your profit margin widened as a result of your mastery of capitalizing
    on insecurity, scare tactics, and FUD. Little did they know how corrupt and
    criminal you were, but at least now that you've jumped into bed with
    Symantec and Microsoft you can unashamedly spread your corporate wings and
    soar without fear of reprisal by those who knew what you were up to all
    along.

    It is a glorious day indeed. We're looking forward to a few months from now
    when there'll be only tumbleweeds blowing across The Land of Bugtraq, and
    when Dug Song can go back to his monkey stomp parachute float drops from
    Crip monuments in Detroit (Dug Song hacks).

    cu

    On Mon, 30 Sep 2002 19:48:42 -0700 "Steven M. Christey" <coleylinus.mitre.org> wrote:
    >
    >For those of you who care about vulnerability disclosure issues, the
    >"Organization for Internet Safety" (OIS) formally announced its
    >existence. This is the same group of security and software companies
    >that has been discussed in past months.
    >
    >The founding members are: stake, BindView, Caldera International (The
    >SCO Group), Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI,
    >and Symantec.
    >
    >Note that my employer, MITRE, is not a member of OIS. This often
    >causes confusion because I have been involved in writing documents
    >that OIS may use as part of their own policies.
    >
    >Some articles are at:
    >
    > http://www.theregister.co.uk/content/55/27312.html
    >
    > http://www.eweek.com/article2/0,3959,558881,00.asp
    >
    >The OIS home page is at:
    >
    > http://www.oisafety.org
    >
    >A FAQ is at:
    >
    > http://www.oisafety.org/about.html
    >
    >
    >The FAQ should be of high interest to anybody who does vulnerability
    >research.
    >
    >- Steve
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wlgEARECABgFAj2Zmy4RHHBoY0BodXNobWFpbC5jb20ACgkQ0rw64nEc6GJLvACgjiBp
    d39siuZjFZhs8T6o8H52zDcAn0ofQyvCBJX3yZe3i5QU7odkp24v
    =hv4E
    -----END PGP SIGNATURE-----

