[10950] in bugtraq
Re: Fwd: Information on MS99-022
daemon@ATHENA.MIT.EDU (Weld Pond)
Mon Jul 5 16:21:30 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.10.9907050759490.2253-100000@l0pht.com>
Date: Mon, 5 Jul 1999 08:14:47 -0500
Reply-To: Weld Pond <weld@L0PHT.COM>
From: Weld Pond <weld@L0PHT.COM>
X-To: Renaud Deraison <deraison@CVS.NESSUS.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9907040028570.1357-100000@prof.fr.nessus.org>
On Sun, 4 Jul 1999, Renaud Deraison wrote:
> And I'm writing a free security auditing tool, and I won't be able to
> implement a security check for this, because I'm not a "vendor" ?
> (apparently only software vendors are welcomed to the ICSA's IDC --
> they did not reply to my request of being admitted in this consortium
> [so that I could get information about this flaw])
I have an idea. To counter this information witholding problem, non-vendor
individuals who find security problems should have mailing lists that only
non-vendor individuals are on. Yeah, sure the information will eventually
leak out but it will take much longer for the problems to be fixed by the
vendors. Of course Microsoft and members of their selected consortia would
be forbidden to join the list.
Does this seem like a good idea? Well personally I think it is crazy but
it is exactly what Microsoft is asking individual security contributers
and practitioners to accept, albeit shoe on other foot.
-weld
