Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Sat, Jan 23, 2010 at 08:57:12AM +0200, Gadi Evron wrote:
> ...(such as the Google attacks 0day apparently was)

I hope m$ products have something to do with http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/

Oil companies hit by 'state' cyber attacks, says report
Petrol reserves data targeted

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Valdis,

That's the way. The government must have a kind of protocol to allow an OS to be released. I believe that Windows will no longer exist after that. LOL.

2010/1/25 valdis.kletni...@vt.edu
> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> > This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
>
> How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?

--
Att,
Rafael Moraes
Linux Professional Institute Certified - Level 1
ITIL Foundations Certified
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Not even Linux or OSX, for that matter.

On Tue, Jan 26, 2010 at 11:07 AM, Rafael Moraes raf...@bsd.com.br wrote:
> Valdis,
>
> That's the way. The government must have a kind of protocol to allow an OS to be released. I believe that Windows will no longer exist after that. LOL.
>
> 2010/1/25 valdis.kletni...@vt.edu
> > On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> > > This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
> >
> > In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
> >
> > How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
>
> --
> Att,
> Rafael Moraes
> Linux Professional Institute Certified - Level 1
> ITIL Foundations Certified
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Rafael,

Well, either Windows will no longer exist, or Windows will be the only thing that will exist. Remember, very few people in the government have the necessary technical knowledge to evaluate operating systems accurately. Therefore, they will rely on private industry for input. In practice, this will mean that Microsoft will get to dictate the standards that every operating system must meet in order to be approved.

-- Rohit Patnaik

On Tue, Jan 26, 2010 at 4:07 AM, Rafael Moraes raf...@bsd.com.br wrote:
> Valdis,
>
> That's the way. The government must have a kind of protocol to allow an OS to be released. I believe that Windows will no longer exist after that. LOL.
>
> 2010/1/25 valdis.kletni...@vt.edu
> > On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> > > This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
> >
> > In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
> >
> > How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
>
> --
> Att,
> Rafael Moraes
> Linux Professional Institute Certified - Level 1
> ITIL Foundations Certified
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Mon, Jan 25, 2010 at 14:11, valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> > This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
>
> How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?

That's one issue. There are others.

The real issue, though, is not how to regulate MSFT. It's how to level the playing field. The best way I can think of to do that is to specify document formats, and make them available to all. ODF may not be the right format, but it's in the right direction.

If government(s) were to specify that any software they buy needs to read and write a particular set of formats, with the specifications of those formats publicly available for no more than the cost of copying them, and that they would only accept documents in those formats, then anyone could build software that meets those specifications. Then you'd see a more competitive environment.

Kurt
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
-100

We need more responsible IT departments.

On Sun, Jan 24, 2010 at 1:29 PM, Bipin Gautam bipin.gau...@gmail.com wrote:
> +1
>
> WE NEED MORE DISCUSSION ON THIS!!!
>
> -bipin
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?

2010/1/25 omg wtf hexma...@gmail.com
> -100
>
> We need more responsible IT departments.
>
> On Sun, Jan 24, 2010 at 1:29 PM, Bipin Gautam bipin.gau...@gmail.com wrote:
> > +1
> >
> > WE NEED MORE DISCUSSION ON THIS!!!
> >
> > -bipin

--
Att,
Rafael Moraes
Linux Professional Institute Certified - Level 1
ITIL Foundations Certified
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?

Rafael Moraes
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?

In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?

How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Some people think or assume that MS lays eggs daily. As if the security team at MS sat with one leg over the other, waiting for some bug to crop up some day.

On Mon, Jan 25, 2010 at 11:11 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> > This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies "don't rock the boat" and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office?
>
> How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
[Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
[I have given this some thought, edited my argument, and am moving this message to its own thread.]

Microsoft has put a lot into securing its code, and is very good at doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6 months without patching (such as the Google attacks 0day apparently was) and the policy of waiting a whole month before patching this very same vulnerability when it first became an in-the-wild 0day exploit (it has now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies.

A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now sold to them directly or indirectly by the security industry.

Gadi.

--
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
The problem with regulating Microsoft as critical infrastructure is that it simply entrenches the existing monoculture and all the problems that it entails. To really improve our position regarding security, the government ought to encourage greater diversity and openness in the OS market. Placing operating systems under formal regulation would have the opposite effect. It would increase the barriers to entry, discouraging diversity. In effect, this proposal will formalize Windows as the official OS of the federal government.

Second, unless the government extends its regulation to cover all consumers, there will be little to no improvement in security. The vast majority of exploited bugs are not 0-day vulnerabilities. They are bugs that have been discovered and patched. The problem is that the consumer has not applied the patch. If the government really wanted to improve computer security, they'd mandate that citizens keep up with patches to their operating system and applications. Such a mandate would have a far greater immediate impact than any regulation of Microsoft or any other OS vendor.

-- Rohit Patnaik

On Sat, Jan 23, 2010 at 12:57 AM, Gadi Evron g...@linuxbox.org wrote:
> [I have given this some thought, edited my argument, and am moving this message to its own thread.]
>
> Microsoft has put a lot into securing its code, and is very good at doing so. However, is it doing enough?
>
> My main argument is about the policy of handling vulnerabilities for 6 months without patching (such as the Google attacks 0day apparently was) and the policy of waiting a whole month before patching this very same vulnerability when it first became an in-the-wild 0day exploit (it has now been patched, ahead of schedule).
>
> Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies.
>
> A whole month as the default response to patching a 0day? Really?
>
> With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.
>
> This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now sold to them directly or indirectly by the security industry.
>
> Gadi.
>
> --
> Gadi Evron, g...@linuxbox.org.
> Blog: http://gevron.livejournal.com/
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
+1

WE NEED MORE DISCUSSION ON THIS!!!

-bipin
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
-1

I think there's enough already. What we need is focused and unbiased information, possibly from the MS software dev team (if you've got questions they need answering..).

On Sun, Jan 24, 2010 at 8:29 PM, Bipin Gautam bipin.gau...@gmail.com wrote:
> +1
>
> WE NEED MORE DISCUSSION ON THIS!!!
>
> -bipin
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
Ok, +0 as the right hand doesn't know the other...
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
+∞

Who says so?

On Sun, Jan 24, 2010 at 9:22 PM, Bipin Gautam bipin.gau...@gmail.com wrote:
> Ok, +0 as the right hand doesn't know the other...
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
m.. Read Books!