MS to force IT-security censorship

Creating, then throttling, security 'partners'


Exclusive: We all know how Microsoft likes to bully its many 'partners', so it comes as no surprise that the Beast has decided to apply its partnership muscle to silence the software and network security research community.

The company is currently shopping a 'security partnership agreement', which would open up reams of MS vulnerability data to those firms which capitulate to its censorship demands while leaving all others out in the cold, The Register has learned.

Terms of the partnership agreement include provisions which would enjoin partners from releasing 'detailed' vulnerability data over a 'blackout' period. Our information is in conflict here; we've heard that the blackout could be 45 days, à la CERT, or as long as six months, or indefinitely, until a fix is developed.

It's likely that several drafts of the agreement are in circulation, and this uncertainty indicates the minimum and maximum periods currently under consideration.

The word 'detailed' is still being debated, we gather. But we can guess that the sanitized reports MS itself likes to publish to accompany its patches would provide the model. Full disclosure would be enjoined until the Beast manages to issue a fix; and it appears that the agreement would give the company as long as it likes to develop one. Its security partners would be expected to keep silent, or issue a well-scrubbed, sanitized advisory in the meantime.

Just as we saw MS pressuring its partners to rat on system builders who request quotes on OS-less 'naked' boxes with a bribery scheme, we can expect similar shenanigans to ferret out rogue security vendors which dare defy the Redmond Censors and actually offer their customers useful information.

Redmond's goal is to ensure forcibly that exploit code doesn't fall into the hands of the blackhat development community before they've got a fix, but it also means that security vendors won't be able to give their customers the means to develop a workaround or a fix to an existing vulnerability until Redmond gets off its ass and solves the problem.

The problem here is obvious: if millions of systems are vulnerable to attack, it's pure head-in-the-sand gambling to hope that none of them will be exploited during the time it takes Redmond to sort it all out.

Frankly, if I were paying good money for security services, I'd feel cheated if my vendor withheld data which I might be able to use to protect myself from attack. I wouldn't consider that a service worth paying for. I would do business with security vendors who wouldn't withhold crucial information from me on Microsoft's behest.

Worse, we have here a recipe for establishing a monopoly on vulnerability data like the little cabal of greedy insiders who run the anti-virus industry, and who control access to information with a stranglehold which protects nothing so much as their revenue stream.

Spin Session

It's likely that MS will announce this appalling scheme formally during its Trusted Computing Forum in Mountain View, California on 6, 7 and 8 November.

The forum "will bring together leaders of the online community to address some of the most pressing privacy and security issues we face today," the company says.

And of course, it's all part of Microsoft's touching tradition of selfless public service: "The need for a forum such as this is greater than ever. The tragic events of September 11, 2001 have made an undeniable impact on the industry and the world with regards to privacy and security concerns," we're told.

And who's been invited to speak? Richard Clarke, Presidential Advisor for Cyber Security; Brian Arbogast, Vice President of Microsoft's .NET Core Platform Services; Craig Mundie, MS Chief Technology Officer; Mozelle Thompson, Commissioner, Federal Trade Commission; Stewart Baker, Partner, Steptoe and Johnson & former General Counsel, National Security Agency; Jerry Berman, Executive Director, Center for Democracy and Technology; Rebecca Cohn, member of the California State Assembly; Lt. Lenley Duncan, Commander California Highway Patrol Network Management Section; and Barry Steinhardt, Associate Director of the ACLU.

Rather a significant stacking of collaborators over skeptics, we must observe.

If anyone mistook MS Security Manager Scott Culp's recent essay denouncing full-disclosure proponents as 'information anarchists' for some simple, earnest opinion piece, they can dispense with that illusion.

The essay was a mere shot across the bow in preparation for the real assault, which we predict will ultimately include some RIAA-like lobbying consortium to enforce Redmond's will upon the security community.

Unless, of course, the security research community has the spine to defy the Beast, an outcome we'd like to see, but which we wouldn't bet good money on. Though if anyone wants to step up and prove us wrong, we'll be the first to applaud. ®

