MS to force IT-security censorship

Creating, then throttling, security 'partners'

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Exclusive: We all know how Microsoft likes to bully its many 'partners', so it comes as no surprise that the Beast has decided to apply its partnership muscle to silence the software and network security research community.

The company is currently shopping a 'security partnership agreement', which would open up reams of MS vulnerability data to those firms which capitulate to its censorship demands while leaving all others out in the cold, The Register has learned.

Terms of the partnership agreement include provisions which would enjoin partners from releasing 'detailed' vulnerability data over a 'blackout' period. Our information is in conflict here; we've heard that the blackout could be 45 days, a la CERT, or as long as six months, or indefinitely, until a fix is developed.

It's likely that several drafts of the agreement are in circulation, and this uncertainty indicates the minimum and maximum periods currently under consideration.

The word 'detailed' is still being debated, we gather. But we can guess that the sanitized reports MS itself likes to publish to accompany its patches would provide the model. Full disclosure would be enjoined until the Beast manages to issue a fix; and it appears that the agreement would give the company as long as it likes to develop one. Its security partners would be expected to keep silent, or issue a well-scrubbed, sanitized advisory in the mean time.

Just as we saw MS pressuring its partners to rat on system builders who request quotes on OS-less 'naked' boxes with a bribery scheme, we can expect similar shenanigans to ferret out rogue security vendors which dare defy the Redmond Censors and actually offer their customers useful information.

Redmond's goal is to ensure forcibly that exploit code doesn't fall into the hands of the blackhat development community before they've got a fix, but it also means that security vendors won't be able to give their customers the means to develop a workaround or a fix to an existing vulnerability until Redmond gets off its ass and solves the problem.

The problem here is obvious: if millions of systems are vulnerable to attack, it's pure head-in-the-sand gambling to hope that none of them will be exploited during the time it takes Redmond to sort it all out.

Frankly, if I were paying good money for security services, I'd feel cheated if my vendor withheld data which I might be able to use to protect myself from attack. I wouldn't consider that a service worth paying for. I would do business with security vendors who wouldn't withhold crucial information from me on Microsoft's behest.

Worse, we have here a recipe for establishing a monopoly on vulnerability data like the little cabal of greedy insiders who run the anti-virus industry, and who control access to information with a stranglehold which protects nothing so much as their revenue stream.

Spin Session

It's likely that MS will announce this appalling scheme formally during its Trusted Computing Forum in Mountain View, California on 6, 7 and 8 November.

The forum "will bring together leaders of the online community to address some of the most pressing privacy and security issues we face today," the company says.

And of course, it's all part of Microsoft's touching tradition of selfless public service: "The need for a forum such as this is greater than ever. The tragic events of September 11, 2001 have made an undeniable impact on the industry and the world with regards to privacy and security concerns," we're told.

And who's been invited to speak? Richard Clarke, Presidential Advisor for Cyber Security; Brian Arbogast, Vice President of Microsoft's .NET Core Platform Services; Craig Mundie, MS Chief Technology Officer; Mozelle Thompson, Commissioner, Federal Trade Commission; Stewart Baker, Partner, Steptoe and Johnson & former General Counsel, National Security Agency; Jerry Berman, Executive Director, Center for Democracy and Technology; Rebecca Cohn, member of the California State Assembly; Lt. Lenley Duncan, Commander California Highway Patrol Network Management Section; and Barry Steinhardt, Associate Director of the ACLU.

Rather a significant stacking of collaborators over skeptics, we must observe.

If anyone mistook MS Security Manager Scott Culp's recent essay denouncing full-disclosure proponents as 'information anarchists' for some simple, earnest opinion piece, they can dispense with that illusion.

The essay was a mere shot across the bow in preparation for the real assault, which we predict will ultimately include some RIAA-like lobbying consortium to enforce Redmond's will upon the security community.

Unless, of course, the security research community has the spine to defy the Beast, an outcome we'd like to see, but which we wouldn't bet good money on. Though if anyone wants to step up and prove us wrong, we'll be the first to applaud. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
prev story


Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.