MS to force IT-security censorship
Creating, then throttling, security 'partners'
Exclusive: We all know how Microsoft likes to bully its many 'partners', so it comes as no surprise that the Beast has decided to apply its partnership muscle to silence the software and network security research community.
The company is currently shopping a 'security partnership agreement', which would open up reams of MS vulnerability data to those firms which capitulate to its censorship demands while leaving all others out in the cold, The Register has learned.
Terms of the partnership agreement include provisions which would enjoin partners from releasing 'detailed' vulnerability data over a 'blackout' period. Our information is in conflict here; we've heard that the blackout could be 45 days, a la CERT, or as long as six months, or indefinitely, until a fix is developed.
It's likely that several drafts of the agreement are in circulation, and this uncertainty indicates the minimum and maximum periods currently under consideration.
The word 'detailed' is still being debated, we gather. But we can guess that the sanitized reports MS itself likes to publish to accompany its patches would provide the model. Full disclosure would be enjoined until the Beast manages to issue a fix; and it appears that the agreement would give the company as long as it likes to develop one. Its security partners would be expected to keep silent, or issue a well-scrubbed, sanitized advisory in the mean time.
Just as we saw MS pressuring its partners to rat on system builders who request quotes on OS-less 'naked' boxes with a bribery scheme, we can expect similar shenanigans to ferret out rogue security vendors which dare defy the Redmond Censors and actually offer their customers useful information.
Redmond's goal is to ensure forcibly that exploit code doesn't fall into the hands of the blackhat development community before they've got a fix, but it also means that security vendors won't be able to give their customers the means to develop a workaround or a fix to an existing vulnerability until Redmond gets off its ass and solves the problem.
The problem here is obvious: if millions of systems are vulnerable to attack, it's pure head-in-the-sand gambling to hope that none of them will be exploited during the time it takes Redmond to sort it all out.
Frankly, if I were paying good money for security services, I'd feel cheated if my vendor withheld data which I might be able to use to protect myself from attack. I wouldn't consider that a service worth paying for. I would do business with security vendors who wouldn't withhold crucial information from me on Microsoft's behest.
Worse, we have here a recipe for establishing a monopoly on vulnerability data like the little cabal of greedy insiders who run the anti-virus industry, and who control access to information with a stranglehold which protects nothing so much as their revenue stream.
It's likely that MS will announce this appalling scheme formally during its Trusted Computing Forum in Mountain View, California on 6, 7 and 8 November.
The forum "will bring together leaders of the online community to address some of the most pressing privacy and security issues we face today," the company says.
And of course, it's all part of Microsoft's touching tradition of selfless public service: "The need for a forum such as this is greater than ever. The tragic events of September 11, 2001 have made an undeniable impact on the industry and the world with regards to privacy and security concerns," we're told.
And who's been invited to speak? Richard Clarke, Presidential Advisor for Cyber Security; Brian Arbogast, Vice President of Microsoft's .NET Core Platform Services; Craig Mundie, MS Chief Technology Officer; Mozelle Thompson, Commissioner, Federal Trade Commission; Stewart Baker, Partner, Steptoe and Johnson & former General Counsel, National Security Agency; Jerry Berman, Executive Director, Center for Democracy and Technology; Rebecca Cohn, member of the California State Assembly; Lt. Lenley Duncan, Commander California Highway Patrol Network Management Section; and Barry Steinhardt, Associate Director of the ACLU.
Rather a significant stacking of collaborators over skeptics, we must observe.
If anyone mistook MS Security Manager Scott Culp's recent essay denouncing full-disclosure proponents as 'information anarchists' for some simple, earnest opinion piece, they can dispense with that illusion.
The essay was a mere shot across the bow in preparation for the real assault, which we predict will ultimately include some RIAA-like lobbying consortium to enforce Redmond's will upon the security community.
Unless, of course, the security research community has the spine to defy the Beast, an outcome we'd like to see, but which we wouldn't bet good money on. Though if anyone wants to step up and prove us wrong, we'll be the first to applaud. ®
Sponsored: Becoming a Pragmatic Security Leader