IE 5.5 & 6 script security bug
Message
12/11/2001 15:50:00
To: Dragan Nedeljkovich (Online), now officially retired, Zrenjanin, Serbia
General information
Forum: Visual FoxPro
Category: Other, Miscellaneous
Thread ID: 00580249
Message ID: 00580998
Views: 16
>>>>Did you read the history?
>>>>
>>>>http://www.solutions.fi/index.cgi/news_2001_11_09?lang=eng
>>>>
>>>>it scared me more than the bug itself.
>>>>
>>>>I'm switching to NS today.
>>>
>>>The story is really scary, and reminds me of the shark scenario - remember, in "Jaws", the local big money man who tries to suppress any information about the shark, because it would jeopardize the tourist harvest.
>>>
>>>
>>
>>Well, this is even worse:
>>
>>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp
>>
>>There is a new term: "Information Anarchy", which means that you are some kind of criminal if you tell the world about a security risk before MSFT releases a patch for it. If you read the article carefully, at the end there is a menace to those "Information Anarchists" about a possible lobby to make that a criminal act.
>
>It says "The page you're looking for has been moved or removed from the site.", and note the time between our messages. Or it won't let me read it because I'm using NS?
>Nope, found it after searching on "information anarchy", under http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/noarch.asp
>and from what I see it differs by just the camel-case spelling after url= part. Could it be the case-sensitivity comes from using a Linux server? :)
>
>I wish someone could check this: "The relationship between information anarchy and the recent spate of worms is undeniable. Every one of these worms exploited vulnerabilities for which step-by-step exploit instructions had been widely published. But the evidence is more far conclusive than that. Not only do the worms exploit the same vulnerabilities, they do so using the same techniques as were published - in some cases even going so far as to use the same file names and identical exploit code. This is not a coincidence. Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons."
>
>The point here is whether the guys who cried "wolf" when the wolf really was ready to come have actually invited the wolf or not. They seem to be accused of it, but then the author of the article only says it was proven - and I've read enough of stuff where "proven" equalled "I take it for granted and so should you", but actual digging for fact led to a different conclusion.

This is a classic case of "blaming the messenger". To listen to Microsoft, one would think that CERT, BugTraq and the rest actually create the bugs themselves. Mike, you should know that skilled crackers have excellent communication networks and will exchange newly discovered exploits among themselves at the speed of the net, regardless of whether they are reported by anyone or not. These skilled crackers are aided in their malicious work when their victims are kept ignorant of such security breaches until such time as it is convenient for a company to patch a hole or release a 'new' OS version. The longer the bug goes unpublished, the more damage is done. Script kiddies, a collection of savants whose skills often barely exceed what is necessary to follow a step-by-step recipe, constitute the flies swarming around the bullet wound on a dead animal.

Microsoft has a history of stonewalling security holes - "security through obscurity." Since their own intranet was compromised last year for nearly six weeks, and the family jewels were stolen in the process, there are several groups of Eastern bloc crackers who know where the holes are buried. They have been methodically exploiting them one by one, and no doubt will continue to do so since Microsoft is still using the same code base.

These bug announcements also occur for non-Microsoft systems, and companies writing those systems take full advantage of the reports to fix their software ASAP. It is in the community's interest to do so, regardless of what a company CEO or CTO thinks. For example, the Linux SSH hole mentioned in another report at about the same time already had patches available. Were there exploits? Sure. Were they publicized? Of course. How else can you let people know their house is on fire? (Certainly not by informing the contractor first, so he can prepare a PR report, or blame the person who shouted fire!) But by quick detection and announcement, the real damage, done by the originators of the exploit (the ones who can do the real damage and are usually malicious), is minimized. Waiting till RH or SuSE gets around to patching the hole and then making the patch available on their site or in the next release is not acceptable. The community MUST and SHOULD drive these repairs.
Nebraska Dept of Revenue