I just read a paper on the political analysis of the Estonian Attack. If you are interested reading my post on my other blog (as the analysis is not really technical but interesting) there you go: Analysis of the Estonian Attacks

Roger

Shoaib's blog actually pointed me to a pretty interesting article called Face-Off: Is vulnerability research ethical? - Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View. Not surprisingly Bruce says "yes" and Marcus says "no". If you read through their points, you might even agree partly with each of them:

• Bruce Schneier: Yes, newly discovered vulnerabilities in software and airports put us at risk, but they also give us more realistic information about how good the security actually is. And yes, there are more and less responsible--and more and less legal--ways to handle a new vulnerability. But the bad guys are constantly searching for new vulnerabilities, and if we have any hope of securing our systems, we need the good guys to be at least as competent.
• Marcus Ranum: Trust model? What's that? The so-called vulnerability "researchers" are already sharpening their knives for the coming feast. If we were really interested in making software more secure, we'd be trying to get the software development environments to facilitate the development of safer code--fix entire categories of bugs at the point of maximum leverage.

But to me, this is the wrong question: It is not so much about security research. To me it is about two things:

• Once you find a security vulnerability, what do you do with it? Do you do responsible or irresponsible disclosure?
• And then, what does the vendor do with it? Does the company act on it? And does it provide security updates for free over the support lifecycle of a product? The following quote from Marcus scars me: The vulnerability game has given vendors a fantastic new way to lock in customers--if you stop buying maintenance and get off the upgrade hamster wheel, you're guaranteed to get reamed by some hack-robot within six months of your software getting out of date.

That's really bad if vendors make money selling security updates…

Roger

We just announced that we will add support for additional file formats in Office System 2007 SP2. Just read more on Open XML, ODF, PDF, and XPS in Office

Roger

You know that I criticize SANS from time to time. Especially when it come to their handlers, I am convinced that they are creating the problem rather than solving it.

This time I have to say that I am impressed as they are helping developing countries to help to fight Cybercrime. This is as "we are all in this together". As I say often, that we have to collaborate and build partnerships in order to fight the criminals.

Read the announcement by SANS: SANS Institute Commits $1 Million for Joint Cyber Defence Program with International Multilateral Partnership Against Cyber-Terrorism (IMPACT)

Roger    

I just read this article on Cryptography Expert Wins ACM Award for Advances in Protecting Privacy of Information Retrieval. This is really cool to see that research with do at Microsoft Research not "only" leads to advancements in our products but to public recognition as well. Well done Sergey!

Roger