Spurned security researchers form anti-MS collective

Security researchers irked by how Microsoft responded to Google engineer Tavis Ormandy's public disclosure of a zero-day Windows XP Help Center security bug have banded together to form a group called the Microsoft Spurned Researcher Collective*. The group is forming a "union" in the belief that together they will be better …

COMMENTS

This topic is closed for new posts.
Silver badge

Good grief.

Don't like Microsoft? Don't use their product! How hard is it?

Oh, wait ... these people are making money from low hanging fruit grown by other people. The gutter press of so-called "security research". Me, I'd rather provide a secure solution and be done with it. Seems cleaner, somehow.

Thumb Up

Great

Sounds good, what is your secure solution?

Grenade

Cool! So how'd you get your refund

for your system that you were forced to take Windows with? Oh, you want us to build our own so as to avoid that? Yeah, that'll work for the first 30 or so but what about the rest of the 6000 in my company's infrastructure?

What's that you say? Change my software too? Sure. So our customers cancel our contracts because our designs are not up to spec (and won't work when they reference them); so what? We can tell our multimillion dollar customers to stop using their product right?

Ass.


lock in

It's called "lock in". Microsoft haz it. They and their coterie are also very aggressive at buying and destroying companies that might try to provide alternatives in several business domains.

As for a "secure solution" on a Microsoft platform - I think that's the problem they're trying to address.

Silver badge

@Iain McG

"Sounds good, what is your secure solution?"

A Slackware based solution customized for the desktop(s) in question, BSD on the servers, routers and firewalls. Works for me mum (near 75) & great aunt (near 95) ... and all the businesses I consult for.

Silver badge

@raving angry loony

"It's called "lock in". Microsoft haz it."

No, they do not. This is a myth. It's easy to buy bare PC-type hardware, even complete systems, for home use or in corporate bulk.

"They and their coterie are also very aggressive at buying and destroying companies that might try to provide alternatives in several business domains."

That's a whole 'nuther kettle of worms.

"As for a "secure solution" on a Microsoft platform - I think that's the problem they're trying to address."

Said solution is another myth, at least with current MS software.

Silver badge

@AC 15:08

So, 6030 staff with computers, eh? I'll bite ... With a typical four year hardware cycle, you're purchasing upwards of 1600 machines per year (planned obsolescence + unplanned attrition), and you don't have the ability to negotiate with one of many OEMs willing to produce bare-hardware systems? That's how I do it. Works fine.

As for your software, frankly the lack of planning for the future on the part of your IT department is hardly my issue. How much money, exactly, does it cost you in retraining and purchasing new software every time Microsoft rolls a major rev on Windows?

Yes, I have told multim^hbillion dollar corporations (even a couple Fortune 50s) "I don't use toy software anymore". Strangely, even without the Microsoft related work, I made more money in the first half of this year than I did in the first half of last year ... and spent fewer hours doing it!

Ass indeed.

Anonymous Coward

HAHA

>>So, 6030 staff with computers, eh? I'll bite ... With a typical four year hardware cycle, you're purchasing upwards of 1600 machines per year (planned obsolescence + unplanned attrition), and you don't have the ability to negotiate with one of many OEMs willing to produce bare-hardware systems? That's how I do it. Works fine.<<

Buddy, a few years back I worked with Tyco International. That's a multi-billion dollar company with around 200'000 staff and nearly double that in systems. Even with that much clout, the only barebones systems we could get were "greybox" systems - i.e., non-branded, non-support-contracted crap. Now Dell, HP and the others are often called crap as well, but it's crap I can get replacement parts for today when it falls over (which is rare even for Dell).

>>As for your software, frankly the lack of planning for the future on the part of your IT department is hardly my issue. How much money, exactly, does it cost you in retraining and purchasing new software every time Microsoft rolls a major rev on Windows?<<

Well, given we use SA to keep our version level wherever we want it, and SCCM to manage patches and rollouts; that value is easy to figure. Zero. Zilcho. Nada. Far less than our couple of Linux and Unix systems; which require updates more frequently than Madonna drops her pants.

>>Yes, I have told multim^hbillion dollar corporations (even a couple Fortune 50s) "I don't use toy software anymore". Strangely, even without the Microsoft related work, I made more money in the first half of this year than I did in the first half of last year ... and spent fewer hours doing it!<<

Well, good luck telling that to a company that relies on manufacturing or IC design. Better yet, let's hear about some of those companies you've chummed up to as a consultant - surely they would be a glorious example of how Microsoft lost the day.

Silver badge

@AC 14:50

"Even with that much clout, the only barebones systems we could get were "greybox" systems - i.e., non-branded, non-support-contracted crap."

::heh:: I'm not surprised ... The so-called "security" industry isn't exactly known for its vast intelligence. Trust me, you can get supported, bulk, commodity PC systems without the Microsoft Tax. I've been making a living doing exactly that for a couple-three decades.

"Well, given we use SA to keep our version level wherever we want it, and SCCM to manage patches and rollouts; that value is easy to figure. Zero. Zilcho. Nada."

Oh. I see. "Wherever you want it". Stuck in the past, eh? That'll bite you, in the long run.

"Well, good luck telling that to a company that relies on manufacturing or IC design."

Both manufacturing & IC design build their own proprietary software. I consult for several corporations who wear one or the other or both hats. None use Microsoft software anywhere that matters.

"Better yet, let's hear about some of those companies you've chummed up to as a consultant - surely they would be a glorious example of how Microsoft lost the day."

Oh. I see. You're a shill, spreading FUD. This isn't about "market share" or "earnings". This is about providing a secure solution for a given problem. Microsoft fails in the "secure" department, and succeeds remarkably in the "problem" department.

But whatever. Follow your bliss.

FAIL

FUD? Shill?

>>Oh. I see. You're a shill, spreading FUD. This isn't about "market share" or "earnings". This is about providing a secure solution for a given problem. Microsoft fails in the "secure" department, and succeeds remarkably in the "problem" department.

Actually.. to be fair.. you're sounding like a shill yourself. AC is asking for an example and in response you've called him a shill and spreader of FUD.. not something I would expect from a proud consultant dealing with multibillion dollar corps.

You got me interested now.. shill.

>>Both manufacturing & IC design build their own proprietary software. I consult for several corporations who wear one or the other or both hats. None use Microsoft software anywhere that matters.

Well, since I've worked in neither industry for a long time I can't really comment on whether they do or don't design their own. But I bet there wouldn't be companies like Agilent, Ansoft and Ansys - who charge upwards of $100k per license for engineering apps - if they did.

Seems to me you're the one spreading FUD here pal.

Silver badge

@mego

"Actually.. to be fair.. you're sounding like a shill yourself."

Where, exactly, did I advocate any particular solution in my reply to AC?

"You got me interested now.. shill."

No, thanks. I'm married :-)

"Well, since I've worked in neither industry for a long time I can't really comment on whether they do or don't design their own."

And yet you go on to comment anyway. The mind boggles.

Stop

Also

...make sure to disable the Java and .net (Silverlight and WPF) plugins. You can enable them anytime you need them again.

FAIL

Somebody call a waaaaaambulance

So what - some researchers have got their knickers in a twist because they can't be bothered to follow responsible disclosure guidelines.

Personally, when reporting a security issue, I tend to follow rain forest puppy's policy - but I might be showing my age. 5 days to fix an issue may be a little tight - depending on the issue - but rfp's policy suggests that you should refrain from publishing the issue if there are active and ongoing communications between both the originator and the maintainer.

There will always be grey areas about whether a company as large as Microsoft is actively chasing the issue down and sometimes a researcher may release the issue before a fix is ready if they feel that they are getting stonewalled. Some are more precious about it than others.

If you really feel the need to release 0 day exploits into 'the wild' then IMHO you fail as a security researcher. Especially if you seem to be motivated by a desire to cause bad publicity for your competition out of spite (Mr Ormandy).

In other words, if you are a serious practitioner of security, work with the vendor and disclose only when it is patched, when you see it in the wild and you haven't released it or the vendor appears to have stopped actively looking at the issue.

Or, to put it another way, grow up and act responsibly

And get off my lawn you damn whippersnappers!


and put down that garden gnome

gagnabbit!

*shakes fist*

FAIL

Very Interesting Article On Browser Security

This article is about the Chrome Security Architecture:

http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf

As always, MS had a good idea (process privileges and ways to remove them), but certainly they found an opportunity to botch it:

With FAT (that's what mem sticks use), it is being ignored. But would anyone have expected the Redmonders to do something right?

Paris Hilton

And we've all got really big willies too...

no message... I trust the PH angle is obvious...


Pah...

This is just being petulant - some security researchers got narked because MS, a company whose own customers asked them to switch to a once a month update cycle, didn't get a security fix out in five days after primary contact was made. This particular five days being the lead up to a "patch tuesday", so probably their busiest time of the month. The person in question released the bug just after "patch tuesday" which can only have been to either cause as much damage to MS as possible or utter ignorance of the way MS do things.

To follow this up by forming a 'we don't like MS' club is unbelievable.

Anonymous Coward

The way MS do things is the problem

in so very many ways.


Err...

Like what? In this particular case, it turned out that after the guy denied that MS had been in touch he let slip that they'd told him it would most likely be the patch tuesday after next that they released the fix. What's the problem? Many Linux distros take weeks to move fixes from unstable to stable builds.

The customers want patches released on a regular scheduled basis, rather than ad hoc as MS used to.

Pirate

What's the intent of the group, anyways?

Sidestepping the arguments above, I do have to question the reasoning of the group's name and attitude. Do they expect to be taken as a serious security group by their peers?

A name that intentionally confuses seems to be one more of parody or roguishness than of professionalism. My first thought of it was of Cult of the Dead Cow, whose acronym of CDC intentionally refers to the Center for Disease Control. With being 'spurned' in the name, do they intend to have any impression of impartialness or lack of bias? In declaring that they won't be beholden to outside pressures, how will they claim to be a part of the system?

Flaws do need to be brought to the public eye, but this requires a quality of delivery as well as content. I fear that any serious progress that this group may try to make would be undone by Microsoft simply announcing, "We do not respond to threats and intimidation by rogue hackers." Regardless of the truth of the matter, the label may stick due to how this group presents itself.


@r81miler

What's Java and .NET got to do with anything?

Flame

Java and .Net

Recently Oracle did not want to "break their patch cycle" to fix a security problem in their JWS plugin that could be used to run anything under the current user's privileges.

Eventually they did provide a hotfix, but that attitude is clearly FAIL.

.Net is from MS and their bitching and bureaucratic behaviour is as much a FAIL. Consequently, uninstall the .net stuff to remove risks from your browser.

That is what I meant to say.


Ok...

Many enterprise customers request that software companies release their fixes on a known schedule; this means that they can plan workload and don't get caught out with a fix (and therefore also an exploit) in the public domain and no staff to work on it. This is also so they don't have staff sitting round doing nothing waiting for things to happen. The companies who do this will only release out-of-cycle fixes in the most serious of cases.

As for complaining about MS' bureaucratic behaviour - this is what their enterprise customers wanted. Their enterprise customers also don't want security researchers from rival companies releasing exploits without giving MS a fair chance to fix it first.

At this point, usually people point out how Linux/FOSS would have a fix in about ten minutes - remember that those fixes are in the unstable releases and can take weeks to get fully tested and accepted into the stable release.

Stop

@Sarah

Could you please make a decision on publishing/not publishing

"Use Chrome And It's PDF viewer"

which I posted yesterday?

I would also appreciate a canned statement on why you reject a posting. Something like

[x] insulting religious feelings

[x] normal insult

[x] call for criminal action

[x] insulting a business partner of ElReg

[x] insulting Freedom Fighters That Liberate Oppressed Women

Ok, something more serious, but anyway it would be good to know why something was rejected. Thanks a lot.

(Written by Reg staff)

Re: @Sarah

Someone else quarantined it. Don't know why. Please put toys/extravagant sarcasm/sense of outrage back in pram.

Happy

@Sarah

Thanks a lot! I owe you a glass of wine.
