Spurned security researchers form anti-MS collective

Security researchers irked by how Microsoft responded to Google engineer Tavis Ormandy's public disclosure of a zero-day Windows XP Help Center security bug have banded together to form a group called the Microsoft Spurned Researcher Collective*. The group is forming a "union" in the belief that together they will be better …

COMMENTS

This topic is closed for new posts.
  1. jake Silver badge

    Good grief.

    Don't like Microsoft? Don't use their product! How hard is it?

    Oh, wait ... these people are making money from low hanging fruit grown by other people. The gutter press of so-called "security research". Me, I'd rather provide a secure solution and be done with it. Seems cleaner, somehow.

    1. Iain McG
      Thumb Up

      Great

      Sounds good, what is your secure solution?

      1. jake Silver badge

        @Iain McG

        "Sounds good, what is your secure solution?"

A Slackware based solution customized for the desktop(s) in question, BSD on the servers, routers and firewalls. Works for me mum (near 75) & great aunt (near 95) ... and all the businesses I consult for.

    2. Anonymous Coward
      Grenade

      Cool! So how'd you get your refund

      for your system that you were forced to take Windows with? Oh, you want us to build our own so as to avoid that? Yeah, that'll work for the first 30 or so but what about the rest of the 6000 in my company's infrastructure?

      What's that you say? Change my software too? Sure. So our customers cancel our contracts because our designs are not up to spec (and won't work when they reference them); so what? We can tell our multimillion dollar customers to stop using their product right?

      Ass.

      1. jake Silver badge

        @AC 15:08

        So, 6030 staff with computers, eh? I'll bite ... With a typical four year hardware cycle, you're purchasing upwards of 1600 machines per year (planned obsolescence + unplanned attrition), and you don't have the ability to negotiate with one of many OEMs willing to produce bare-hardware systems? That's how I do it. Works fine.

        As for your software, frankly the lack of planning for the future on the part of your IT department is hardly my issue. How much money, exactly, does it cost you in retraining and purchasing new software every time Microsoft rolls a major rev on Windows?

        Yes, I have told multim^hbillion dollar corporations (even a couple Fortune 50s) "I don't use toy software anymore". Strangely, even without the Microsoft related work, I made more money in the first half of this year than I did in the first half of last year ... and spent fewer hours doing it!

        Ass indeed.

          1. Anonymous Coward

          HAHA

          >>So, 6030 staff with computers, eh? I'll bite ... With a typical four year hardware cycle, you're purchasing upwards of 1600 machines per year (planned obsolescence + unplanned attrition), and you don't have the ability to negotiate with one of many OEMs willing to produce bare-hardware systems? That's how I do it. Works fine.<<

          Buddy, a few years back I worked with Tyco International. That's a multi-billion dollar company with around 200'000 staff and nearly double that in systems. Even with that much clout, the only barebones systems we could get were "greybox" systems - IE, non-branded, non-support-contracted crap. Now Dell, HP and the others are often called crap as well, but it's crap I can get replacement parts for today when it falls over (which is rare even for Dell).

          >>As for your software, frankly the lack of planning for the future on the part of your IT department is hardly my issue. How much money, exactly, does it cost you in retraining and purchasing new software every time Microsoft rolls a major rev on Windows?<<

          Well, given we use SA to keep our version level wherever we want it, and SCCM to manage patches and rollouts; that value is easy to figure. Zero. Zilcho. Nada. Far less than our couple of Linux and Unix systems; which require updates more frequently than Madonna drops her pants.

          >>Yes, I have told multim^hbillion dollar corporations (even a couple Fortune 50s) "I don't use toy software anymore". Strangely, even without the Microsoft related work, I made more money in the first half of this year than I did in the first half of last year ... and spent fewer hours doing it!<<

          Well, good luck telling that to a company that relies on manufacturing or IC design. Better yet, let's hear about some of those companies you've chummed up to as a consultant - surely they would be a glorious example of how Microsoft lost the day.

          1. jake Silver badge

            @AC 14:50

            "Even with that much clout, the only barebones systems we could get were "greybox" systems - IE, non-branded, non-support-contracted crap."

            ::heh:: I'm not surprised ... The so-called "security" industry isn't exactly known for its vast intelligence. Trust me, you can get supported, bulk, commodity PC systems without the Microsoft Tax. I've been making a living doing exactly that for a couple-three decades.

            "Well, given we use SA to keep our version level wherever we want it, and SCCM to manage patches and rollouts; that value is easy to figure. Zero. Zilcho. Nada."

            Oh. I see. "Wherever you want it". Stuck in the past, eh? That'll bite you, in the long run.

            "Well, good luck telling that to a company that relies of manufacturing or IC design."

            Both manufacturing & IC design build their own proprietary software. I consult for several corporations who wear one or the other or both hats. None use Microsoft software anywhere that matters.

            "Better yet, lets hear about some of those companies you've chummed up to as a consultant - surely they would be a glorious example of how Microsoft lost the day."

            Oh. I see. You're a shill, spreading FUD. This isn't about "market share" or "earnings". This is about providing a secure solution for a given problem. Microsoft fails in the "secure" department, and succeeds remarkably in the "problem" department.

            But whatever. Follow your bliss.

            1. mego
              FAIL

              FUD? Shill?

              >>Oh. I see. You're a shill, spreading FUD. This isn't about "market share" or "earnings". This is about providing a secure solution for a given problem. Microsoft fails in the "secure" department, and succeeds remarkably in the "problem" department.

              Actually.. to be fair.. you're sounding like a shill yourself. AC is asking for an example and in response you've called him a shill and spreader of FUD.. not something I would expect from a proud consultant dealing with multibillion dollar corps.

              You got me interested now.. shill.

              >>Both manufacturing & IC design build their own proprietary software. I consult for several corporations who wear one or the other or both hats. None use Microsoft software anywhere that matters.

              Well, since I've worked in neither industry for a long time I can't really comment on whether they do or don't design their own. But I bet there wouldn't be companies like Agilent, Ansoft and Ansys - who charge upwards of $100k per license for engineering apps - if they did.

              Seems to me you're the one spreading FUD here pal.

              1. jake Silver badge

                @mego

                "Actually.. to be fair.. you're sounding like a shill yourself."

                Where, exactly, did I advocate any particular solution in my reply to AC?

                "You got me interested now.. shill."

                No, thanks. I'm married :-)

                "Well, since I've worked in neither industries for a long time I can't really comment on whether they do or don't design their own."

                And yet you go on to comment anyway. The mind boggles.

    3. raving angry loony

      lock in

      It's called "lock in". Microsoft haz it. They and their coterie are also very aggressive at buying and destroying companies that might try to provide alternatives in several business domains.

      As for a "secure solution" on a Microsoft platform - I think that's the problem they're trying to address.

      1. jake Silver badge

        @raving angry loony

        "It's called "lock in". Microsoft haz it."

        No, they do not. This is a myth. It's easy to buy bare PC-type hardware, even complete systems, for home use or in corporate bulk.

        "They and their coterie are also very aggressive at buying and destroying companies that might try to provide alternatives in several business domains."

        That's a whole 'nuther kettle of worms.

        "As for a "secure solution" on a Microsoft platform - I think that's the problem they're trying to address."

        Said solution is another myth, at least with current MS software.

  2. Anonymous Coward
    Stop

    Also

    ...make sure to disable the Java and .net (Silverlight and WPF) plugins. You can enable them anytime you need them again.

  3. Anonymous Coward
    FAIL

    Somebody call a waaaaaambulance

    So what - some researchers have got their knickers in a twist because they can't be bothered to follow responsible disclosure guidelines.

    Personally, when reporting a security issue, I tend to follow rain forest puppy's policy - but I might be showing my age. 5 days to fix an issue may be a little tight - depending on the issue - but rfp's policy suggests that you should refrain from publishing the issue if there are active and ongoing communications between both the originator and the maintainer.

    There will always be grey areas about whether a company as large as Microsoft is actively chasing the issue down and sometimes a researcher may release the issue before a fix is ready if they feel that they are getting stonewalled. Some are more precious about it than others.

    If you really feel the need to release 0 day exploits into 'the wild' then IMHO you fail as a security researcher. Especially if you seem to be motivated by a desire to cause bad publicity for your competition out of spite (Mr Ormandy).

    In other words, if you are a serious practitioner of security, work with the vendor and disclose only when it is patched, when you see it in the wild and you haven't released it or the vendor appears to have stopped actively looking at the issue.

    Or, to put it another way, grow up and act responsibly.

    And get off my lawn you damn whippersnappers!

    1. Doshu

      and put down that garden gnome

      gagnabbit!

      *shakes fist*

  4. Anonymous Coward
    FAIL

    Very Interesting Article On Browser Security

    This article is about the Chrome Security Architecture:

    http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf

    As always, MS had a good idea (process privileges and ways to remove them), but certainly they found an opportunity to botch it:

    With FAT (that's what mem sticks use), it is being ignored. But would anyone have expected the Redmonders to do something right ?

  5. Anonymous Coward
    Paris Hilton

    And we've all got really big willies too...

    no message... I trust the PH angle is obvious...

  6. Anonymous Coward

    Pah...

    This is just being petulant - some security researchers got narked because MS, a company whose own customers asked them to switch to a once a month update cycle, didn't get a security fix out in five days after primary contact was made. This particular five days being the lead up to a "patch tuesday", so probably their busiest time of the month. The person in question released the bug just after "patch tuesday" which can only have been to either cause as much damage to MS as possible or utter ignorance of the way MS do things.

    To follow this up by forming a 'we don't like MS' club is unbelievable.

    1. Anonymous Coward

      The way MS do things is the problem

      in so very many ways.

      1. Anonymous Coward

        Err...

        Like what? In this particular case, it turned out that after the guy denied that MS had been in touch he let slip that they'd told him it would most likely be the patch tuesday after next that they released the fix. What's the problem? Many linux distros take weeks to move fixes from unstable to stable builds.

        The customers want patches released on a regular scheduled basis, rather than ad hoc as MS used to.

  7. Blain Hamon
    Pirate

    What's the intent of the group, anyways?

    Sidestepping the arguments above, I do have to question the reasoning of the group's name and attitude. Do they expect to be taken as a serious security group by their peers?

    A name that intentionally confuses seems to be one more of parody or roguishness than of professionalism. My first thought of it was of Cult of the Dead Cow, whose acronym of CDC intentionally refers to the Center for Disease Control. With being 'spurned' in the name, do they intend to have any impression of impartialness or lack of bias? In declaring that they won't be beholden to outside pressures, how will they claim to be a part of the system?

    Flaws do need to be brought to the public eye, but this requires a quality of delivery as well as content. I fear that any serious progress that this group may try to make would be undone by Microsoft simply announcing, "We do not respond to threats and intimidation by rogue hackers." Regardless of the truth of the matter, the label may stick due to how this group presents itself.

  8. GazElm

    @r81miler

    What's Java and .NET got to do with anything?

    1. Anonymous Coward
      Flame

      Java and .Net

      Recently Oracle would not want to "break their patch cycle" to fix a security problem in their JWS plugin that could be used to run anything under the current user's privileges.

      Eventually they did provide a hotfix, but that attitude is clearly FAIL.

      .Net is from MS and their bitching and bureaucratic behaviour is as much a FAIL. Consequentially, deinstall the .net stuff to remove risks from your browser.

      That is what I meant to say.

      1. Anonymous Coward

        Ok...

        Many enterprise customers request that software companies release their fixes on a known schedule; this means that they can plan workload and don't get caught out with a fix (and therefore also an exploit) in the public domain and no staff to work on it. This is also so they don't have staff sitting round doing nothing waiting for things to happen. The companies who do this will only release out-of-cycle fixes in the most serious of cases.

        As for complaining about MS' bureaucratic behaviour - this is what their enterprise customers wanted. Their enterprise customers also don't want security researchers from rival companies releasing exploits without giving MS a fair chance to fix it first.

        At this point, usually people point out how Linux/FOSS would have a fix in about ten minutes - remember that those fixes are in the unstable releases and can take weeks to get fully tested and accepted into the stable release.

  9. Anonymous Coward
    Stop

    @Sarah

    Could you please make a decision on publishing/not publishing

    "Use Chrome And It's PDF viewer"

    which I posted yesterday ?

    I would also appreciate a canned statement on why you reject a posting. Something like

    [x] insulting religious feelings

    [x] normal insult

    [x] call for criminal action

    [x] insulting a business partner of ElReg

    [x] insulting Freedom Fighters That Liberate Oppressed Women

    Ok, something more serious, but anyway it would be good to know why something was rejected. Thanks a lot.

    1. Sarah Bee (Written by Reg staff)

      Re: @Sarah

      Someone else quarantined it. Don't know why. Please put toys/extravagant sarcasm/sense of outrage back in pram.

      1. Anonymous Coward
        Happy

        @Sarah

        Thanks a lot! I owe you a glass of wine.
