New Security Group Hedges Bets And Builds Hedges
7card writes: "OK, I was just doing my morning surfing and I found this article, which may be of some interest. It looks like the world has another club of security experts with the goal of security through obscurity. Some of the members include Microsoft, Oracle, and Cisco." Reader Junin points to this CNET story as well.
Well, this is a dangerous step toward the evolution and existence of sovereign corporations.
The real problem with the concept of 'private networks of information' is that they tend to grow, especially with the impetus this one has. It's in their best interest to keep as much of the knowledge they gather classified for as long as they can. If there is the perception that this kind of limited sharing is effective and one has to pay to become a member, there will be leaps and bounds of growth to this organization. Unlike the federal government, there are no laws in place to protect average citizens from this type of secrecy.
What's even more disturbing is the kind of actions this organization will eventually take to protect its secrets. At first it will be legal actions. They will sue to prevent people from releasing important security information. Then the proliferation of 'inter-agency' controls will increase, say giving back-doors to certain law enforcement agencies into certain applications. I'm certain this already goes on to some extent, but this gives tech companies a reason for this to become common practice.
How long is it before this kind of alliance has the ability to conduct its own 'Security' raids and anti-hacker activities through its contacts in law enforcement? Not too damn long, if I'm not mistaken.
What laws are in place to keep a corporation from harassing and causing problems for an individual? Abso-fricken-lutely none. American business law is written to favor a business or corporation over an individual every single time.
Reminds me of the US raid on Tehran. The special-warfare troopers were out in the middle of the desert, in a spot so remote nobody would be there looking for them... and they got discovered by a busload of people who stumbled across the area by virtue of getting lost.
Moral of the story: security through obscurity doesn't work. It's a numbers game, a calculated risk, and the risk involved is far higher than other more proactive forms of security.
Would you be willing to do all your online banking if your bank told you, "We don't bother to encrypt your financial records or firewall our system from malicious hackers--but don't worry! All the data is kept on a URL so obscure nobody will ever come across it!"
At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.
Speaking as a cryptographic engineer, I find this amazingly hilarious.
To this utter naivete, your typical malicious attacker would respond with:
... In other words, you're being just plain silly.
What's more than this is you're also lying.
At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.
No, you make sure your site is secure by locking down ports 21 and 23 for starters (telnet and mail). I know this because I just tried to telnet into them to see if they were open. So if security-through-obscurity is so darned good, why do you need to take the additional step of locking down your ports?
The answer is: because security through obscurity is a failed policy. Always has been, always will be. Locking down ports, on the other hand, is a smart and proactive policy.
Just look at the game Quake when it came out and after the source was released. Yes there was cheating when the source was closed, but there is a lot more cheating now that the source is open. There are ways to solve the problems if the source is open, but they would have been inefficient back in the days when Quake came out. Security is a tradeoff between performance and security. The higher the security the lower the performance of the product. In most products this is not a problem, but with a game that's designed to work over a modem, performance is critical.
Let's take an example from Quake. Quake sends extra data to a user for prediction purposes, like where a user's location is even though the user is not supposed to see that person. This is so that if the user doesn't get a packet update with the other user's location in time, then the user's client side can predict where the other user will be and if he is about to pop out of a corner and be visible. Sure this data can be taken away from the user to prevent cheating, but then the performance of the game drops critically. The users have to be kept unaware that this information is available to them.
So what are some possible solutions? Well, not sending the data to the user is the best solution, but then this will decrease performance. The user's framerate and updates on what other people were doing would effectively be limited by their ping time or modem speed. What about encrypting the data? Well, somewhere on the client's machine the user has to decrypt the data and perform calculations on it, so the data is still available. How about hiding the data inside of a binary that the user does not have the source for and therefore does not know where to look for the data? This will prevent the user from finding the data while still allowing the client program access to the data, although only until the user gets smart and finds where the data is hidden. This is a tradeoff between security and performance.
So what is the ultimate security protection? Well just have keystrokes sent to a server, then have the server render an image, a "screenshot" of the game, and then send it to the users machine to be drawn. This way no information is sent to the user except for an image which only the user can interpret. Is this very secure? Yes, but the level of performance would be horribly low. Somewhere a tradeoff has to be made between what information a user is allowed to see to increase performance and what information stays hidden.
That's just my splurge of the day, wonder if it makes sense...
Isn't this like what gangs charge in "their" neighborhoods? Protection money? If we give them $5k a year, they'll give us their information. Otherwise, we're screwed, and they'll decide whether or not they wish to come forward. And, as we've seen in the past, they will only come forward if there is some benefit to them.
This quote is really the best part of the article. Does anyone -not- see the hypocrisy?
"We have to put down our differences and our competitiveness and share more if we're going to prosper together," Mr. Copeland said. "If you're going to wall yourself off and not share, then you're going to be hurting. This will be a venue and a forum where we can start to build a level of trust."
Um, aren't these companies going to wall themselves off and not share with the rest of us?
Before I begin, let me state that there is some merit to the Open Source security "process" (if you could call it that) AND there are legitimate concerns with companies merely shirking off ALL concern for security while depending 100% on so-called obscurity. That being said, I have a real issue with going from "security through obscurity" is not a cure-all, to the Open Source mantra that "security through obscurity" has absolutely no merit. A couple of key points that all too many just glaze over:
First, the only way the Open Source security philosophy really works is if people ACTUALLY (as opposed to theoretically) sit down and read the code for security flaws in its entirety. I would argue that in a great many cases, no one even approaches this level. Because the Open Source community has very little centralization of effort, there is going to be a great deal of redundancy. In other words, even if you believe that 1000 security "experts" will spend some time reviewing the code, they may well be looking at the same piece of code (which in and of itself, can be a good thing), while leaving other pieces of code largely unscrutinized. Furthermore, I suspect that very few people truly give the code the time of day.
Second, while Open Source makes it easier for white hats to find flaws, it also makes it easier for blackhats to find and exploit flaws. This is particularly relevant if, as I point out, the code is not getting the right kind of attention from white hats.
Third, Closed Source can make it HARDER and DULLER to find flaws. Many people seem to assume that just because obscure products have been cracked, there is absolutely no redeeming value to it being closed. In other words, at any given moment in time, if we could somehow have two parallel universes that would allow you to have the same piece of code (let's say the latest stable Linux kernel with all patches applied) in Open Source and Closed Source at the same time, without knowledge leaking either way, most reasonable people would prefer the Closed Source option.
Fourth, security flaws are found all the time in Open Source code projects. A lot of them are presumably stable pieces of code that have already been put into production. These systems get hacked REGULARLY. Now this isn't to say the same doesn't apply to closed source, but you can't ignore the problem either way.
Fifth, many people constantly bring up the point "well if you just patch regularly...". While I agree that everyone SHOULD do this if possible, it's not always possible, and it's frequently not economical. If there is a piece of closed source code that hasn't had any published (or suspected) security flaws in 4 years of existence, while the competing Open Source alternatives have had many (constantly forcing their admins to patch), then that's a real issue for any competent admin.
Sixth, it's entirely possible for a Closed Source company to do a full internal security audit of their code. It may not be perfect, but it's better than nothing. Although I fully realize that hardly anyone does this, it'd be a mistake to ignore this as an option. If a company can get _most_ of the (presumed) benefits of an Open Source security audit without the corresponding exposure of their source code to blackhats (or at least less "risk" of that), then that might be very good indeed.
In summation, this is not nearly as black and white as people portray it. It comes down to numbers and many other unquantifiable elements. A simple philosophy is not a one-time cure-all. For instance, as I have alluded to, if there are very few white hats reviewing the code (say 50) and those white hats are mostly replicating their own work (say 15% efficiency) while allowing any black hat with proper monetary motivation to put the effort into cracking easy-to-read source code, then you might well be worse off. The same goes the other way around: if a software company, as all too many do, rushes their product out with little to no review and depends entirely on obscurity, they might well use some routines that are well-known security problems that can be easily searched for....
The bottom line is that it is just as stupid to assume your carelessness will be automatically covered by "peer review" (or "Open Source") as it is to assume it will be covered by "obscurity".
The RSA algorithm is not an obscure algorithm; every single detail of the algorithm is in the public domain, and a staggering amount of academic scholarship (the vast majority of which is also in the public domain) is available.
If I pick 17 as one of my RSA primes, that doesn't change the algorithm. Okay, so I'm picking a stupid prime, but the algorithm is unchanged. If I pick a 300-decimal-digit prime, that doesn't change the algorithm, either.
"Security through obscurity" means "as long as I don't tell you how it works, then the system is secure".
Real security is "I'll tell you how it works, I'll tell you about all its known weaknesses, and I'll help you understand it inside and out--and it'll still work within its specified operational parameters."
In the case of RSA, part of its specified operational parameters is that the private part of the keypair is kept secret.
Where's the obscurity?
(Sidebar: cracking RSA does not rely on the private prime being obscure. For a very long time it was conjectured that breaking RSA was dependent upon factoring an extremely large composite number into two primes, but the recent attacks against PKCS1, etc., show that it's possible to stage cryptanalytic attacks against RSA that don't involve factorization.
RSA is based on three conjectures. One, that P!=NP. Two, that factorization is NP-complete. Three, that factorization is the only way to break RSA. Neither of the first two conjectures has been proven, and the third conjecture has been proven false.
That said, RSA is still a well-trusted algorithm. The non-factorization attacks are well-known and fairly easy to avoid.)
RSA keys are not purely entropic--they possess a great deal of predictability, which is why the keys are so long. For instance, if you're using a 512-bit prime, you can be assured that bits 0 and 511 are set.
If bit 0 is not set, then the number is evenly divisible by two, and it's not prime. If bit 511 is not set, then it's not a 512-bit prime (it's a 511-bit, or what-have-you).
Right there I've predicted two bits, out of 512. With more advanced mathematical techniques you can discover more properties about the binary representation of prime numbers, which helps you winnow out even more possibilities.
It's been widely conjectured that a 1024-bit RSA key is roughly commensurate to about 128 bits of entropy. Of course, distilling entropic properties of asymmetric keys is more black art than formal science, so I generally err on the side of rampant paranoia and guesstimate a 1024-bit RSA key as roughly equal to an 80-bit key. Still plenty good for most purposes, but if you're worried about major governments, 2048-bit keys are appropriate.
Moral of the story: asymmetric algorithm keys must possess a large degree of entropy to be useful, but the key itself is not one hundred percent random.
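An added example (my code, not the poster's) that checks the claim above: it generates primes the way RSA key generators do, confirms that bits 0 and 511 of a 512-bit prime are always set, and uses the prime number theorem to estimate how many bits of entropy such a prime actually carries. The function names are my own.

```python
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test: trial division by small primes, then `rounds`
    random witnesses. A composite survives one round with probability <= 1/4."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definitely composite
    return True


def random_prime(bits: int) -> int:
    """Pick a prime of exactly `bits` bits the way RSA key generators do:
    force the top bit (so the length is exact) and the low bit (so it is
    odd), then keep drawing until a candidate passes the primality test.
    Those two forced bits are the two predictable bits the post describes."""
    top, low = 1 << (bits - 1), 1
    while True:
        candidate = secrets.randbits(bits) | top | low
        if is_probable_prime(candidate):
            return candidate


def fixed_bit_positions(primes, bits):
    """Bit positions that hold the same value in every sampled prime.
    With a small sample some positions agree by chance, so only positions
    that stay fixed as the sample grows are genuinely predictable."""
    and_mask, or_mask = (1 << bits) - 1, 0
    for p in primes:
        and_mask &= p
        or_mask |= p
    always_set = [i for i in range(bits) if and_mask >> i & 1]
    always_clear = [i for i in range(bits) if not or_mask >> i & 1]
    return always_set, always_clear


def prime_entropy_bits(bits: int) -> float:
    """Entropy of a uniformly chosen `bits`-bit prime. By the prime number
    theorem there are roughly 2**(bits-1) / (bits * ln 2) such primes, so a
    random one carries log2 of that count, a little under `bits` bits."""
    return (bits - 1) - math.log2(bits * math.log(2))


if __name__ == "__main__":
    BITS = 512
    sample = [random_prime(BITS) for _ in range(16)]
    always_set, always_clear = fixed_bit_positions(sample, BITS)
    print("bits set in every sampled prime:", always_set)
    print("bits clear in every sampled prime:", always_clear)
    print(f"entropy of a random {BITS}-bit prime: "
          f"about {prime_entropy_bits(BITS):.1f} bits")
```

For 512 bits the estimate comes out near 502.5 bits, so the two structurally fixed bits are only part of the roughly nine and a half bits of predictability; the rest is the thinning-out of primes that the post's "more advanced mathematical techniques" exploit.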
> No, you make sure your site is secure by locking down ports 21 and 23 for starters (telnet and mail). I know this because I just tried to telnet into
> them to see if they were open. So if security-through-obscurity is so darned good, why do you need to take the additional step of locking down
> your ports?
Since you mention those two ports, out of curiosity, did the prompt identify the software running on those ports? (e.g., sendmail, postfix or exchange on port 23?)
Another simple step to take is to make sure that your web server always returns a 404 error if someone looks for non-existent pages. (You'd be surprised how many web servers don't do this, & cheerfully identify the software running instead.)
The reason I mention this is that I've seen it mentioned in several different places to disable self-identification of server software -- it's trivial to do for most of these applications, & it makes a cracker's job a bit more difficult.
No, if you take these measures you can't unsubscribe from your favorite security mailing list & still sleep soundly at night. These steps will only slow down the determined cracker -- maybe enough so that you can catch the miscreant in action & foil him.
Geoff
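As an added example (my code, not Geoff's and not any server product's), a small audit of a raw HTTP response for the two things recommended above: a genuine 404 for a page that does not exist, and no software version in the Server header or the error page. Both sample responses are constructed, not captured from any real host.

```python
import re

# Constructed sample responses to a request for a page that does not exist.
CHATTY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.12 (Unix) PHP/4.0.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Welcome</h1>"
    b"<address>Apache/1.3.12 Server at www.example.com</address>"
    b"</body></html>"
)

HARDENED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

# Matches product/version tokens such as "Apache/1.3.12" or "PHP/4.0.3".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_missing_page(raw: bytes) -> list:
    """Return the problems the post warns about, given the response to a
    request for a page that should not exist: a status other than 404, a
    Server header that names a version, or a version in the error page body."""
    findings = []
    status, headers, body = parse_response(raw)
    if status != 404:
        findings.append(f"missing page answered with {status} instead of 404")
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses a version: {server!r}")
    if VERSION_RE.search(body.decode("iso-8859-1", errors="replace")):
        findings.append("error page body discloses a software version")
    return findings


if __name__ == "__main__":
    for label, raw in (("chatty", CHATTY), ("hardened", HARDENED)):
        print(label, audit_missing_page(raw) or ["no findings"])
```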
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
A much better example is that I bought my house lock from Acme and Acme keeps private how the innards work, not revealing the fact they just figured out that all hairpins in the world work just fine if bent in a certain way.
It's really an unclear decision to make, whether to fully disclose every security hole or to shut up about it until the hole is fixed (or forever, whichever comes first). Both sides have some good arguments justifying their case, but it is unclear which method results in the highest security.
The point of the full disclosure folks is that once a hole is found, it will be exploited by those who know. Therefore it is necessary for everyone to be aware of these holes in order to create counter-measures aimed at closing the hole. Exposing all security hazards also has the side effect of forcing software houses to release a security patch more quickly. Since no security hole is safe from hackers, it makes no sense in trying to hide them from the public since the public (or at least the malicious) is probably already aware of it.
The other side of the coin says that security holes should not be announced for the express reason of preventing massive exploitation of them. This line of reasoning has some solid evidence behind it. *Real* hackers with the ability to find these holes are few in number, but the script kiddies with virtually no skills whatsoever are legion. It is arguable that the damage caused by a few 'in the know' is far outdone by the damage of the kiddies with their point-and-click hacking devices. Likewise, by the time the exploits are known to places like Bugtraq and the various software houses, the hole has pretty much been well exploited by the discoverers. It then seems that hiding the exploits from the general public is quite the pragmatic thing to do.
So which is it? Disclose every exploit openly or hide them until they are fixed? I don't know.
Dancin Santa
Or maybe I'm just nuts... either way, it'd be damn funny (see ironic) to see /. & co. pull this off.
Hi! This is the Sig, blatantly attached to the end of this comment.
Imagine how secure your data would be if nobody knew where it was except you - you wouldn't need any expensive safes or firewalls then.
Not unless script kiddies obtained some sort of "port scanning" software, of course.
If I know I'm being trolled, and I respond anyway, does it make me more or less of an idiot?
What will likely happen is that every bug that comes up will be seriously considered for political and economic fallout and they'll only allow the information that's relatively safe to them get out to this group. So, only the truly innocuous bugs will get dealt with and the big nasty ones will still be out there.
And you know where the nasty bugs will get discussed? Bugtraq!
I'd save my money if I was Cisco or Oracle or what have you. The only possible value in this is getting some dirty laundry on your competitors, and that's only if they're dumb enough to tell you in the first place (and if they are that dumb they'll be dead in a couple of years anyhow).
---
This sig has been temporarily disconnected or is no longer in service
I find it funny that this (mentioned in the article) was all brought about by President Clinton suggesting that the tech industry create an exclusive "members only" club like this to "promote security". (Of course, this is also the point I stopped reading. Any tech company that takes the advice of a politician....left to your imagination.)
The funny thing is that they are trying to emulate the spirit of open source while still remaining closed. They want to "share" information that could be of great help to them, but they don't want to share that information with the public at large. Something about that just strikes me wrong. Their idea is that they are protecting us (the public) and them from more debilitating attacks, but isn't this entire idea flawed? As the poster I am responding to said, security through obscurity just doesn't seem to work.
Granted, open source isn't perfect. But it seems to do the job pretty well. And apparently the businesses involved in the creation of this new "security" group are aware that an open policy can do some good. But their idea that only they (as in the special multi-national interests/corps) should have this "open" information seems kind of a deterrent to the idea of "open" information.
Opening up your information to a bunch of like-minded individuals in similar situations probably isn't going to solve underlying problems any more quickly. It's the fact that such hugely diverse people can look at the same problem from so many angles that open source projects can solve security problems quickly (when they need to). Letting in someone with a fresh and possibly completely new way of looking at something is always good for any project.
But, another way of looking at this is that they are going out of their way to adapt as many open source ideas as they can without truly admitting that open source ideas work. Maybe eventually someone there will get a clue that if opening things up amongst the companies was good, perhaps opening up further would be better. I don't really see this as a conspiracy. But I think it's kind of funny. Like one of the AC's in this thread said, they've set up their own little closed source version of the OSS community. And the AC is right, it is kind of cute, in an odd way.
------------
Yes, with the employees of Oracle (who have no time) and the employees of Microsoft (who have no time and no skills) looking for stuff that hackers already know about, things are gunna be more secure. Please.. Whilst the Cartel is sitting on discoveries so they can take their time fixing the damn things, the rest of the world is going to be doing the same thing it already does, i.e., find bugs and report them. This is just a big excuse to delay releasing patches.
How we know is more important than what we know.
My, the original link really made my eyes hurt, even with Junkbuster.
-- Stanislav Shalunov
I have to wonder, tho, if the original poster has a grudge against americanwiccan.com? Call me cynical, but I suspect something like that...
:)
No, I'll call you ragingly paranoid--which is good, that's a compliment, I like that.
At any rate, I sent off mail to the people over at Americanwicca.com, telling them that they might be the target of malicious attacks as the result of that Slashdot post. So we've given them some warning, which is about all we can do in this situation.
Good point. Even if these organizations do attempt to close ranks, it only takes one employee with access to the reports and willingness to leak them to ensure that outside parties "discover" the same holes that the club members do.
I figure if a bunch of us throw in a bit of money, Slashdot could join this exclusive club, and then we'd get access to the reports on all the unpublished, undiscovered holes and bugs that the marketroids are hiding from us.
So, I pledge $5/year for this endeavour.
Yes... in your example, in the physical world, if you can't find it you can't have it.
That's also its weakness. The main point is that there is no way that you would even know. As with most security holes in closed programs, no one knew... or really had the capability to know until that one person found it.
It may have taken a while but things like "Netscape engineers are weenies" do get found.
Let's take a look at this page:
http://www.w3.org/Consortium/Prospectus/Joining
Hmm, looks like joining W3C costs 50 grand a year for a company, nearly ten times the amount proposed by this security group. Non-profit/educational access costs $5k annually, the same price as this security group. How come nobody accuses W3C of being an "information cartel"? Simple... it's not, and neither is this group. $5k per year is nothing for a company that is interested in security issues, even a small company.
How is keeping a vulnerability secret until you've got a fix for it "security through obscurity?" There's a big difference between releasing source and releasing vulnerabilities. Releasing vulnerabilities only guarantees that they'll be exploited.
Even the mighty Linux community sometimes keeps vulnerabilities secret until a fix is released.
What makes this security through obscurity rather than good security practices?
Won't some strong virile slashbot please explain it to timid pert little me?
--Shoeboy
We should be fair, and be unbiased. There is nothing wrong with security through obscurity. It is a helpful element in any security arrangement, ever since Blackbeard buried his treasure in the Caribbean. Thanks!
I am being fair and unbiased. Security through obscurity never works.
Read a few books on cryptography, and then come back with a clue.
Somebody as naive as you should NOT be using the ship name of an AI several billion times smarter.
If Banks were dead, he would be turning over in his grave.
PS. Nice Troll.
Where's the incentive for a corporation to fix a security hole if they know that they can effectively keep knowledge of the existence of that hole a secret? Fixing problems costs money, covering something up is (usually) easier (i.e. cheaper) if you can catch the problem before knowledge of it grows out of hand.
Your point about script kiddies is well taken, however you have to admit that nothing motivates a corporation to fix a problem more than public attention on that problem.
My opinion (for whatever it's worth), is that attempting to keep knowledge of flaws in your product a secret is self-serving and unethical. At the very least, even if you don't have a fix for the problem, your customers deserve to know that the problem exists and if there is any way they can work around it. The corporations are *supposed* to be in business to serve their customers, not themselves.
--
www.scorbett.ca
... they're colluding to fix output and prices. Laws against collusion and cartels are NOT made to prevent corporations from "patting each others' backs and shunning the upcoming little guy." They're made to prevent producers from splitting the market by limiting output, creating shortages, high profits, and above-equilibrium prices (e.g. OPEC). Unless this is happening (and I doubt it is), this isn't any different from any other industry group, such as the collective of milk producers that pays for those clever "got milk?" ads.
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
From the article: "THE OVERRIDING GOAL is to protect ourselves from cyber-hazards, whether they be deliberate attempts or accidental events," said Guy Copeland of Computer Sciences Corp.
An accidental event?! I can see it now: "Whoa, what was that? Did I just overflow a buffer or something? What the fsck is that root shell doing there????"
--
This is exactly the sort of thing antitrust laws are intended to prevent: collusion among market dominators, patting each others' backs and shunning the upcoming little guy. If you're not a major conglomerate like Oracle or Microsoft (much less AT&T and others), you can't possibly break into this information cartel. Don't people understand that information is the currency of the new age?
Having a cartel like this is not only unnecessary; it's plain wrong. It simultaneously flies in the face of libertarian notions of self-help and of liberal notions of the omnipotent government who can protect citizens corporations on its own. Like so many areas of our economy, things were just fine until the corporations decided to start merging into one giant monopolistic hairball. I urge you all to write your congressmen and senators. This must be put to a stop.
Members that discover a new cyber-threat -- a new strain of virus or a break-in method that foils existing electronic defenses -- will be able to send detailed warnings to the rest of the group via e-mail, telephone, fax and pagers.
I wish I had $750,000 dollars to sink into a non-profit center so that I could email, telephone, fax and/or page my friends when something important happened.
*Sigh*
Too bad only big buisness has these capabilities. I guess I'll go feed my carrier pigeons now.
--Shoeboy
"Tech firms team up against hackers"
With the current boom in open-software products and the increased visibility to ordinary computer users, some of the Industries (monopolistic computer firms) decided to team up to be able to tackle these problems. "Linux is getting too big and these hackers are causing us way too many losses," said one OS rep (who then took a Jobs-style approach and started cursing!).....
ohhhh wait wait... stop the presses, that's the wrong story... this one's about crackers......
Non-Deterministic Finite Automata
I can see the news story now "The Information Technology Information Sharing and Analysis Center website, used to share vital security information among members including Micro$oft, Oracle, Inhell, and more, has been shutdown after it was discovered that hackers had broken into it months ago and had replaced the real security and hacker info with false information making it even easier to gain access to systems from these companies"
Top Most Bizarre/Disturbing Error Messages
Another way this is bad: we have CERTs for a reason - to deal with this kind of thing. By forming this "coalition", they're further fragmenting the system of disaster recovery. CERT.org was created some time ago just for things like this, and it doesn't cost $5k a year to get warnings. It's free.
Propaganda is the best term for this, and marketing is a close runner up. If they really want to team up and help stop attacks on computer systems, they can work with everyone else instead of creating a members-only club.
My karma's bigger than yours!
SIG: HUP
Since all the "What is CERT for?" and "Bugtraq rocks my scary little world" posts seem to have been made, I thought I would point my slashbot tendencies at the Treaty of Rome.
<SLASHBOT>
The EU will soon be *easily* the largest economy on the planet (except China. OK, Maybe India. You know what I mean). 500 million eager consumers with shedloads of cash. Enough cash to support some *very* fat lawyers. In the EU, we send our fattest, most offensive lawyers to Strasbourg, where they can do most harm.
Then we have this little thing called the Treaty of Rome, which has much the same purpose as the US Constitution, except you can't fit it on a sheet of A4, no matter how 'leet your PostScript skillz are.
Article 85 of the Treaty of Rome says some interesting things.
One of the things it explicitly forbids is arrangements to establish contractual conditions that bear no direct connection to the subject of the contract, like tie-in clauses.
Now, if global giants like Sun, Cisco, Microsoft etc. use a forum like the one they have just set up to restrain trade, you wouldn't need a lawyer to win an antitrust case against them. My blind old dog (if I had one) could win it.
</SLASHBOT>
So, there you go. If they do *anything* that pisses off the EU commission, they'll get nailed to the proverbial tree.
For those too stupid to work out how to get rich here, all you need to do is to start up a tech company that relies on one of their products in a way that directly competes with them or one of their "valued partners", wait for a security flaw to be announced, prove that they did not disclose it to *all* their customers at the same time and *BLAMMO!* a lot of fat lawyers get even fatter over a period of several years.
If I had ~50 million Euros to burn, I'd do it.
Share and enjoy.
This is another one of the disturbing security trends I've seen recently; the way some companies--and in this case several together as a group--turtle in the face of security threats.
If you ask me, there should be less reaction to this sort of thing and more action. I don't hold a lot of faith in the big companies any more. I believe in the little fellows who work on stuff like the BSDs (now -they- understand security issues).
Hell, that Interbase backdoor wasn't dealt with by Borland/Inprise, but by OSS hackers. I say bring security concerns into the light, and let some more open minds worry about things like this. As a user and developer I would like not to be left in the dark by these closed source, and closed minded, people.
Beware the Whyte Wolf.
With a gun barrel between your teeth, you speak only in vowels...
Talk about letting the rhetoric begin. You build up this big straw man and expect people to knock it down. Well OK, "poof" your straw man is blown down.
The Open Source argument is about access. It's about giving everyone (yes, even the bad guys) access to the source code. In a closed source world, the bad guys may already have access to the source code, but you certainly do not. The opportunity to find and fix things, such as security vulnerabilities (and backdoors), exists.
If you can't grasp this, then you've missed the entire point behind the free (as in speech) software movement.
The "security thru obscurity does not work" argument refers to security that depends on obscurity to succeed. If your entire security model rests on the proposition that no one must even find out how it works, then your security model fails the moment that obscurity evaporates. Which is a bad security model. Plain and simple.
This policy will only matter in the event that someone within one of these companies is the first person to discover the flaw.
Given that many flaws will be found by people outside of this group, and that it only takes one source to leak a flaw, I doubt this supposed secrecy will be very secret.
Personally, and maybe I'm off-base here, I think a more public forum - though significantly more discreet than modern media - would better suit addressing security issues than a privately vested group. I mean, great, now all the "big" tech companies are helping to cover each others asses. But who's looking out for the mid-sized companies, the small companies? Sure, we could say that the big fish are going to be targets for problems more often, but that's really narrow minded and a bit selfish.
Anyway, I'm glad to see this happen, but I would feel better knowing that they were looking out for more than just themselves. Perhaps I'm becoming more idealistic lately? I don't know. Perhaps I misread what the article was saying? Anyway, there you have it, my (our) take on things.
Looks like we missed out on some juicy patent discussions whilst we were out... damn.