« Corporations reject .Net runtime because of security fears | Main | David Temkin's Laszlo Systems leverages proprietary Flash player »
Microsoft hoards bad-Web site info for its own profit
Listen to Leo LaPorte talk with Steve Gibson about "how Microsoft's 'HoneyMonkey' system works, how it finds malicious web sites before they find you, and what Microsoft is doing (and NOT doing) with this valuable security information it is now collecting."
It's shameful that Microsoft is putting profit before helping to create a more secure Internet. Leo and Steve praise Microsoft for telling us about HoneyMonkey in the first place; but in that action I see much more marketing than altruism.
Technorati tags: security, HoneyMonkey
Posted on September 15, 2005 at 06:50 PM | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83453afad69e200d8348cc35669e2
Listed below are links to weblogs that reference Microsoft hoards bad-Web site info for its own profit:
Comments
I'm sorry, but that's complete crap.
We published a research paper on it. We told everyone exactly how to do this for themselves. And Steve Gibson says very clearly that this is not hard to do. That BETTER than giving out the data, which would become stale and obsolete faster than it could be published.
HoneyMonkey is a lead generation tool -- it tells you that when you visit a site, something got installed. It doesn't tell you HOW it got installed -- the researchers, working with the security folks at Microsoft, have to do a whole lot more work to figure that out, and it takes a long time. It would be irresponsible to give out data unless it was thoroughly vetted. Imagine the outcry (and lawsuits) if Microsoft falsely accused someone of using browser vulnerabilities to install spyware or malware.
Gibson's pretty levelheaded about the whole thing, but Leo just trashes Microsoft and the whole project (even the name) just for sport and to create controversy where there is none.
So give the researcher,and the Microsoft security folks, some credit for being responsible citizens and for contributing a very detailed research paper to the open research community. They're doing the right thing.
Full disclosure: I work for Microsoft Research.
Posted by: Kevin Schofield at Sep 15, 2005 9:45:45 PM
Neither I, Leo or Steve asked Microsoft to simply publish the list of discovered malicious Web sites.
How about sharing certain information with Google, Yahoo and a few other big, legitimate search engines? I think that was the sort of gesture Leo and Steve were expecting.
Posted by: Scott Mace at Sep 15, 2005 10:26:43 PM
I repeat: we did even better. We told them how to do it for themselves, so they're not reliant on us for anything, most importantly for the quality and timeliness of the information. In six months' time (probably less) the information the researcher has now will be worthless. The ability to run your own Honeymonkey system will still be very valuable, as will the fresh information that it generates for them.
You also need to keep in mind that the honeymonkey system isn't crawling the entire Web. For that matter, neither is Google, Yahoo, nor MSN Search. But honeymonkey crawls a far, far smaller area that is carefully chosen (see the research paper). I'm sure others would like to crawl a different set that is more relevant to their business.
Posted by: Kevin Schofield at Sep 16, 2005 11:38:31 PM
