Brian Ploskina asks, are we really supposed to believe that Microsoft is concerned about keeping security problems secret for the benefit of its customers?
COMMENTARY--All of us, at some point in our lives, have blamed someone else for a mistake we made. But in the end, we realized what we did was wrong.
Microsoft's security team apparently has no such instinct to own up to its sins. Scott Culp, manager of Microsoft's Security Response Center--notice Microsoft has no proactive "prevention center"--recently posted an essay on Microsoft's TechNet in which he blasts the security community for giving away too much information on how to crack through Microsoft's software. The essay, titled It's Time to End Information Anarchy, argues that full disclosure of vulnerabilities isn't necessary. Security firms, he says, can just whisper the problems to Microsoft, which will promptly patch the hole.
Bruce Schneier, chief technology officer of Counterpane Internet Security, says that won't happen. Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility, Schneier says. "Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities," he explains. "They would lie to the public and say that the vulnerabilities were 'theoretical only' or 'impractical.' "
Other security types defend Microsoft. Vincent Weafer, senior director of Symantec's security response division, fully agrees with Culp's essay. "As a security company, our role is to improve software and let people know about vulnerabilities, but keep the balance by not to giving away too much information," Weafer says.
Microsoft says it is trying to work more closely with security firms to cut vulnerabilities in its software and patch the holes before they're noticed.
There's something else going on here, though. Notice the words Culp has carefully selected in the title of his report: information anarchy. The only people in a free society who worry about anarchy are those in power. Are we supposed to believe that Microsoft is concerned about keeping security problems secret for the benefit of its customers?
What gets I-managers irritated is reading the never-ending reports on the latest vulnerability in Microsoft's Swiss cheese software. In fact, as I-managers have expressed to me, it gets downright frustrating to hear Microsoft blame systems administrators for not installing shoddy patches on its shoddy software and, therefore, getting blasted with the next worm.
As Microsoft ramps up .Net, its most ambitious plan to rule the Internet, most I-managers are troubled by what they've always been anxious about: Microsoft's notorious and well-earned reputation for poor security.