Killing the Messenger
All of us, at some point in our lives, have blamed someone else for a mistake we made. But in the end, we realized what we did was wrong. Microsoft's security team apparently has no such instinct to own up to its sins. Scott Culp, manager of Microsoft's Security Response Center (notice Microsoft has no proactive "prevention center"), recently posted an essay on Microsoft's TechNet in which he blasts the security community for giving away too much information on how to crack through Microsoft's software. The essay, titled "It's Time to End Information Anarchy," argues that full disclosure of vulnerabilities isn't necessary. Security firms, he says, can just whisper the problems to Microsoft, which will promptly patch the hole.
Bruce Schneier, chief technology officer of Counterpane Internet Security, says that won't happen. Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility, Schneier says. "Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities," he explains. "They would lie to the public and say that the vulnerabilities were theoretical only or impractical."