Lets Be Civil About Responsibility

 
 
By Peter Coffee  |  Posted 2006-04-27 Email Print this article Print
 
 
 
 
 
 
 

Opinion: Public discussion of badly flawed code moves users toward better choices.

With all due respect to the righteous indignation of my colleague Larry Seltzer, I can see a number of issues that one might take with his vehement condemnation of security researcher Michal Zalewski and his disclosure of a possible vulnerability in Internet Explorer. Ill start by agreeing with Larry that Zalewski misuses the label of "civil disobedience." That phrase has a specific meaning: the knowing violation of an unjust law in the expectation of being punished under that law, but with the further expectation of triggering popular support for a change to that law.
I dont see how that applies here at all. No law was violated, and Zalewski places nothing at risk but his reputation—which if anything, I believe he expects to enhance with all this publicity. Microsoft cant even threaten action for the tort (that is, the civil rather than criminal offense) of defamation, since truth is what the lawyers call "a complete defense" against such claims. No one, so far as I can tell, disputes the truth of Zalewskis statements.
I also appreciate Larrys restraint in not accusing Zalewski of reckless scaremongering, instead going out of his way to acknowledge that "Zalewski is...much more reasonable in his evaluation of the severity of the vulnerability than some outside agencies." Ziff Davis Media eSeminars invite: Join this eSeminar at 12:30 p.m. ET on May 3 and learn the real risks and implications of vulnerabilities to your business. Larry goes on to note that "Many crashes like this turn out to be exploitable, but not all of them do, and some are only exploitable with great difficulty. In other words, this may turn out to be nothing more than a way for a Web page to crash your browser." Ill emphasize, though, that this is therefore hardly in the same league as releasing exploit code with a comment block labeled "Insert malicious payload here." As Larry warms to his topic, though, he lets loose with "Theres no conceivable value to the public in him disclosing publicly with no advance notice to the vendor. With a serious bug, this is on par with leaving gasoline and matches around and pointing out that there are flammable buildings about." I dont agree with that, for one simple reason. Its expensive to move to a neighborhood where the building codes are more stringent about fire safety and where theres vigorous enforcement of those codes by civilian volunteers. For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. The digital world is different: Downloading Firefox takes just a few minutes, and its free. Larrys final statement is that "The best we can hope from it is not changes in Microsofts behavior, but that his bad example will deter others from doing the same." Again, I disagree. The best we can hope to see from this is that a few more percent of the user base will reach their tipping point of lost confidence in the integrity of the browser theyre using, and that theyll switch to a browser with a better (though none are perfect) security record and take additional precautions such as not surfing the Web from administratively enabled accounts. As Larry said, "its users who matter." On that, at least, Larry and I have always agreed. Peter Coffee can be reached at peter_coffee@ziffdavis.com. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel