Page Two

By Dennis Fisher  |  Posted 2002-12-23

"It's high time the security community stopped providing blueprints for building these [worms and viruses]. And it's high time computer users insisted that the security community live up to its obligation to protect them," Culp wrote in the article. "We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it. If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used."
The paper drew strong reactions from people on both sides of the debate, with some researchers dismissing it as self-serving rhetoric designed to scare people away from looking for flaws in Microsoft products. Still, many in the security community say Culp made the most of a difficult, often thankless job.
"Probably the most sensible thing Microsoft has done recently on the security front is to convince Scott Culp to move over to the relatively new group known as the Trustworthy Computing Initiative. Scott has a rare combination of skills for the security world; he's not a programmer, and he is able to speak to people without making them hate him," said Russ Cooper, surgeon general of TruSecure Corp., in Herndon, Va., and moderator of the NTBugTraq mailing list, who has often been at odds with Culp on security issues. "Combined, Scott has been very effective at gaining consensus within Microsoft on how to better handle security issues when they arise, and over the past four years has been very influential in effecting changes to the mindsets of product managers—making them appreciate the value of doing this correctly. In his new position Scott will, hopefully, have more time and status to effect further changes. Now if we can only get him to go after those folks in Windows Update more fervently."

