Lets Be Civil About Responsibility

Opinion: Public discussion of badly flawed code moves users toward better choices.

With all due respect to the righteous indignation of my colleague Larry Seltzer, I can see a number of issues that one might take with his vehement condemnation of security researcher Michal Zalewski and his disclosure of a possible vulnerability in Internet Explorer.

Ill start by agreeing with Larry that Zalewski misuses the label of "civil disobedience."

That phrase has a specific meaning: the knowing violation of an unjust law in the expectation of being punished under that law, but with the further expectation of triggering popular support for a change to that law.

I dont see how that applies here at all. No law was violated, and Zalewski places nothing at risk but his reputation—which if anything, I believe he expects to enhance with all this publicity.

Microsoft cant even threaten action for the tort (that is, the civil rather than criminal offense) of defamation, since truth is what the lawyers call "a complete defense" against such claims.

No one, so far as I can tell, disputes the truth of Zalewskis statements.

I also appreciate Larrys restraint in not accusing Zalewski of reckless scaremongering, instead going out of his way to acknowledge that "Zalewski is...much more reasonable in his evaluation of the severity of the vulnerability than some outside agencies."

/zimages/3/84833.gifZiff Davis Media eSeminars invite: Join this eSeminar at 12:30 p.m. ET on May 3 and learn the real risks and implications of vulnerabilities to your business.

Larry goes on to note that "Many crashes like this turn out to be exploitable, but not all of them do, and some are only exploitable with great difficulty. In other words, this may turn out to be nothing more than a way for a Web page to crash your browser."

Ill emphasize, though, that this is therefore hardly in the same league as releasing exploit code with a comment block labeled "Insert malicious payload here."

As Larry warms to his topic, though, he lets loose with "Theres no conceivable value to the public in him disclosing publicly with no advance notice to the vendor. With a serious bug, this is on par with leaving gasoline and matches around and pointing out that there are flammable buildings about."

I dont agree with that, for one simple reason. Its expensive to move to a neighborhood where the building codes are more stringent about fire safety and where theres vigorous enforcement of those codes by civilian volunteers.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The digital world is different: Downloading Firefox takes just a few minutes, and its free.

Larrys final statement is that "The best we can hope from it is not changes in Microsofts behavior, but that his bad example will deter others from doing the same."

Again, I disagree. The best we can hope to see from this is that a few more percent of the user base will reach their tipping point of lost confidence in the integrity of the browser theyre using, and that theyll switch to a browser with a better (though none are perfect) security record and take additional precautions such as not surfing the Web from administratively enabled accounts.

As Larry said, "its users who matter." On that, at least, Larry and I have always agreed.

Peter Coffee can be reached at peter_coffee@ziffdavis.com.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.