Killing the Messenger

All of us, at some point in our lives, have blamed someone else for a mistake we made. But in the end, we realized what we did was wrong.

Microsoft's security team apparently has no such instinct to own up to its sins. Scott Culp, manager of Microsoft's Security Response Center — notice Microsoft has no proactive "prevention center" — recently posted an essay on Microsoft's TechNet in which he blasts the security community for giving away too much information on how to crack through Microsoft's software. The essay, titled "It's Time to End Information Anarchy," argues that full disclosure of vulnerabilities isn't necessary. Security firms, he says, can just whisper the problems to Microsoft, which will promptly patch the hole.

Bruce Schneier, chief technology officer of Counterpane Internet Security, says that won't happen. Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility, Schneier says. "Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities," he explains. "They would lie to the public and say that the vulnerabilities were theoretical only or impractical."

Other security types defend Microsoft. Vincent Weafer, senior director of Symantec's security response division, fully agrees with Culp's essay. "As a security company, our role is to improve software and let people know about vulnerabilities, but keep the balance by not giving away too much information," Weafer says.

Microsoft says it is trying to work more closely with security firms to cut vulnerabilities in its software and patch the holes before they're noticed.

There's something else going on here, though. Notice the words Culp has carefully selected in the title of his report: information anarchy. The only people in a free society who worry about anarchy are those in power. Are we supposed to believe that Microsoft is concerned about keeping security problems secret for the benefit of its customers?

What gets I-managers irritated is reading the never-ending reports on the latest vulnerability in Microsoft's Swiss cheese software. In fact, as I-managers have expressed to me, it gets downright frustrating to hear Microsoft blame systems administrators for not installing shoddy patches on its shoddy software and, therefore, getting blasted with the next worm.

As Microsoft ramps up .Net, its most ambitious plan to rule the Internet, most I-managers are troubled by what they've always been anxious about: Microsoft's notorious and well-earned reputation for poor security.