Those Pesky Whistle Blowers

A TechNet article that blames the messengers, not the source, for Microsoft’s security lapses gets Auntie seeing red.

The other day, I was out shopping for some fresh plants for my greenhouse and came up just a little short of cash. Fortunately, my bank was right around the corner, so I popped in.

Now, Auntie isn’t made of money, but I thought I had a healthy little balance in my account. You can imagine my surprise when the teller told me that he couldn’t give me any money. I hollered for the manager and demanded an explanation.

“Well, heh, heh,” stammered the manager nervously. “Um, yes, you had some money in our bank, that’s true. But, you see, we made a tiny mistake. Last week, we installed a new lock on our vault. Unfortunately, we forgot to set the combination. Well, a gentleman noticed this and told us, and we were going to get around to setting the combination, but there was the office party to plan and our health insurance to review and…”

“What happened?” I interrupted impatiently. “Did he come back and steal the money?”

“Oh no,” replied the manager. “But he gave an interview to the newspapers telling everyone that our vault was unlocked! There were dozens of people opening the vault the next day, but it’s not our fault! Blame that awful man who publicized the problem!”

I stormed off, the plants remained at the nursery … and I’m switching banks to one that actually cares about the security of my funds.

What, you may wonder, does this have to do with the price of bananas in Panama? Well, I was reminded of my bank manager the other day when I happened to be poking around the Microsoft TechNet security Web site and stumbled across an essay by Scott Culp, the manager of the Microsoft Security Response Center, entitled “It’s Time to End Information Anarchy” (technet/treeview/default.asp?url=/technet/columns/security/noarch.asp). In it, Culp discusses some of the recent computer worms that have caused us all untold grief in our daily toil of managing our corporate servers. He then goes on to cast the blame for these problems, not on the developers who wrote buggy code or the company that released it, but on those who found and revealed the problems.

“If we can’t eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they’re found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that’s best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.”
What Culp calls “information anarchy,” most of the security community calls “full disclosure.” Full disclosure didn’t become an accepted practice just to make the Microsofts, Suns and IBMs of the world look bad. Rather, it was in response to the simple fact that, without full disclosure, vendors had no incentive to actually fix security holes.

Microsoft is doing some good things in the security arena these days. Notably, it has devoted substantial resources to the new Strategic Technology Protection Program, which promises security fixes and step-by-step instructions in one easy-to-use CD (although it still takes three to six weeks to get a copy of the CD).

But what’s up with this “shoot the messenger” attitude? Instead of blaming someone else, how about taking some of those thousands of man-years of development we’re always hearing about and using it to fix the holes? Just a thought.

Now, if you’ll excuse me, I need to get back to my greenhouse and wade through manure of a different sort.

About the Author

Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.

Reader Comments:

Thu, Feb 14, 2002 Anonymous Anonymous

Get a life

Mon, Feb 4, 2002 just me Anonymous

Oh so accurate!

Fri, Jan 11, 2002 ex mcse Anonymous

I spent a week patching all of our servers for Nimda and Code Red. Now whenever we have a mission critical server role we format the drive and install linux on it (DNS, File server, Web Server, email server, firewall, proxy server, databases, etc.). I have enough work to do already besides fixing the Microsoft "security bug of the week." XP appears to be more of the same except you have to buy more RAM too. Open Source = A, Microsoft = F

Sun, Jan 6, 2002 SeanS Alexandria

Responsibility for one's actions is a requirement for trust. If Microsoft can't stand the heat of disclosure, they should fix their security holes while programming. v1 should NOT mean BETA.

Mon, Dec 31, 2001 Jim M US-NC

I liked the analogy a lot, even if I was confused at first. But I think if MSFT provided feedback to people who send them security questions and answers they may not be inclined to publish them. And then they MIGHT get a head start.