Those Pesky Whistle Blowers
A TechNet article that blames the messengers, not the source, for Microsoft’s security lapses gets Auntie seeing red.
The other day, I was out shopping for some fresh plants for my greenhouse
and came up just a little short of cash. Fortunately, my bank was right
around the corner, so I popped in.
Now, Auntie isn’t made of money, but I thought I had a healthy little
balance in my account. You can imagine my surprise when the teller told
me that he couldn’t give me any money. I hollered for the manager and
demanded an explanation.
“Well, heh, heh,” stammered the manager nervously. “Um, yes, you had
some money in our bank, that’s true. But, you see, we made a tiny mistake.
Last week, we installed a new lock on our vault. Unfortunately, we forgot
to set the combination. Well, a gentleman noticed this and told us, and
we were going to get around to setting the combination, but there was
the office party to plan and our health insurance to review and…”
“What happened?” I interrupted impatiently. “Did he come back and steal
“Oh no,” replied the manager. “But he gave an interview to the newspapers
telling everyone that our vault was unlocked! There were dozens of people
opening the vault the next day, but it’s not our fault! Blame that awful
man who publicized the problem!”
I stormed off, the plants remained at the nursery … and I’m switching
banks to one that actually cares about the security of my funds.
What, you may wonder, does this have to do with the price of bananas
in Panama? Well, I was reminded of my bank manager the other day when
I happened to be poking around the Microsoft TechNet security Web site
and stumbled across an essay by Scott Culp, the manager of the Microsoft
Security Response Center, entitled “It’s Time to End Information Anarchy.”
In it, Culp discusses some of the recent computer worms that have caused
us all untold grief in our daily toil of managing our corporate servers.
He then goes on to cast the blame for these problems, not on the developers
who wrote buggy code or the company that released it, but on those who
found and revealed the problems.
“If we can’t eliminate all security vulnerabilities, then it becomes
all the more critical that we handle them carefully and responsibly when
they’re found. Yet much of the security community handles them in a way
that fairly guarantees their use, by following a practice that’s best
described as information anarchy. This is the practice of deliberately
publishing explicit, step-by-step instructions for exploiting security
vulnerabilities, without regard for how the information may be used.”
What Culp calls “information anarchy,” most of the security community
calls “full disclosure.” Full disclosure didn’t become an accepted practice
just to make the Microsofts, Suns and IBMs of the world look bad. Rather,
it was in response to the simple fact that, without full disclosure, vendors
had no incentive to actually fix security holes.
Microsoft is doing some good things in the security arena these days.
Notably, it has devoted substantial resources to the new Strategic Technology
Protection Program, which promises security fixes and step-by-step instructions
in one easy-to-use CD (although it still takes three to six weeks to get
a copy of the CD).
But what’s up with this “shoot the messenger” attitude? Instead of blaming
someone else, how about taking some of those thousands of man-years of
development we’re always hearing about and using it to fix the holes?
Just a thought.
Now, if you’ll excuse me, I need to ge back to my greenhouse and wade
through manure of a different sort.
Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.