Those Pesky Whistle Blowers

A TechNet article that blames the messengers, not the source, for Microsoft’s security lapses gets Auntie seeing red.

The other day, I was out shopping for some fresh plants for my greenhouse and came up just a little short of cash. Fortunately, my bank was right around the corner, so I popped in.

Now, Auntie isn’t made of money, but I thought I had a healthy little balance in my account. You can imagine my surprise when the teller told me that he couldn’t give me any money. I hollered for the manager and demanded an explanation.

“Well, heh, heh,” stammered the manager nervously. “Um, yes, you had some money in our bank, that’s true. But, you see, we made a tiny mistake. Last week, we installed a new lock on our vault. Unfortunately, we forgot to set the combination. Well, a gentleman noticed this and told us, and we were going to get around to setting the combination, but there was the office party to plan and our health insurance to review and…”

“What happened?” I interrupted impatiently. “Did he come back and steal the money?”

“Oh no,” replied the manager. “But he gave an interview to the newspapers telling everyone that our vault was unlocked! There were dozens of people opening the vault the next day, but it’s not our fault! Blame that awful man who publicized the problem!”

I stormed off, the plants remained at the nursery … and I’m switching banks to one that actually cares about the security of my funds.

What, you may wonder, does this have to do with the price of bananas in Panama? Well, I was reminded of my bank manager the other day when I happened to be poking around the Microsoft TechNet security Web site and stumbled across an essay by Scott Culp, the manager of the Microsoft Security Response Center, entitled “It’s Time to End Information Anarchy” (technet/treeview/default.asp?url=/technet/columns/security/noarch.asp). In it, Culp discusses some of the recent computer worms that have caused us all untold grief in our daily toil of managing our corporate servers. He then goes on to cast the blame for these problems, not on the developers who wrote buggy code or the company that released it, but on those who found and revealed the problems.

“If we can’t eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they’re found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that’s best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.”


What Culp calls “information anarchy,” most of the security community calls “full disclosure.” Full disclosure didn’t become an accepted practice just to make the Microsofts, Suns and IBMs of the world look bad. Rather, it was in response to the simple fact that, without full disclosure, vendors had no incentive to actually fix security holes.

Microsoft is doing some good things in the security arena these days. Notably, it has devoted substantial resources to the new Strategic Technology Protection Program, which promises security fixes and step-by-step instructions in one easy-to-use CD (although it still takes three to six weeks to get a copy of the CD).

But what’s up with this “shoot the messenger” attitude? Instead of blaming someone else, how about taking some of those thousands of man-years of development we’re always hearing about and using it to fix the holes? Just a thought.

Now, if you’ll excuse me, I need to get back to my greenhouse and wade through manure of a different sort.

About the Author

Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.
