Those Pesky Whistle Blowers

A TechNet article that blames the messengers, not the source, for Microsoft’s security lapses gets Auntie seeing red.

The other day, I was out shopping for some fresh plants for my greenhouse and came up just a little short of cash. Fortunately, my bank was right around the corner, so I popped in.

Now, Auntie isn’t made of money, but I thought I had a healthy little balance in my account. You can imagine my surprise when the teller told me that he couldn’t give me any money. I hollered for the manager and demanded an explanation.

“Well, heh, heh,” stammered the manager nervously. “Um, yes, you had some money in our bank, that’s true. But, you see, we made a tiny mistake. Last week, we installed a new lock on our vault. Unfortunately, we forgot to set the combination. Well, a gentleman noticed this and told us, and we were going to get around to setting the combination, but there was the office party to plan and our health insurance to review and…”

“What happened?” I interrupted impatiently. “Did he come back and steal the money?”

“Oh no,” replied the manager. “But he gave an interview to the newspapers telling everyone that our vault was unlocked! There were dozens of people opening the vault the next day, but it’s not our fault! Blame that awful man who publicized the problem!”

I stormed off, the plants remained at the nursery … and I’m switching banks to one that actually cares about the security of my funds.

What, you may wonder, does this have to do with the price of bananas in Panama? Well, I was reminded of my bank manager the other day when I happened to be poking around the Microsoft TechNet security Web site and stumbled across an essay by Scott Culp, the manager of the Microsoft Security Response Center, entitled “It’s Time to End Information Anarchy” (www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp). In it, Culp discusses some of the recent computer worms that have caused us all untold grief in our daily toil of managing our corporate servers. He then goes on to cast the blame for these problems, not on the developers who wrote buggy code or the company that released it, but on those who found and revealed the problems.

“If we can’t eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they’re found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that’s best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.”

Huh?

What Culp calls “information anarchy,” most of the security community calls “full disclosure.” Full disclosure didn’t become an accepted practice just to make the Microsofts, Suns and IBMs of the world look bad. Rather, it was in response to the simple fact that, without full disclosure, vendors had no incentive to actually fix security holes.

Microsoft is doing some good things in the security arena these days. Notably, it has devoted substantial resources to the new Strategic Technology Protection Program, which promises security fixes and step-by-step instructions in one easy-to-use CD (although it still takes three to six weeks to get a copy of the CD).

But what’s up with this “shoot the messenger” attitude? Instead of blaming someone else, how about taking some of those thousands of man-years of development we’re always hearing about and using it to fix the holes? Just a thought.

Now, if you’ll excuse me, I need to get back to my greenhouse and wade through manure of a different sort.

About the Author

Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.
