Those Pesky Whistle Blowers

A TechNet article that blames the messengers, not the source, for Microsoft’s security lapses gets Auntie seeing red.

The other day, I was out shopping for some fresh plants for my greenhouse and came up just a little short of cash. Fortunately, my bank was right around the corner, so I popped in.

Now, Auntie isn’t made of money, but I thought I had a healthy little balance in my account. You can imagine my surprise when the teller told me that he couldn’t give me any money. I hollered for the manager and demanded an explanation.

“Well, heh, heh,” stammered the manager nervously. “Um, yes, you had some money in our bank, that’s true. But, you see, we made a tiny mistake. Last week, we installed a new lock on our vault. Unfortunately, we forgot to set the combination. Well, a gentleman noticed this and told us, and we were going to get around to setting the combination, but there was the office party to plan and our health insurance to review and…”

“What happened?” I interrupted impatiently. “Did he come back and steal the money?”

“Oh no,” replied the manager. “But he gave an interview to the newspapers telling everyone that our vault was unlocked! There were dozens of people opening the vault the next day, but it’s not our fault! Blame that awful man who publicized the problem!”

I stormed off, the plants remained at the nursery … and I’m switching banks to one that actually cares about the security of my funds.

What, you may wonder, does this have to do with the price of bananas in Panama? Well, I was reminded of my bank manager the other day when I happened to be poking around the Microsoft TechNet security Web site and stumbled across an essay by Scott Culp, the manager of the Microsoft Security Response Center, entitled “It’s Time to End Information Anarchy” (www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp). In it, Culp discusses some of the recent computer worms that have caused us all untold grief in our daily toil of managing our corporate servers. He then goes on to cast the blame for these problems, not on the developers who wrote buggy code or the company that released it, but on those who found and revealed the problems.

“If we can’t eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they’re found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that’s best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.”

Huh?

What Culp calls “information anarchy,” most of the security community calls “full disclosure.” Full disclosure didn’t become an accepted practice just to make the Microsofts, Suns and IBMs of the world look bad. Rather, it was in response to the simple fact that, without full disclosure, vendors had no incentive to actually fix security holes.

Microsoft is doing some good things in the security arena these days. Notably, it has devoted substantial resources to the new Strategic Technology Protection Program, which promises security fixes and step-by-step instructions in one easy-to-use CD (although it still takes three to six weeks to get a copy of the CD).

But what’s up with this “shoot the messenger” attitude? Instead of blaming someone else, how about taking some of those thousands of man-years of development we’re always hearing about and using it to fix the holes? Just a thought.

Now, if you’ll excuse me, I need to get back to my greenhouse and wade through manure of a different sort.

About the Author

Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.
