Welcome to long-time reader Dave who wrote to Doug for the first time last week and commented on various topics (join in by writing Doug at [email protected]):
I have been reading your work for 5-6 years now, and always look forward to each installment. I am a first-time commenter as a result of the revelation that whenever you ask for opinions, you just might really want to hear them!
First, the silly: In your Friday's Redmond Report, you wrote that you, "wondered aloud how long it would take to exploit [the HPC flaw details released by Google]." How can we confirm this? We can't hear you when you type!
Now, the main "take" that your column asked for: I am not a hard-core gear head. I've been working in IT since 1996, have a handful of certifications and have just completed the bachelor's degree I first started after high school in 1985 (so, I do read with great interest the postings about salary vs. education). The comments on the Web site seem to cover most any angle I could bring up, but there are a couple that seem to have a particular ring to them.
Chris from Lake Mary, Fla. wrote that, "it [isn't] irresponsible to tell hackers how they attach [sic] our software. This is just the way it is." He explains that Microsoft releases details as part of releasing patches. He goes on to cite the SQL Slammer worm as an example of the impact of unapplied patches. I think this is close to Google's actions: They combined announcing a flaw with announcing a workaround. However, it isn't Google's product. They certainly have the "right" to suggest how people react to a flaw -- irrespective of by whom it was made public -- but I feel it may be over some imaginary line to (potentially) scare people into using their quick fix. Google essentially said, "There's this really serious problem with Windows -- you gotta do [this] to keep your computers safe." I may be in the dark on this, but how much testing did Google do on their workaround before telling people it would work? Is it at all possible that their method would open a computer to some other attack vector, or unduly limit functionality?
I agree with Dan from Iowa that it's, "not [Google's] job to dictate how fast Microsoft responds with a fix." I further agree with the point that their actions blur the color of the hats -- white or black. It's certainly a leap -- and I am absolutely NOT suggesting that it is the case -- to couple Dan's comment about who are the "Bad Guys" with the comment by Esteban Gronzy from Tucson, Ariz. that Google just happens to be a competitor -- direct competitor in many markets. Again, I'm not spouting off about a "vast, electronic-age conspiracy" (or, hope I'm not), but just how coincidental is it that Google releases details of a flaw in a Microsoft product just as Bing vs. Google vs. Google Apps vs. Office vs. Azure vs. Chrome vs. Android vs. Win Mobile 7...are all really starting to heat up? Again, I utterly disavow any inference that "A" follows "B", but the timing seems to be a marketing department's dream come true (from Google's point of view).
Lastly, Keith from Bel Air, Md. asks, "But what does Google owe Microsoft?" I believe the answer is, "Absolutely nothing beyond legal business interaction." But perhaps a more fitting question would be, "But what does Google owe the multiple tens of millions of Windows users affected by this flaw?" Here, I believe the case could readily be made that "silence is golden."
Thanks for your time, especially if you made it this far! Thanks, too, for churning out the top-quality materials I've come to expect from all things Doug-related. Please let me know if you would (really) like future comments -- especially if you would really like them to be shorter!! Keep doing what you do.
-Dave