Barney's Blog

Doug's Mailbag: Google's Whistle Blowing Too Loud?

Was it wrong for Google to publicly broadcast a Microsoft security hole? Here's what some of you think:

It was irresponsible for Google to tell people how to exploit the hole (if that is indeed what they did). It is also irresponsible for Microsoft to let a high vulnerability stand once they knew about it (if that is indeed what they did).

As I recall, the last time an XP vulnerability surfaced, you had to be on the local machine to exploit it. If this is the vulnerability to which you refer, it is not much of one if it cannot be exploited without sitting at the keyboard.

That said, Microsoft announced the upcoming retirement of Windows XP in 2007 after releasing Windows Vista. Users demanded that they extend the lifetime of XP. Microsoft responded with Windows XP SP3 and announced a retirement date for XP SP3 for April 2014. More likely than not, XP and SP4 will ship shortly before that date.

Since then Vista SP1, SP2 and (a much improved) Windows 7 have shipped. Users have had three years to prepare for the transition to the NT 6.x kernel.

There reaches a point at which it is unrealistic to expect Microsoft to continue to support Windows XP. If users are too lazy or too cheap to upgrade a nine-year-old OS, I just don't feel very sorry for them.

If Microsoft knew about this flaw all along and did not fix it then I think they are almost criminally negligent and should be made to refund the cost of the software, as well as any costs associated with any damage caused by the flaw.

I applaud Google for exposing it so that it would be fixed. That this exposure has caused hackers to exploit the flaw should not surprise anyone.

It appears that the fellow who exposed the flaw was working with a group of his peers within Google. Unless they are working totally off-the-clock and with NO Google resources (even a copy of a compiler or a notebook controlled by the company) I would qualify this as a Google-sponsored issue.

If that's the case and there is any damage done by hackers, I would go after Google because they allowed the programmer to go public with the information in a reckless way. Also, the employee should also be blamed because he is putting many people at risk.

I'm sure that Google would love to embarrass Microsoft any way they can, but putting thousands of people at risk in the process is corporate irresponsibility.

Google is encouraging criminal behavior. Could it be prosecuted for conspiracy?

Flaws should NOT be advertised so that hackers may exploit them. The owner of the software or platform should be notified so that they may fix it. Even if they do not, it is better not to tell the world that it exists. If you do tell, every hacker around the world can take a stab at it, if they so desire.

Sounds like Google wanted Microsoft to take a hit over this. I trust Google less than I trust Microsoft.

I am one of those that think that all hackers should be taken out back and SHOT in the head.

Hacking should be a major felony, along with identity theft -- 10 years in federal prison, minimum.

I've been the recipient of these attacks.

Google should have told Microsoft about the problem with a phone call (not over the Internet).

Thanks Google. Stupid...

Share your thoughts with the editors of this newsletter! Write to [email protected]. Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).

Posted by Doug Barney on June 23, 2010