What would you do if you produced unsecured software?
Would you work to fix it and make it more secure? Or would you instead work to forbid people from discussing it? It appears that Microsoft is choosing the latter.

It's no secret that Microsoft software has taken a beating recently on the security side. It seems they cannot stop their software from being compromised: one vulnerability after another has been discovered, most of them by the blackhat community, a community that would like nothing better than to keep quiet about each new way it has found to compromise a system. Fortunately, the community also contains grayhats and whitehats. These people are quick to release the details of a vulnerability to the rest of us when they discover blackhats using it. That allows system administrators to address the issue rather than sit in the dark while the blackhats run rings around their systems through a hole only the blackhats know about. Open discussion acts as a whistleblower on the blackhat community. The major security lists are abuzz with detailed analyses of holes in software, along with workarounds to close them. Those lists have also forced companies normally reluctant to open their wallets to fix a problem to address it in a timely manner. This has saved many an administrator from waking one morning to a page saying that their customer data is all over the net. But at the same time it has focused the light on Microsoft, a light Microsoft would rather not have focused upon it.

Having its unsecured software laid bare in the press has been a real thorn in Microsoft's side, especially given how many vulnerabilities there have been in MS software. It hit particularly hard when Gartner pulled no punches and advised companies hit by Code Red and Nimda to start looking for alternatives to IIS, because there were far too many vulnerabilities in it to trust it with valuable intellectual property. This didn't make MS look too good. They had to do something, and they are doing it in typical Microsoft fashion.

Rather than work harder to fix the issues, they are focusing on the messengers: the grayhats and whitehats who tell the world about vulnerabilities the blackhats already know about and are exploiting, the people who pass along the messages that end up in the press, the people who force MS to spend time and money fixing something old when it would rather be releasing something new. Microsoft is moving to crush the messengers (see Scott Culp's recent essay, "It's Time to End Information Anarchy"). After all, that's easier than being forced to fix the problem, and a lot cheaper.

Basically, it is a good move for Microsoft, and we all know that a good move for Microsoft has always benefited everyone else in the community. It will help squash all that nasty bad press. After all, if they can force people not to discuss their weaknesses, they can hide from them. That makes those weaknesses as good as invisible; even an ostrich knows this. Of course it's right, from Microsoft's perspective, but there is a big problem for the rest of us. Blackhats will still know about the vulnerabilities, and it is blackhat nature to share them with each other in the underground and to use them while keeping it all secret from those who might patch. Now MS is going to help them. MS will make sure that anyone who learns what the blackhats are doing will no longer be able to tell the rest of us. What does this mean for administrators? It means they aren't going to know when their systems are vulnerable or how, but the bad guys sure will. It means no one running Microsoft software will be able to ensure their systems are secure. It means running Microsoft software will be like playing Russian roulette.

The end result is that you'll never know whether there is a gaping hole in your software that malicious individuals are walking through to get at your data. Microsoft won't let anyone tell you about it. But rest assured, they'll get around to fixing it on their own time, when it is deemed profitable to go back and patch old code. We all know that throwing money at patches is profitable, and because of that companies are always ready to drop everything to patch something quickly. We'll be safe because we know MS is good at this, right? Of course we will. Sleep well, Microsoft administrators.
/steve
11/03/01