Charney an Ominous Microsoft Pick
Tim Mullen, 2002-02-11

What are we to make of Microsoft tapping a former hacker prosecutor and IP lawyer for its top security spot? Nothing good.

Charney an Ominous Microsoft Pick 2002-02-11
The Real World (3 replies)
The information security community has grown out of academic circles and has entered the mainstream. However, it seems that it wants to hold on to the very academic idea that ALL information should be free-flowing with little or no restriction.

This philosophy works great in labs and universities. However, in the real world, where businesses base their existence on information, full disclosure (i.e. disclosure without allowing the vendor to publish a patch first) is reckless and irresponsible. (To all the flamers: I don't work for MS, and I don't excuse security vulnerabilities.)

The argument seems to be that by allowing full disclosure, this adds an "incentive" for the vendor to act. This back-handed attempt at extortion is no way to get a company to release a reliable patch. The recent IE-patch recall is an excellent example of this. If the group / person that discovered the vulnerability had reported to the vendor (in this case MS) the problem BEFORE posting a demonstration of the issue, more time might have been taken by MS before releasing the patch to the public.

MS has obviously had reliability problems with its patches. As someone who has worked with multiple OS vendors over the past 20 years, they are no worse (or better) than anyone else. However, given the ubiquitous nature of MS's products, they have a great responsibility to make their products secure.

In response to their pick, I would have preferred a more technical person for this post, and then hiring Charney into their legal department. Hiring a top infosec professional would have been a much better choice. I am disappointed in this new hire.

But perhaps MS will have infosec professionals reporting to him, and all will be well. Only time will tell.


Link to this comment: http://www.securityfocus.com/comments/columns/59/10464#10464
Charney an Ominous Microsoft Pick 2002-02-15
Serious_Poo
Charney an Ominous Microsoft Pick 2002-02-19
Road Rules
DRM OS and vulnerability disclosure 2002-02-11
batz (1 replies)
Charney an Ominous Microsoft Pick 2002-02-12
Richard H. Rowson (1 replies)
Charney an Ominous Microsoft Pick 2002-02-12
Anonymous
Charney the Lawyer 2002-02-12
David (1 replies)
Charney the Lawyer 2002-02-25
Name withheld by request
Charney an Ominous Microsoft Pick 2002-02-12
Esqape (1 replies)
Charney an Ominous Microsoft Pick 2002-02-15
Anonymous
Charney an Ominous Microsoft Pick 2002-02-25
Anonymous (1 replies)
Charney an Ominous Microsoft Pick 2002-02-27
Anonymous
Charney an Ominous Microsoft Pick 2002-02-27
Anonymous







 

Copyright 2007, SecurityFocus