Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Blade
Commercial entities tend to favor withholding, hiding and suppressing information--assuming they can get away with doing so. The Open Source community tends to favor the opposite.

In the article you quote, Microsoft is arguing that security companies shouldn't provide a step-by-step instruction manual on how to exploit a new bug. I and most other IT professionals agree.

It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch. There is no need to provide script kiddies with an instruction manual.

264 posted on 11/29/2001 5:34:54 AM PST by oc-flyfish


To: oc-flyfish
Ah come on... no one wants to play anymore on this thread?
265 posted on 11/29/2001 7:52:33 AM PST by oc-flyfish

To: oc-flyfish
shouldn't provide a step-by-step instruction manual on how to exploit a new bug.

That's Microsoft's characterization. Not everyone agrees that's what security companies are doing.

I and most other IT professionals agree.

You can stop right there. You don't speak for most IT professionals. Can you cite a survey or some other evidence to back up the claim that most IT professionals agree with withholding information on security problems?

It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch.

You want software companies to offer fixes with no specifics on what is being fixed? Sorry, but that's a lousy idea.

There is no need to provide script kiddies with an instruction manual.

Again, that's Microsoft's loaded characterization. And, as usual, they have an agenda since the overwhelming majority of the problems are with their software.

Microsoft. You gotta love 'em. Up till now, the only ones in favor of withholding information on security problems have been the malicious hackers. Go figure.

268 posted on 11/29/2001 10:34:31 AM PST by Blade

To: oc-flyfish; Blade; Bush2000; innocentbystander
In the article you quote, Microsoft is arguing that security companies shouldn't provide a step-by-step instruction manual on how to exploit a new bug. I and most other IT professionals agree.

It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch. There is no need to provide script kiddies with an instruction manual.

I get the sense that the self-described "open source" advocates-cum-"supporters of information anarchy" paint a picture of a binary world: their side preaches "openness", and damns the other side, which it accuses of "security by obscurity".

In reality, there's a third option, which they refuse to consider. It's detailed quite nicely in that article.

Let's use a "door" metaphor. The "open" folks deride the more prudent homeowners, accusing them of "trying to make their homes secure by hiding the doorknob instead of buying a lock." Yet, they themselves continue to experience one break-in after another.

Along comes a little boy, who was driven out of his last hometown after he pointed out that the emperor was naked. He looks at the situation, and tells the "open" people that he knows what their problem is.

Before he can say anything else the Head Open Guy pipes up and says "Look, kid -- we've got the best locks available, and we're constantly making them better. And because we're Open, we encourage others to work on the locks too, so that lock technology can evolve at an even faster pace. We fully document everything, so that they can get up to speed quickly."

The kid shakes his head, looks the HOG in the eye, and asks, "Are you done now?"

The HOG says, "fine, say whatever you want to say, but make it snappy; we've got a bunch of people in the next town that are getting hit really hard, and we've got to get an improved lock to them pronto!"

The kid says, "This won't take long. The problem with your locks is simple -- no matter how secure you make them, you persist in displaying picking directions on each one of 'em! You might as well not even bother having locks in the first place, because you're giving the thieves a blueprint to defeat them."

At this, the HOG shook his head, muttered an obscenity beneath his breath, and shot the kid.

287 posted on 11/29/2001 10:53:13 PM PST by Don Joe

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson