Free Republic

To: Blade
You can stop right there. You don't speak for most IT professionals. Can you cite a survey or some other evidence to back up the claim that most IT professionals agree with withholding information on security problems?

Well... let's see... We have some of the big security firms pushing this like Guardent Inc., @stake Inc., Internet Security Systems Inc., BindView Corp., and Foundstone Inc. I guess none of these companies count in your little myopic view of the world, eh?

You want software companies to offer fixes with no specifics on what is being fixed? Sorry, but that's a lousy idea.

Guess you didn't understand my point. I don't have a problem with s/w companies saying that xyz component is vulnerable to an exploit. My objection is providing a step by step procedure that any script kiddie can follow to run the exploit. Heck, I don't even mind if they give them 4 out of 5 steps, as long as they withhold some aspect that won't let the kiddies compromise the system.

Again, that's Microsoft's loaded characterization. And, as usual, they have an agenda since the overwhelming majority of the problems are with their software.

Wrong again. Gartner Group stated "Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks." Please don't tell me that Gartner is a big fan of Microsoft because it won't fly.

269 posted on 11/29/2001 12:40:19 PM PST by oc-flyfish


To: oc-flyfish
This is all pretty sad. I use Windows NT on my desktop, and it has proved to be a great desktop environment. Requires a reboot every couple of days, but I can live with that. I am sitting in front of it all the time anyway, why not lean back and relax when it is rebooting, claiming back all the memory leaked out and what-not. This machine needs constant care, and is able to perform desktop duties quite reliably. A plethora of software exists to make my development more rapid and easy. Desktop environment++

But when the day is done, my deployment goes off to a UNIX server (FreeBSD, Linux, UNIX, anything but a windows based 'server'). These UNIX servers have:

-reliable remote administration
-uptime in excess of 600 days (obviously not windows servers then)
-power, scalability and very, very few exploits. Notice how happy the MS women are when _one_ UNIX-related exploit finally makes press (this software also runs on windows motards)...and this is one which can only be used when anonymous access is turned on anyway, so it doesn't pose a threat to any admin worth a damn. Compare this to the win32 exploits which have come down the pipe this year, which _all_ windows servers were vulnerable to.

I know some of the windows people on this list are happy to finally see something bad come down the pipe re a UNIX-type server, but that is because they so desperately cling to their world where clicking a next button qualifies them as being a system administrator.

Setting up enterprise level software _is_ difficult. It can be made easier by introducing WYSIWYG admin tools, and fancy GUI, but for the most part, you get what you give. And when you give next to nothing (setting up a windows server) you get next to nothing (a windows server).

Windows owns when it comes to the desktop (after all, the command line interface which dominates UNIX admin is easily emulated, so the power of UNIX is with you while you work on an OS as easy to use as a fisher price toy) but when you want a server to do its job (reliability and performance are key here [qualities usually associated with UNIX not windows for those in the know]), you need qualified administrators, not inept fools. Don't scrimp because your tech staff consists of some next-button-pressing idiots who aren't worth the paper their pay check is printed on.

Few more points worth making:

-people that know _both_ windows and UNIX agree that UNIX is the superior server.
-script-kiddies are morons
-very very few enterprise level organizations, where uptime and reliability are key, run windows server side (check www.netcraft.com for your favorite bank, government or educational institution [ or any other organization which _requires_ stability and security])

272 posted on 11/29/2001 3:40:40 PM PST by strtok14

To: oc-flyfish
The "big" security firms are as tangled up with Microsoft as everyone else, and they would also probably like to see their lives made easier too. After all, malicious attackers have been laying waste to Windows for years.

The Code Red and Nimda viruses were incapable of executing on non-Windows machines, and they caused billions of dollars worth of damage to production data. Tell me, what vulnerability that is specific to all flavors of UNIX/Linux and only to UNIX/Linux has ever caused that kind of financial pain?

This campaign against “information anarchy” isn’t about "being responsible." It's about public relations. Otherwise, why characterize anyone who disagrees with the Microsoft position as an “anarchist”? Do you advocate INFORMATION TOTALITARIANISM?

I would note that published attack scripts are not a threat to anyone running a secure OS.

Bottom line: this is about Micro$oft advancing its agenda. It is an attempt to sweep security risks under the rug, while still charging an arm and a leg for subscriptions to a technically inferior product.

273 posted on 11/29/2001 3:53:16 PM PST by Blade

To: oc-flyfish
Wrong again. Gartner Group stated "Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks."

Ho hum. You quote your experts, I’ll quote mine.

Did you miss Bruce Schneier's evaluation of this issue? He was recently quoted as saying:

"Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility. Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities. They would lie to the public and say that the vulnerabilities were 'theoretical only' or 'impractical.'"

Obviously we’re dealing with a dangerous “information anarchist” here. For those of you that don’t know Schneier’s work, you can read his bio here.

Damn anarchists. :-)

274 posted on 11/29/2001 4:08:25 PM PST by Blade



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson