Replies

Wrong again. Gartner Group stated "Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks."

Ho hum. You quote your experts, I’ll quote mine.

Did you miss Bruce Schneier's evaluation of this issue? He as was recently quoted as saying:

Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility. Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities. They would lie to the public and say that the vulnerabilities were 'theoretical only' or 'impractical.'"

Obviously we’re dealing with a dangerous “information anarchist" here. For those of you that don’t know Scheiner’s work, you can read his bio here.

Damn anarchists. :-)

I actually have a great deal of respect for Bruce Schneier. One of the reasons is his "Applied Cryptography" books, which sit on my bookshelf. Another is that he is a security purist without an apparent axe to grind. To some degree, his comments about Microsoft DO reflect the Microsoft of the past: arrogant, security-through-obfuscation, and often ignorant of security issues. HOWEVER, I have to tell you ... I have quite a few friends who still work with Microsoft and they tell me that security has been made a top priority within the organization -- particularly in light of Nimda/CodeRed, etc. A few years ago, reliability was the top priority for MS. Now, it's security. And just as they improved the reliability of Windows, I have no doubt that they will fix most of the security issues that continue to hound them. Granted, nobody can ensure bulletproof security. But I think they are taking steps as an organization which will be positive for the industry. One thing that will definitely help is that a big portion of MS server-side codebase is moving to managed code. This will greatly reduce the incidence of buffer-overruns, IMO.