Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Bush2000
Bottom line: this is about Micro$oft advancing its agenda. It is an attempt to sweep security risks under the rug, while still charging an arm and a leg for subscriptions to a technically inferior product.

This, I have to disagree with. I believe it's reasonable to call for a code of ethics among security researchers under which exploits are not described in so much detail that malicious script-kiddies can take advantage of them. There is definitely a dividing line between legitimate research and promoting mischief. A lot of the security research that has gone on with Windows seems to be focused on embarrassing Microsoft at the expense of customers. That's wrong. Exploiting customers because you hate MS isn't sufficient justification. There has to be a healthy medium between absolute disclosure and customer interests. If you are honest with yourself, you will agree. Software politics and ideology should be checked at the door on this issue.
276 posted on 11/29/2001 4:35:26 PM PST by Bush2000


To: Bush2000
Both of your posts were reasonable, and I can subscribe to most of what you wrote, with one exception:
A lot of the security research that has gone on with Windows seems to be focused on embarrassing Microsoft at the expense of customers. That's wrong. Exploiting customers because you hate MS isn't sufficient justification.

What is your main argument or evidence for this claim? I am skeptical that someone carried out security research that damaged real people just to embarrass Microsoft. This isn't an attempt to bait you, just curiosity.

277 posted on 11/29/2001 7:07:48 PM PST by Blade

To: Bush2000
I believe it's reasonable to call for a code of ethics among security researchers under which exploits are not described in so much detail that malicious script-kiddies can take advantage of them.

Indeed, in some cases this line is clear while in others it's not. And sometimes (albeit rarely) even when it is clear there may be legitimate reasons to cross it and let the chips fall where they may.

An example of the latter type of judgement, albeit in a different venue, was Newsweek's publication of the answers for a current college entrance exam. Newsweek's reporters had found that there were [illegitimate] copies of the exam floating around in some circles and suggested to the testing firm that they should replace the test, but the firm refused. By releasing the answers, Newsweek made the test 'obviously' worthless (whereas before it would have been 'deniably' worthless, since there was bound to be an unknown and unmeasurable amount of cheating). Good call IMHO, even though the testing firm argued in court (IIRC) that the published copies of the answers could serve no purpose except to help people cheat [actually, they did the reverse, since the testing firm changed the test, thus preventing those who'd bought copies from cheating].

278 posted on 11/29/2001 8:04:11 PM PST by supercat

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson