A bag without a cat
"Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. . . . The people who wrote them have been rightly condemned as criminals. But they needed help to devastate our networks. And we in the security community gave it to them. . . . It's time the security community stopped providing blueprints for building these weapons . . . We can and should discuss security vulnerabilities, but we should be smart, prudent and responsible in the way we do it."
- From "It's Time to End Information Anarchy" by Scott Culp of Microsoft
The above extract is from a story posted on Microsoft's TechNet. The point that Culp, who is manager of the Microsoft Security Response Center, is apparently trying to make is that the computer industry needs to be more circumspect about how and when it discusses the vulnerabilities of various operating systems.
Culp argues that "much of the security community handles [security vulnerabilities] in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used."
Culp argues that some malicious code is so obviously based on the published analysis of worms that it is "simply indefensible for the security community to continue arming cybercriminals."
Culp's solution is a vague proposal that security professionals should handle information about threats "responsibly." Considering how many security problems have been generated by Microsoft operating systems, a cynical mind might conclude that Culp - and Microsoft by extension - would prefer that if you find anything amiss you keep it to yourself. In other words, after you've told the owner of the software (such as Microsoft) you should leave them to generate a fix without getting a lot of IT people worried and bent out of shape over the issue.
While, at first blush, this may sound reasonable, it does suppose that the company addresses the problem thoroughly and in a timely manner.
This is, of course, wildly optimistic.
The problem is that whenever a fault is found with something and someone with a vested interest in that something is involved in the dissemination of information about the problem, there will be a powerful tendency to maintain those interests and minimize potentially negative consequences. In short, when things go wrong, people and organizations tend to act so as to minimize damage.
Microsoft's past responses to serious security snafus show that when these problems arise there's no guarantee the company will behave responsibly and in the best interests of end users.
Culp's thinking is a wonderful example of Microsoft's alarming and pernicious tendency toward a heady mix of fascism and totalitarianism: "We know best. We'll handle this, and don't you worry your pretty little heads over it until we tell you to."
Unfortunately, when it comes to problems that affect millions of people and thousands of businesses, there is no substitute for knowledge, even if Microsoft chooses not to act on it. And the idea that some group of self-appointed and self-interested experts should control the flow of information is laughable. Particularly if the world's largest software vendor is at the helm.
Culp, information of any kind on the 'Net is anarchic, and the more we talk about our problems the stronger we are. Conversely, the more secretive we are, the weaker our responses become. By all means let us avoid sensationalizing these problems, but the cat got out of the bag years ago. And it will never get back in. Ever.
Escape stories to nwcolumn@gibbs.com.
RELATED LINKS
Gibbs is a man of many opinions, none of which he hesitates to share. Reach him at nwcolumn@gibbs.com