At this Microsoft.com page one Scott Culp, advertised to us as the "Manager of the Microsoft
Security Response Center", exhorts people to stop publishing
information on computer security vulnerabilities. Culp's rant is a transparently self-serving and dishonest attempt to
shift the onus for epidemics like Code Red, Lion, and NIMDA away from
where it belongs, which is squarely on Microsoft's shoddy architecture
and negligent engineering.Culp is certainly right that no software will ever be perfectly secure
-- but we know it's possible to do a great deal better, before and
after the fact, than either Microsoft's operating-system design group
or Mr. Culp's bumbling bunch of Keystone Kops has ever managed.
Open-source developers are not frightened of what Culp calls
"information anarchy". That's because we have confidence (a
confidence justified by the track record of Linux, the BSD operating
systems, and Apache) that our security holes will be infrequent, the
compromises they cause will be relatively minor, and fixes will be
rapidly developed and deployed.
And we're not getting passed over by crackers because we have fewer
sites, either. Apache runs two thirds of the Web servers in the
world. When was the last time you heard about an Apache remote
compromise? There are many fewer IIS websites -- and yet they are
constantly getting cracked. Because they're soft targets.
Ultimately, this is because the `security' in IIS and Windows is
incompetently designed, and its source code has never been subjected
to independent peer review.
Cryptographers and security experts have known for years that peer
review of open source code is the only reliable way to verify the
effectiveness of encryption systems and other security software. So
Microsoft's closed-source mode of development guarantees that
customers will continue getting cracked and Microsoft will continue
pointing the finger of blame everywhere except where it actually
belongs. (In Microsoft-speak, this sort of thing is called
What Culp is really saying is that he doesn't believe Microsoft will ever get
its act sufficiently together for Windows or IIS to survive in a high-threat
environment, so Microsoft wants to blame someone else for the problem.
Here's what I have to say to Mr. Culp: "If you can't stand the heat,
get out of the kitchen. And if your OS can't stand an environment
where attack tools are instantly disseminated, you don't belong in the
Think of it as evolution in action...