Wed, Nov 21, 2001 - Page 19

Skeptics distrust software giant's secrecy on bugs

The increasing need for computer security has brought to the surface disagreements over the disclosure of information about the nightmare of protecting Microsoft's systems


By the early 1990s, "you could literally break into every single computer on the Internet ... because security wasn't taken seriously," Levy said.

So researchers began publicizing flaws they discovered -- and releasing detailed information, including in some cases tools that could be used to exploit the flaw, so companies could not dismiss the findings as theoretical or inaccurate.

Now Microsoft's Culp believes the pendulum has swung too far, creating what he calls "information anarchy." A proposal developed at Trusted Computing calls for researchers to be careful "not to disclose details that can be directly used to exploit the vulnerability." If a software vendor fails to fix a problem within 30 days, more details could be disseminated. Many bugs are fixed well within 30 days.

"We're not saying full disclosure goes away -- we're saying, is there a responsible way to provide this information, to minimize its ability to be a hacker tool?" said Chris Klaus, founder of Atlanta-based Internet Security Systems Inc, which is pushing for the new standard.

Klaus dismissed the claim that Microsoft just wants to cover up its bug problems, and said those who want to publicize vulnerabilities are interested mainly in attracting attention to themselves.

"Our priority is to help the customer, and I think this thing solves that," Klaus said.

"Whether it helps or hurts Microsoft is not the intention of the security group."
