Microsoft lashes out at Googler for making Windows vulnerability public

40hz:
Who cares if Google has an excuse for kicking MS' butt?
-Paul Keith (June 12, 2010, 12:36 PM)
--- End quote ---

I do.

It's counterproductive for everyone including Google.

You can compete without getting unnecessarily rough. And you can be truly passionate and committed without indulging in the pleasures of anger and self-righteousness.

We have more than enough crusaders and dead heroes already. Ever notice how little they accomplish compared to the people who put in consistent and focused commitment and effort?

Just my tuppence.  :)  

Paul Keith:
...err I think you missed the context of that one 40hz. (It's not about competing roughly or smoothly)

It's more to point out the inanity of saying Google has no excuse this time. (which is what that section of my post was replying to)

This entire act is wrong regardless of whether Google has an excuse or not.

The fact that someone can draw a conclusion based on irrelevant drivel like Google's excuse just shows how good such articles are at confusing people with the real issues.

I didn't really get the crusaders and dead heroes bit.

40hz:
^Hi Paul!

The reason my remarks seem out of context (along with the cryptic reference to crusaders) is because I inadvertently posted that comment here when it was supposed to be going to a totally different website.

Why I quoted your line is anybody's guess. I think I started to say something but then got distracted by the discussion going on over in another forum and got confused about where I was.

Gotta stop keeping dozens of tabs open. I'm obviously not that good at it. That or confining myself to one discussion at a time. 

I'll leave it here since deleting it would only make your response to it even more confusing to the next reader.

Sorry all.  :-[

JavaJones:
Interesting 40hz how in most of your responses you focus on the reporter himself, as an individual, avoiding the Google focus that everyone else seems to have. That was my first thought too, and in fact Google and the researcher himself both claim it was an independent action:
http://www.networkworld.com/community/blog/neither-googler-nor-google-can-wash-hands-win
Not surprisingly of course, but this doesn't mean it's not true. That article tries to paint the picture that it's Google's responsibility anyway, but provides no evidence for the potential falsehood of the claim, and doesn't make a very compelling argument for why Google should be blamed.

I know I'm probably starting to sound like a Google apologist, but when you have multiple people almost literally screaming for Google's blood in this thread, I don't feel so bad. ;)

To those who think this "can't be forgiven", what exactly does that mean to you? What reaction do you suggest?

- Oshyan

Renegade:

4 days is very, very far from reasonable.

The reality of security is that Windows is more secure than most other operating systems by a very wide margin. Literally. (You can't stop idiots from getting hacked no matter what platform, so that's really not a valid complaint about Windows.)
--- End quote ---

It is a valid complaint because it is a cultural complaint in my opinion.
-Paul Keith (June 12, 2010, 08:32 AM)
--- End quote ---

We're going to have to agree to disagree on that one. I simply cannot see blaming Microsoft because some of its customers are idiots.

To me, it's like blaming Smith & Wesson because some idiot left a loaded gun out for his kid to shoot herself. (There was a recent thread on that one here.) We can't just blame the manufacturer because we're too lazy/stupid/irresponsible.

...
You could almost see it in this thread. Lots of complaints about the reporting but very little acknowledgement of the incomplete analysis and easily circumvented workaround when that is just as much a huge deal if not bigger from a security perspective and a bigger security issue considering who disclosed it.
 
As for this being Microsoft or anyone else -- that's largely irrelevant. The fact is that Google disclosed a security vulnerability without allowing the product vendor the opportunity to fix the problem. This is simply inexcusable and unforgivable. It doesn't matter whether it is Microsoft or anyone else. It is standard to give vendors a couple months to get the problem fixed and rolled out, much less disclose the vulnerability WITH EXPLOIT CODE!!!!!

Actually, I need to take something back. It isn't Google spitting in people's faces. That would be irresponsibly disclosing the vulnerability. They disclosed exploit code. No... Google pissed in everyone's face.

Again, that it was Microsoft only shows that Google is more interested in pissing in people's faces to spite its competition than in acting like a responsible, good corporate citizen.

I seriously doubt that this would happen for ACME Software Inc. because they're not any kind of threat or competition for Google.
--- End quote ---

Exactly. But look at your post now.

The details, the points, they're all correct. But instead of security, you're more interested in creating analogies of what Google's actions correlate with other rude actions.

At the end of the day, this is what the article has done and that's why I still side with Google on this. Not because it's Google but it's a long time coming and Microsoft's stance needs to be tested further by such acts.
-Paul Keith (June 12, 2010, 08:32 AM)
--- End quote ---


But the disclosure is the worse security issue. I'm not glossing over the security issue. I'm addressing the more serious security issue here. Granted, I'm also pointing out the political side of that as well. But you can't really separate the 2. They are linked. The disclosure has a motivation. They need to be in context.

There always will be bugs and exploits in software, but disclosing them in an irresponsible manner like that is the bigger issue. i.e. That there is a security issue (the Windows vulnerability) is the given. But that's not the central issue. New vulnerabilities are not security issues until they are public or actively being exploited. It's the responsibility of the security professional to disclose to the manufacturer, and not to put it out in the open. In that way, security vulnerabilities do not become issues, which is what we all want. We want the problem fixed before it becomes a problem. This guy made a non-problem into a problem. THAT is the problem here. Not the original Windows vulnerability that was not being exploited prior to his disclosure.

It's one thing to be a weapons manufacturer, but it's another thing to sell weapons to thugs, criminals, and terrorists. Which is effectively what happened here.

As for security, Microsoft (in the past few years) has done a very good job. Most companies do not patch security issues nearly as effectively as Microsoft. It's a business issue. Does the risk that an exploit poses justify the cost of patching the issue? For a lot of software authors, the answer is "no".

Having worked in the industry for some time, I've seen exploits before they've been made public and seen companies basically ignore them because the risk was small or the cost was high. It does no good to go out of business because of security costs.

The timing on this is really too much to ignore -- Google just got rid of Windows because of "security", and now this? Hogwash. It's a deliberate attempt to discredit Microsoft and Windows. There is no "lone gunman" here. That's rubbish. But that's the political side of irresponsible security.
