[ISN] Czar sets out security stall

From: InfoSec News (isnat_private)
Date: Fri Mar 01 2002 - 02:10:48 PST


    By Paul Allen [27-02-2002]
    Microsoft chief UK security officer speaks exclusively to Network News
    The man charged with leading Microsoft's efforts to secure its
    software has vowed to put the interests of enterprises above the
    company's consumer customers.
    Stuart Okin was appointed last week to the newly created post of UK
    chief security officer. His role is to bring together the raft of
    security initiatives sparked by Bill Gates's promise to clean up the
    company's act on security.
    Microsoft CTO Craig Mundie recently said that reaching a trusted state
    with security, reliability and privacy could take up to 10 years. "I
    support that for consumers, but for enterprises we need to do it as
    quickly as possible," said Okin.
    He would not commit to a specific timescale, but said the company was
    in consultation with customers and developer forums to ascertain the
    key short-term goals.
    Okin said it was difficult to gauge the company's progress. "We can't
    just go to vulnerability tracking sites to judge whether we're being
    effective. If we find more vulnerabilities it could be an indication
    we're doing well, providing they're fixed quickly."
    Okin renewed Microsoft's attack on those who publish the details of
    vulnerabilities as soon as they are discovered.
    "It is irresponsible for any finder to issue details until a patch is
    available. It's like leaving home, leaving the door open and
    announcing it with a megaphone," he said.
    But Deri Jones, security services director at NTA Monitor, said that
    published vulnerabilities gave suppliers an incentive to get things
    done faster, and that network managers had a right to know.
    "Honesty and openness mean things get fixed," he said. "If Microsoft
    and other vendors fixed vulnerabilities in a timely fashion, then that
    argument would hold water.
    "If you don't publish the information, then sysadmins don't have the
    choice to turn off a feature. It goes round the hacker community fast
    enough, and network managers should be able to make an informed

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 05:26:19 PST