In the February issue of Crypto-Gram, a monthly security newsletter, my occasional collaborator Bruce Schneier makes a number of excellent points about both Microsoft's and Oracle's approaches to security, and soundly lambasts both companies' apparent attitude of spin over substance.
THE PROBLEM with making security a marketing topic is that the marketers will make an effort to control the conversation, and that serves no one. It does us, as customers of software and hardware products, a great disservice, since the real issues become clouded by double-talk. It also undermines the efforts of the people within Microsoft and other software makers who are trying to do the right thing.
Take last week's big pronouncement that Microsoft's new Visual C++.Net compiler had a security flaw within the stack-guarding feature, which was explicitly designed to enhance software security and reliability. At face value, it looked like Microsoft experienced yet another software security failure, at a particularly embarrassing time, no less.
In a carefully crafted rebuttal sent to BugTraq, a well-regarded mailing list that tracks security problems, a Microsoft compiler engineer highlights the downside of letting marketers hog the conversation: expectation management.
IF COMPANIES tout their products' security as a competitive advantage, they (understandably) prefer to avoid having to document instances where the vaunted security isn't quite up to snuff. This approach deliberately creates unrealistically high expectations among these companies' customers, and will inevitably lead to disappointment, and the occasional round of gloating among those unaffected by a newly discovered vulnerability.
There's no replacement for good methodology when writing software. And that's the valid point that the Microsoft engineer makes. The feature appears to function as documented, but it's not any kind of silver security bullet.
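To make that point concrete, here is a small constructed C model, added here and not code from the column, from Microsoft or from the compiler itself, of what a stack-guarding feature does and does not do. The frame layout, the guard constant and the return-address value are all assumptions chosen for illustration: a guard word sits between a local buffer and the saved return address, and the check runs when the function would return. An unchecked copy that overruns the buffer is reported, but only after the frame has already been corrupted; a length-checked copy (the "good methodology") never corrupts anything, so there is nothing for the guard to catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a guarded stack frame (not the real compiler layout):
 * a fixed-size local buffer, a guard word placed after it, and the saved
 * return address the guard is meant to protect. */
typedef struct {
    char buf[16];
    uint32_t guard;
    uint32_t saved_return;
} Frame;

#define GUARD_VALUE     0xA5C3E1F7u   /* stands in for a per-process random cookie */
#define ORIGINAL_RETURN 0x00401000u   /* constructed placeholder address */

static void frame_init(Frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
    f->saved_return = ORIGINAL_RETURN;
}

/* The epilogue check: nonzero if the guard word is still what we stored. */
static int guard_intact(const Frame *f) {
    return f->guard == GUARD_VALUE;
}

/* The defect the guard exists to catch: copying input into buf without
 * checking its length. Writes are clamped to the Frame object so the model
 * itself stays well-defined C. */
static void unchecked_copy(Frame *f, const unsigned char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f + offsetof(Frame, buf), src, len);
}

/* Good methodology: the copy is bounded by the buffer, so no overrun occurs. */
static void checked_copy(Frame *f, const unsigned char *src, size_t len) {
    if (len > sizeof f->buf) len = sizeof f->buf;
    memcpy(f->buf, src, len);
}

/* Returns 1 when the guard reports the overrun. Also shows that the guard is
 * a detector, not a preventer: by the time the check fires, saved_return has
 * already been overwritten. */
int guard_detects_contiguous_overrun(void) {
    Frame f;
    unsigned char input[sizeof(Frame)];      /* constructed oversized input */
    frame_init(&f);
    memset(input, 'x', sizeof input);
    unchecked_copy(&f, input, sizeof input);
    return !guard_intact(&f) && f.saved_return != ORIGINAL_RETURN;
}

/* Returns 1 when a bounded copy leaves both the guard and the return slot
 * untouched, i.e. the guard never had to do anything. */
int bounds_check_prevents_overrun(void) {
    Frame f;
    unsigned char input[sizeof(Frame)];
    frame_init(&f);
    memset(input, 'x', sizeof input);
    checked_copy(&f, input, sizeof input);
    return guard_intact(&f) && f.saved_return == ORIGINAL_RETURN;
}

int main(void) {
    printf("guard fires after an unchecked copy: %d\n", guard_detects_contiguous_overrun());
    printf("bounded copy leaves frame intact:    %d\n", bounds_check_prevents_overrun());
    return 0;
}
```

The useful lesson is the ordering: the guard can only report damage that has already been done to the frame, which is why it is a last line of defense rather than a substitute for bounds checking in the code itself.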
By publicizing Gates's memo, Microsoft has painted an extra large, brightly colored bull's-eye on itself when it comes to security issues. For the time being, Microsoft will have little choice but to take criticism, rebut it when it's unfounded, but also accept it when the vulnerability is real.
WITH THAT IN MIND, here's a little free advice to the security spin controllers in the industry: Euphemism and newspeak, artful though their skilled application can sometimes be, have no place in discourse about security.
In Microsoft's case, if there's one way to further undermine the sincerity of the Trustworthy Computing memo, it's by continuing to downplay the importance of vulnerabilities the way it has in the past and by using apocalyptic language--such as "information anarchy," a term used in a recent diatribe by the head of Microsoft's Security Response Center--in an attempt to discredit the free exchange of security information.
Neither Microsoft, nor Oracle, nor even Network Associates can--or should--be allowed to take over this conversation. If their products have flaws, we deserve to know about them before they can put our systems at risk.