Culpability

Week of October 25, 2001

One more ante-up.

Scott Culp has had a hard time of it of late. Security big wig for the 100 million burgers sold Microsoft Empire, he's had to watch as his inept servants have churned out vulnerability after vulnerability. In a corporate climate where nerdy inadepts have to go to their departmental heads to get approval to add more new kewl features and bells and whistles to already shaky software instead of getting the bugs and bloat out of what already is, a climate which will never ever ever be capable of providing satisfactory server side software despite Gartner's somewhat lukewarm hopes, he's seen his company's products torn to bits by scourges such as ILOVEYOU, AnnaK, SirCam, Code Red and Nimda. Microsoft's status among the true industry professionals, never close to the stratosphere exactly, has reached an all-time low. No doubt pressure was brought to bear on Scott, and Scott has reacted by, among other things, writing a long and laborious diatribe against what he calls information anarchy.

Surely it is obvious that the little men with the dyed blue hair wearing titles like Chief Security Surgeon and Chief Hacking Officer are, just as Thomas Greene of the Register has pointed out, exploiting the situation for their own benefit. Yet the gap sometimes between notice of a vulnerability and its actual exploit can reach into the months and years; and Radsoft has long hammered on, bashed even, these lame netadmins who are not worth the little money they are paid. And surely it is a vicious circle devised by a cynical attitude that netadmins like programmers are just pipe fittings which are put into operation when the need arises, faceless inhuman non-wonders who for a given number of hours on the job and a given piecemeal salary can do a given very limited job. But the idea that Microsoft or any other company be given the privilege of having access to information that not all others will have access to once again makes our democratic backs rise in protest - if Microsoft are to be our guardians, the question would go, then who are to be the guardians of the guardians?

There are many security companies which have, to say the least, a very ambivalent attitude towards security, vulnerabilities and exploits. Corporately they dress in the garb of the hacker and go after holes with an ambitious viciousness; then, when they are found, when they have succeeded in scaring the daylights out of their established and potential customer bases, they do a quick costume change and come out all paternal and assuming airs of actually despising the hacking activities they so eagerly engage in. Surely this is not good; surely this is twisted; but from here to a total censorship of truth is a great leap no one but no one has a right to make.

For it's the truth and nothing else which is at stake here. Truth is on trial. There are so many security gurus out there who are really worth their salt, who are moreover very good at their craft, and who help plug holes before the unseen adversaries can stick their fingers in them. These are good people, and their method of doing business cannot and should not be called into account.

Culp argues that one need only an aspirin for a headache, one need not know how one got one's headache in the first place. It is unfortunate that Culp use this analogy, for it is patently obvious that despite the consumption of aspirin around the world, the number of people who do take an active interest in finding out how they got the danged headaches in the first place is almost as great. People want to know, and people need to know, but most of all: people have a right to know.