In particular, his comment that he wishes security researchers would just shut their mouths is a sure sign that Ballmer just doesn't get it. His ambit scenario would see researchers only telling Microsoft about bugs they find. He actually cited the good of the world for his reasoning. At least he didn't bring God into it.

"I can tell you I wish those people just would be quiet. It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers," Ballmer said at Microsoft's Worldwide Partner Conference in New Orleans.


So when they do find a security flaw in Windows, Internet Explorer, Microsoft SQL Server, Internet Information Services (IIS) etc., who should they tell? Just Microsoft? The practice of disclosing vulnerabilities solely to the vendor responsible for maintaining the product in question has never worked. Why? The vendor becomes unresponsive, and starts knocking out quick fixes that may or may not work. The more transparent the disclosure model is, the more the public can feel assured the vendor has appropriately addressed the issue. This is not rocket science, it's disclosure 101.

While there are some irresponsible researchers out there, most will happily give companies like Microsoft a reasonable lead time--not to mention unfettered access to some very comprehensive research material--so they can produce and distribute a fix before they go public with a vulnerability. The unofficial rules of responsible vulnerability disclosure have been established for a long time.

While it is a very positive move for Microsoft to acknowledge it must work with security researchers, it is quite unfortunate it feels it must needle them in front of its world-wide partners for essentially performing a public service.

Other remarks made during his speech show the company is indeed listening to its customers. It's listening to all of their gripes about how difficult it is to patch products, about how its vulnerability-infested products are causing frustration among system administrators. This frustration is breeding apathy, which means people just aren't taking the sort of care with their systems they should be, so in that regard MS is doing the right thing by tuning in to its customers' gripes.

The only problem with only listening to the customers is that the average Microsoft customer is no security expert. Wouldn't it be better if Microsoft listened more to the security researchers it loves to hate--the people who spend 60 hours a week debugging Windows code--as opposed to just quizzing its cola-chugging sysadmin customers about their "patching experience"?

source: zdnet


The wise make mistakes, the fools repeat them
----------------------------------------
When you have eliminated the impossible, that which remains, however improbable, must be the truth