Information Security News mailing list archives

Czar sets out security stall


From: InfoSec News <isn () c4i org>
Date: Fri, 1 Mar 2002 04:10:48 -0600 (CST)

http://www.vnunet.com/News/1129537

By Paul Allen [27-02-2002]

Microsoft chief UK security officer speaks exclusively to Network News

The man charged with leading Microsoft's efforts to secure its
software has vowed to put the interests of enterprises above the
company's consumer customers.

Stuart Okin was appointed last week to the newly created post of UK
chief security officer. His role is to bring together the raft of
security initiatives sparked by Bill Gates's promise to clean up the
company's act on security.

Microsoft CTO Craig Mundie recently said that reaching a trusted state
with security, reliability and privacy could take up to 10 years. "I
support that for consumers, but for enterprises we need to do it as
quickly as possible," said Okin.

He would not commit to a specific timescale, but said the company was
in consultation with customers and developer forums to ascertain the
key short-term goals.

Okin said it was difficult to gauge the company's progress. "We can't
just go to vulnerability tracking sites to judge whether we're being
effective. If we find more vulnerabilities it could be an indication
we're doing well, providing they're fixed quickly."

Okin renewed Microsoft's attack on those who publish the details of
vulnerabilities as soon as they are discovered.

"It is irresponsible for any finder to issue details until a patch is
available. It's like leaving home, leaving the door open and
announcing it with a megaphone," he said.

But Deri Jones, security services director at NTA Monitor, said that
published vulnerabilities gave suppliers an incentive to get things
done faster, and that network managers had a right to know.

"Honesty and openness mean things get fixed," he said. "If Microsoft
and other vendors fixed vulnerabilities in a timely fashion, then that
argument would hold water.

"If you don't publish the information, then sysadmins don't have the
choice to turn off a feature. It goes round the hacker community fast
enough, and network managers should be able to make an informed
choice."



-
ISN is currently hosted by Attrition.org


