Charney microsoft




















We're thinking security roll-ups. If you're patching your system over a period of time, you might reach a point where you're not sure you're up to date. Maybe you can run something, a security roll-up that has everything that you need to be current, and you just deploy that and you're set.

As part of this process, we also need to provide better tools so people can figure out where they stand. We have some tools like HFNetChk to run on your system to see where you are. In the long term, it's better if we can come up with a single harmonized tool that leads to consistent results and follow a carefully thought-out policy of how patches should work and be implemented.

What I have said to staff as we work on this is I'd rather have it good than fast. The traditional model was, 'OK, let's get something out there quickly,' but now with the new shift on security, everyone understands that doing it right is more important than getting it out fast.

Charney: It's an issue I had a lot of contact with when I was on the government side. There was a case of a hacker who shut down an airport by hacking a telephone switch, and this switch was in place all over the country and could be disabled with a limited number of commands.

I had to start thinking, do you tell people this vulnerability exists? As I worked through it on the government side and as I think about it on the industry side, my thinking hasn't changed a lot. If you know of a vulnerability but there is no patch or workaround, giving notice of that vulnerability to the public at large invites bad guys to exploit it when the good guys don't have anything for it, and that's dangerous.

So the first thing is it's better to talk about a vulnerability when there is a patch. That, of course, creates a bit of a race: The good guys have to race for the patch while bad guys are racing to exploit. Having said that, I think you have to notify people about the vulnerability. The key to making that work is that vendors do patches with all deliberate speed.

There are issues there; depending on the complication, it may not be a quick-fix. The other difficult issue is if someone sees a vulnerability and tells a vendor.

Still, Microsoft didn't create the initiative out of choice, Jaquith said. Microsoft once had an internal list, called the executive hot list, made up of "customers so furious with security that they called [Bill] Gates or [CEO Steve] Ballmer personally," Jaquith said.

Since Charney joined Microsoft, on five occasions vice presidents in charge of products have disagreed with his no-ship order, Charney said recently to a group of reporters at Microsoft's headquarters in Redmond, Washington.

Craig Mundie, chief research and strategy officer at Microsoft, was called to settle the disputes, and each time he sustained Charney's no-ship order. Once, Charney reversed his no-ship order himself. That was after his team found out about an issue in Windows Mobile that should have been fixed before it shipped, he said.

But then Pieter Knook, who was in charge of Microsoft's mobile communications business until he left the company this February, explained that delaying the product launch would mean missing the end-of-year holiday season -- and that the issue could be fixed after the launch.

Charney decided to let the operating system ship. His team typically finds issues during development and makes sure the problems are fixed, he said.


