...a malicious person, may also have found the same flaw and might be using it to attack users, Ferris said.
Often lambasted for bugs in its products, Microsoft is doing its best to win the respect of the security community. The company has "community outreach experts" who travel the world to meet with security researchers, hosts parties at security events and plans to host twice-annual "Blue Hat" events with hackers at its headquarters. At Blue Hat, hackers are invited to Microsoft's headquarters to demonstrate flaws in Microsoft's product security.
"Security researchers provide a valuable service to our customers in helping us to secure our products," said Stephen Toulouse, a program manager in Microsoft's security group. "We want to get face to face with them to talk about their views on security, our views on security, and see how best we can meet to protect customers."
Many companies are getting better at dealing with security researchers, said Michael Sutton, director of iDefense Labs, which deals with researchers and software makers. "The environment has definitely changed from two or three years ago, though there are vendors who are going in the opposite direction," he said.
While Microsoft sometimes is still referred to as the "evil empire", it appears to be successfully wooing security researchers.
"We are at the point where all the obvious things we tell Microsoft to do, they already do it," Dan Kaminsky, a security researcher who participated in Microsoft's first Blue Hat event last March, has said.
Balancing act
Other technology companies still struggle with hacker community relations. Cisco especially has managed to alienate itself from the hacker community to the extent that T-shirts with anti-Cisco slogans were selling well at on of this year's largest international hacking events, the Defcon conference in Las Vegas. Oracle also isn't a favourite, researchers said.
Recently, Cisco sued security researcher Michael Lynn after he gave a presentation on hacking router software at the Black Hat security conference, which was also held in Las Vegas. The company had previously tried to stop Lynn from giving his talk in the first place.
"It was definitely a surprise to see Cisco's reaction," iDefense's Sutton said. "I don't think...
For more, click here...
Talkback
Vendors shouldn't lay down security related disclosure rules. Period.
When a researcher finds a flaw he/she should post it in full on a special members only disclosure list and 30 days after the same information should be posted on a public list by someone else. End of story.
That should motivate vendors and researchers alike to be very carefull as to what they publish (or sell on the markets). As well as making sure that they follow up with all required resources.
Don't like? Then make sure that, 1, you don't get posted or, 2, that if you get posted you can fix things within 30 days.
Nothing is perfect. We all know that. So make sure that you're prepared to handle inperfections in a timely matter. In fact, that aspect should have been part of the general design.
The only two constants in IT are: damage and change. So master that. The rest will be part of history sooner or later.
There's plenty of blame to go around.
The software makers are responsible for preventing and repairing issues with the software. This means they should keep any foreseeable holes out of there software and QUICKLY remove any that turn up despite their efforts to prevent them. Those that don't are the blame for making an insecure product; no more, no less.
The press and IT/security professionals are responsible for informing the software makers and computer users of any problems in such a way that does not compound the issue. Those that don't are the blame for reenforcing the problem by preventing appropriate communication.
The IT/security professionals and end users are responsible of understanding and applying the appropriate patches to already installed version of the software. Those that don't are the blame for leaving the issue in play.
The malicious hacker, are also the blame for exploiting these problems and actually aggravating them.