The current environment is an unfortunate one. Researchers report security holes and the vendors either claim that the lapse is only theoretical or don't respond at all. The result is that those researchers write and circulate proof of concept code in order to force vendors to respond. In the time between release of concept code and installation of the patch everyone has a higher degree of exposure than they would have had in the absence of the disclosure. As an example, the Klez virus topped the charts in 2002, yet the fix was released a year before a virus based on the concept code began circulating.

However, this is an area where the ones complaining the loudest have the power to make it stop. If the vendors acknowledged the vulnerabilities, kept the researcher involved in the solution, and released a fix (not just a patch) in a timely manner then the problem would go away. There'd be no need to force the vendors' hand and we'd all be better off.


What are your future plans? Any exciting new projects?

I've started working on a new book, this one called Network Security Fundamentals. It is aimed at managers who need to know what all the component parts are (i.e., security policies, VPNs, PKIs, IDSes, firewalls and so on) and how they work together to form a security solution.