News from PANUG - March 14, 2001
http://www.panug.org
info@panug.org

DAMAGE CONTROL
by John Walker

The security world was made aware of a security hole
in Microsoft's Active Directory over a year ago. Network
World recently ran a story [1] about how the bug won't be
fixed for another year. Microsoft responded [2] to this
with a web page that includes this text:

 A recent article in Network World claims that a key
 security flaw exists in the Active Directory(tm)
 Service. It is Microsoft's position that statements
 made in this article are presented out of context,
 creating unnecessary concern and confusion.

This is typical of the damage control big companies like
Microsoft use when their products have bugs or, in this
case, design flaws. They minimize the problem. In this
case, minimizing the problem is necessary because the
time between discovery and resolution is measured in
years. Microsoft doesn't want its customers to replace
Active Directory with a more robust directory (Novell's
NDS is the only one that comes to mind) or to go back
to NT Domains.

In the world of open source software, damage control is
handled differently - the problems are fixed as quickly as
possible. Typical problems are fixed in minutes, hours, or
days - not years. This makes it unnecessary to explain
why the problem is not a problem and to expect that
users are gullible enough to believe it.

[1] http://www.nwfusion.com/archive/2001/117574_02-26-2001.html
[2] http://www.microsoft.com/windows2000/news/bulletins/multivalrep.asp