Opinion: Dumb Security

By Frank Hayes
March 28, 2005 12:00 PM ET

Computerworld - Is Sybase's management well intentioned and dumb, or a crowd of control freaks who want to dictate to everyone -- including Sybase customers -- exactly what they're allowed to say about security? The question comes up after Sybase threatened to sue Next Generation Security Software Ltd., a security research company in England. Last year, NGS found a batch of vulnerabilities in Sybase Adaptive Server and notified Sybase. Sybase issued patches for the holes. So far, so good.
But now, NGS wants to publish details of the problem, as is its usual practice. And Sybase says that if NGS does so, Sybase will sue.
On what grounds? Sybase is reportedly pointing to its license agreement, which states in part: "Results of benchmark or other performance tests run on the Program may not be disclosed to any third party without Sybase's prior written consent."
Let that one sink in. Sybase is claiming that finding security holes in one of its products qualifies as a "performance test." Sybase executives know that's bogus. But it's the only clause in the license agreement that sounds even remotely like it could apply. And so far, the threat has worked; NGS has delayed publishing its report.
Wait, it gets better. Here's the start of Sybase's official statement about the NGS situation: "Sybase constantly strives to improve the security and functionality of its software. Sybase appreciates the efforts of its customers and companies like NGS who occasionally find issues which are brought to Sybase's attention."
Did you catch it? That's right -- in talking about its threat against NGS, Sybase is specifically including any other customers who find problems with Sybase software too.
Sybase's statement goes on to say that the company is primarily concerned about the security of its customers and that "the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
Which sounds very well intentioned. It also sounds very dumb.
After all, the bad guys already know the details of these security holes. They've likely already reverse-engineered Sybase's patches and developed exploit code. They're surely not sitting around waiting for NGS's description of the problem.
Let's presume Sybase's patches work. Then for any customer who has applied them, the problem is fixed. And publishing the details of the vulnerability is a nonevent.
Except, of course, for customers who haven't applied the patches. Those customers are at risk. Every unpatched day is another opportunity for bad guys to attack them. If Sybase truly cares about the security of those customers, the vendor should be