I was reminded of Bruce Schneier's recent Crypto-Gram Newsletter today. His editorial goes out of its way to be out of date and just plain wrong. By his second paragraph he has completely discredited himself. He takes quotes out of context, like Culp's comment that the UPnP bug was "the first network based, remote compromise" in (client) Windows, which he rebuts with examples of server vulnerabilities. He also mentions an IE bug that "Microsoft is busy ignoring". Who wants to bet he actually asked secure@microsoft.com about it? Unfortunately he gets away with that one because the MS vulnerability people don't release a bulletin until the bug is confirmed and either there is evidence of it being exploited in the wild or there is a good workaround for it (the patch that fixes it would count). (FYI: the patches for those issues have already come out now, and thanks to the "Information Anarchy" reporting, people were exposed to script-kiddie attacks while Microsoft was creating and testing the fix.) The most serious thing about his rant is the way he takes real issues and mixes them with things that were solved years ago (like the Office macros paragraph) and things he is completely guessing about but treats as fact (centralized customer databases). Finally, at the end he links to a series of one-sided sources.
In the end, you should stick to the stuff he is an expert on, like encryption, when you read his writing, and go elsewhere for editorials about Microsoft and security (there are plenty). Remembering at least one of the integrity rules myself: I'm a test developer in Windows networking (but not speaking for Microsoft).