Right, they won't use the security researcher who found the bug that their "evolved" process missed... And that's why Microsoft has such a great and well deserved reputation for producing secure products. Internet Explorer, SQL Server, IIS, the Active X framework, every version of Windows OS before 2008/Seven. Firefox has been a terribly insecure product, but they do make timely efforts to fix the bugs when they are discovered. For me, that counts for something. I don't want to be an open source zealot, but how is it that a multi-billion dollar software company cannot even issue an advisory in 5 days, but groups loosely knitted groups of 3rd party funded engineers and volunteers can?

Imagine if that argument were applied elsewhere.

Not really, but I think his hotfix is a starting point, and testing would/should be at least partially automated. As another poster stated, they could put out an advisory or diable the service or do something more than they have done for the past 5 days.

Did you RTFA? The Google engineer - who btw didn't use any indication that they are from google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing an (NON-ZERO DAY) issue on the security list so that security professionals are aware evil, after giving MS time to see the vulnerability and test the potential fix - I'd expect a company that derives Microsoft sized revenue from their OS to have someone readily available for these issues.

Okay... so I admit I'm no fan of Palin... But as a soon-to-be newly minted CISSP, people like Kernell make me sick. However, when I see a 20 year sentence for his crime, vice 150 years for Madoff who stole tens of thousands of people's retirement, not put their information in the wind where there was potential of having money stolen... I can't help but think: 1. There is seriously something wrong with the way these crimes are sentenced - there needs to be either a specialized court system for computer-centered crimes which legal stuff who TRULY understand these issues, or a serious education program for lawmakers and the judicial and law enforcement communities that deal with these laws and issues. 2. There needs to be more creativity in the sentencing process. Kernell is a criminal, make no mistake. Obviously he is very far from a mastermind, and most of these convicted hackers are script kiddies, the cyberwar equivalent of cannon fodder. I just wonder what is gained by putting this dummy away for 20 years. I think we'd be better served by making him notorius for what he's done wrong and using him as a public example - i.e. banned from working in the computing field, long-term house arrest, etc (whose food and shelter we dont have to pay for).