<p>The UPnP problem was discovered by a young California computer whiz, a 21-year-old reformed hacker whose company, eEye Digital Security (www.eeye.com), held off announcing it until Microsoft could prepare a fix. It's that kind of cooperation that makes the whole thing work, Butler points out. "Servers are exposed to the Internet and by nature subjected to random or determined attacks," the CCC chief says. "We welcome alerts such as the one issued by the independent organizations . and expect Microsoft to address these concerns rapidly and effectively. "Given the wild and wooly nature of the Internet environment, I think they have served their customers well." So how should credit unions respond? "Make business decisions, not technology decisions," is how Dick Bastiansen, senior vice president of operations and MIS at $830 million Brockton CU in Massachusetts, puts it. "It's not about what operating system you're running, but how well you're supporting your staff in serving your members," he says, adding that his CU has no plans right now to upgrade to XP and wouldn't unless there was a business need. Still, Bastiansen says, he was surprised at the Microsoft announcement. "One would think that eventually software vendors would appreciate the user communities' need for a reliable and secure product," he says, adding, "We use Novell GroupWise for our e-mail and avoid Excel, Word and other Microsoft products as one of many strategies to protect ourselves from as much of this type of problem as possible." One leading tech expert in credit-union land said no matter what software you're using, there will always be a front-line problem. "Each of the various operating and Internet server systems has vulnerabilities. It's a matter of which poison you like the best. The only way you can protect yourself completely is to use an abacus," says Mike Scheuerman, business technology officer at $875 million First Tech CU in Oregon. The best defense continues to be diligence, adds Harold Randolph, director of CUNA Network Services' operations center in Tempe, Ariz. "Without running through the list of exposures and errors that have been discovered thus far, our advice to all that have installed XP is to visit Windows Update frequently and apply all critical updates as they are made available. Most of these have been for closing security holes," says Randolph, whose operation provides Internet hosting and other high-tech services to more than 1,000 credit unions. "More advice to the security conscious," he adds. "Subscribe to or visit frequently one of several security alert Web sites that monitor vulnerabilities and publish alerts. "One very good example is at www.cert.org. Sites such as this will typically expose vulnerabilities in XP well before Microsoft acknowledges the problems on Windows Update," says Randolph. Ironically, on nearly the same day that Microsoft announced its problems with XP, one of the other giants in the Internet-server, Oracle, was announcing a major security breach of its own. And it was dug out by the same eEye computer whizzes, this time responding to Oracle CEO Larry Ellison's claim that his system was bullet-proof. -</p> <p>[email protected]</p>