From Charney's speech last week, the MS transcript. They corrected Cliff Stoll's name, but a new flub takes its place. It's hard to take a company seriously that doesn't quite grasp "pen" testing vs "pin" testing.
http://www.microsoft.com/presspass/events/teched/06-03charney.asp
Then we did penetration testing. One of the things that I'm concerned about at Microsoft is organizational process. So, every group like the Windows Group has pin testers. That's good. It's good because they know their products. It's also bad because they know their products and you need people to think outside the box. It can also be a problem because if you're a pin tester in Windows, and you see a problem, you're going to escalate it up the chain of command to someone who's also responsible for shipping Windows. That's a natural business tension. So we have other pin testers. We have pin testers who work for me. I report to the chief technical officer, Craig Mundie. He reports to Bill Gates. I'm a cost center, not a profit center. My job isn't to ship the product. And then we bring in pin testers from the outside.