Does Microsoft Need a New Source Code for the Future?

P

PA Bear [MS MVP]

<plonk yet another of BoaterDave's posting aliases>

~BD~ wrote:
> Shenan - Thank you for such a comprehensive and thought-provoking answer.
> I
> really do appreciate your guidance!
>
> When I googled ............. I ended up here:
> http://www.google.com/search?hl=en&ie=ISO-8859-1&q=aumha.com&btnG=Google+Search
>
> The first result is www.minscape.com If I type that into my address bar,
> or follow the link, I get taken to exactly the same place as if I type in
> Aumha.com. Hmmmm!
>
> The fourth entry is Naive question about a URL - Malwarebytes Security
> Forums posted by me to determine alternate views. You may be interested to
> follow up on this.
>
> My only concern is that the bad guys don't win. I believe you feel the
> same
> way.
>
> Dave
>
> "Shenan Stanley" <newshelper@gmail.com> wrote in message
> news:OLJQw3$7IHA.3624@TK2MSFTNGP05.phx.gbl...
>> <snipped>
> <snipped>
 
P

Paul Adare - MVP

On Sun, 27 Jul 2008 19:31:02 -0400, PA Bear [MS MVP] wrote:

> <plonk yet another of BoaterDave's posting aliases>

Announcing this accomplishes less than nothing. Apparently you've got
nothing better to do than to announce to BD that it is time for him to
change his From header again. As an "MS" MVP one would assume that you'd be
smarter than that. Apparently not.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
If a program is useful, it must be changed.
 
P

Paul Adare - MVP

On Sun, 27 Jul 2008 19:31:02 -0400, PA Bear [MS MVP] wrote:

> My only concern is that the bad guys don't win.

Then start educating yourself and try to have at least a rudimentary
knowledge of the who the bad guys are. Redirecting ahuma.com is not a sign
of a bad guy.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Every program is a part of some other program, and rarely fits.
 
R

Root Kit

On Sun, 27 Jul 2008 20:07:59 -0400, Paul Adare - MVP
<pkadare@gmail.com> wrote:

>Then start educating yourself and try to have at least a rudimentary
>knowledge of the who the bad guys are. Redirecting ahuma.com is not a sign
>of a bad guy.

Dan? .... Where are you Dan? ... An MVP's knowledge is being
questioned! - We can't have that, can we?
 
D

Dan

Robear is a really good guy and I am disappointed that Microsoft hires MVP's
like you Paul that do not live up to your name in helping the little people.
I guess you are just interested in the big bucks from the cooperations.

"Paul Adare - MVP" wrote:

> On Sat, 26 Jul 2008 16:32:35 -0400, PA Bear [MS MVP] wrote:
>
> > Dan and I have had many fruitful discussions in the past.
>
> That doesn't surprise me.
> Have you got nothing better to do? I'm not going to waste my time with an
> off-topic discussion with you, even an on-topic discussion with you
> wouldn't be a very productive use of time.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Transistor: A sibling, opposite of transbrother.
>
 
D

Dan

"S. Pidgorny <MVP>" wrote: <response bottom posted>

> G'day:
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
the base for Windows
> Mobile next version.
>
> > For example, an OS should be able to wipe its own butt without
> > RPC, and/or not expose RPC to network surfaces (especially
> > the Internet). It shouldn't rely on RPC to do internal things, weld
> > this into Internet exposure, and then rely on a firewall as a band
> > aid over this clickless, remotable risk surface.
>
> RPC is as good (or bad, depending on your by-default attitude) as any other
> IPC. I can disable RPC in Windows and still run software, but I see no
> reason to.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>

----------------------------------------------------------------------------

Here is Chris Quirke's reply:

At 09:36 26/7/2008, Dan wrote:

>Wow, you and I have really created in uproar in the security community and
>many people are not pleased at all about our opinions. Who would have
>thought that 2 people could upset the security community so much? <grin>

Especially when one of them isn't there -)

> From Microsoft.Public.Security Newsgroup
>
>Dan 7/24/2008 6:08 PM PST
>I will now post Chris Quirke, MVPs reply to me


>S. Pidgorny <MVP> 7/25/2008 7:26 AM PST
>
>Windows 3.1/9x code base is now dead. Everything is NT. Not
>sure about mobile devices but will not be surprised with XP as
>the base for Windows Mobile next version.

That's my take, too. I briefly thought of 9x (not 3.x, and yes, they are
different enough to be considered as different OS families) as a small
GUI OS for small devices (e.g. a diskless PDA with 4G flash memory
and 32M working RAM) but while it would fit the "size" and host plenty
of legacy apps, those apps won't match what a PDA is to do, and the
PDA's hardware is likely to be outside 9x's capabilities.

In any case, a core design requirement of 9x - the ability to run apps
written for DOS and Win3.yuk - is no longer relevant, so much of what
constrains how good 9x could be, is redundant and should be discarded.

> > For example, an OS should be able to wipe its own butt without
> > RPC, and/or not expose RPC to network surfaces ... It shouldn't
> > rely on RPC to do internal things, weld this into Internet exposure,
> > and then rely on a firewall as a band aid over this risk surface.
>
>I can disable RPC in Windows and still run software, but I see no
>reason to.

By design, it may be OK, but that design has failed due to code exploits
a couple of times. Not just the Lovesan-era thing (with the "take two"
re-patching of what was considered to have been "fixed" already) but the
Server 2003 era bug that allowed DNS servers to be exploited via RPC.

If I have NO contexts whatsoever, where I need remote systems to call
procedures on my PC, then why should I be forced to provide that "service"?
If the answer is because the internal OS can't do without it, and it can't be
ripped out of the obligatory "network" surface, then that is IMO a sucky
design for a stand-alone OS. I know you can run some things without RPC,
but few articles written at the time of the Lovesan onslaught recommend
disabling the RPC service... it's usually considered "essential".

>Dan 7/25/2008 10:39 AM PST
>
> Windows 9x may be dead somewhat to Microsoft but it is alive and kicking
>everywhere else with Mozilla still supporting it with their web browser as
>well as AVG 7.5 supporting it as well.

Er... AVG 7.5 is replaced with 8.0, and that no longer supports 9x.
There's still Avast as a free av for 9x, as at July 2008.

>Heck, 98 Second Edition for me is more stable than XP Professional. Vista
>while it is stable enough for me still suffers somewhat with compatibility

I haven't had stability issues with XP as you say, much of the time, all
three are pretty stable. Are these three different systems, or groups of
systems? If groups, are there any commonalities (aside from OS) over
the comparatively-blighted XP group? Right now, I'd consider XP SP3 as
the top of the mature-and-stable pile.

>You talk about a great opportunity for all those used computers that
>cannot run XP and why not have them run 98SE

Old used PCs are a difficult resource to deploy (i.e. set up for others to
own and use) - they are usually heterogeneous in hardware, prone to
hardware failure, and difficult to source reliable and matching parts. If
the target users are, say, a PC maintenance school, it makes sense, so
a winning strategy may be to partner your intended users with such a
mainetance resource, so the community can support itself (and harness
problems as skill-building opportunities).

>Microsoft has not sold the source code because they don't sell source code.
>You can assign all the motives you want to this

One way to sanity-check such things (i.e. whether something is an inescapable
reality or a industry-motivated contrivance) is to watch what happens
in the open
source world. You do get small Linuxen that run on minimal hardware, but
while
the current versions of the main productivity distros may not need
Vista's hardware
specs, they won't be comfy on sub-XP hardware specs.

The cores of these OSs (Linux, BSD, the "new" MacOS) are a very long
evolution,
confirming the value of honing rather than re-inventing code. But
the original design
brief of those code bases was different to 9x if anything, more like
that of NT, though
from an earlier age (and thus "smaller" hardware).

> > I use 512 megabytes of ram with it and editted the system.ini to recognize
> > less and have a 256 megabyte ATI video card. Nope, it is Windows
> XP Service
> > Pack 3 that is having the issues right now with people having
> trouble getting
> > updates for it without the proper patch to register the *.dlls again. In
> > addition, Windows Vista has great external security but lacks the internal
> > safety of a 9x operating system.
>
>Again, you have no idea what you're talking about here. You really need to
>expand your horizons beyond your pet MVP.

Dan, your terminology differs from mine, and I can't really "get" what you're
referring to, either - e.g. when you refer to "internal security".

I'm also something of an outside to pro-IT group-think, and I'll take this
oppo
to clarify my own (unfamiliar?) terminology.

I refer to safety as underlying security, and sanity as underlying safety.

For example, the purpose of securing a PC so that only Fred can use it,
can be undermined if safety failures mean that what Fred does, is not what
Fred wanted to do (but rather fulfilled the intentions of an attacker).

For example, a safe design that ensures code can't run from a context that
is presented as "viewing a .JPG image", is undermined if defects within the
..JPG-handling code allow insane behavior (i.e. behavior that bears no relation
to what the .JPG-handling code was expected to do).

I'm also entirely unapologetic about my focus on stand-alone and consumer
users, and what I have to say about PC safety is from that perspective. Such
things will probably NOT be applicable to server infrastructure, so if my
ideas
are quoted in inappropriate contexts, I'd expect them to be bounced away.

One such concept is the need for an effective off-HD maintenance OS. In
the pro_IT world, the usefulness of this may be undermined by dangers
from managed users using this to escape central management, so there
may be a risk/benefit decision to avoid such things.

That is exactly the kind of decision I'm talking about, for us who own our
own PCs and have no wish to extend any sort of "remotability" to anything
beyond those PCs. Just as a sysadmin may be happier if his users did
not have the ability to undermine his control, so we would be happy to
have no complex "remote admin" surfaces waved at the 'net.

>Wow, you've really drunk the Chris Quirke kool-aid here

Hmm... that snippage didn't smell like anything from *this* kool-aid
factory -)

>and you really have no concept of what security is all about.

Much of what is spoken of as "security" (even in these security circles)
isn't so much about securing X for Y but against Z, but is about safety,
i.e. making sure that unwanted situation S should never arise.

When I first dropped into security newsgroups and elists, I expected to
see 95% networking and domain-centric user admin, and little that was
relevant to my interests. Instead, I found much discussion of the same
malware attacks and safety failures - the problems I see in my terrain.

To me, that means "malware" is far from being a "solved problem",
despite the resources that professionally-managed IT can throw at it.
 
P

Paul Adare - MVP

On Tue, 29 Jul 2008 02:04:01 -0700, Dan wrote:

> Robear is a really good guy and I am disappointed that Microsoft hires MVP's
> like you Paul that do not live up to your name in helping the little people.
> I guess you are just interested in the big bucks from the cooperations.

Microsoft does not hire MVPs, they are all, including myself and Robear,
volunteers.
FWIW, I don't help little people, I help people period. I generally learn
as much as I educate in the news groups.
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Multitasking = screwing up several things at once.
 
P

Paul Adare - MVP

On Mon, 28 Jul 2008 16:21:20 GMT, Root Kit wrote:

> On Sun, 27 Jul 2008 20:07:59 -0400, Paul Adare - MVP
> <pkadare@gmail.com> wrote:
>
>>Then start educating yourself and try to have at least a rudimentary
>>knowledge of the who the bad guys are. Redirecting ahuma.com is not a sign
>>of a bad guy.
>
> Dan? .... Where are you Dan? ... An MVP's knowledge is being
> questioned! - We can't have that, can we?

Actually in this case I wasn't questioning Robear's knowledge, I followed
up to the wrong post. While my response attributed the line to Robear, it
was actually posted by Dan.
My mistake.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Life would be so much easier if we could just look at the source code.
 
D

Dan

Well, then Microsoft recognizes the contributions and grants people MVP
status. I am sorely puzzled at why you need to be rude to Robear. I
consider him a great MVP. Are your contributions to Microsoft newsgroups
nearly as vast and knowledgeable as Robear's are?

"Paul Adare - MVP" wrote:

> On Tue, 29 Jul 2008 02:04:01 -0700, Dan wrote:
>
> > Robear is a really good guy and I am disappointed that Microsoft hires MVP's
> > like you Paul that do not live up to your name in helping the little people.
> > I guess you are just interested in the big bucks from the cooperations.
>
> Microsoft does not hire MVPs, they are all, including myself and Robear,
> volunteers.
> FWIW, I don't help little people, I help people period. I generally learn
> as much as I educate in the news groups.
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Multitasking = screwing up several things at once.
>
 
K

Kerry Brown

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:394D204B-1869-46CB-AB1E-3E4B0F265A6B@microsoft.com...
> Much of what is spoken of as "security" (even in these security circles)
> isn't so much about securing X for Y but against Z, but is about safety,
> i.e. making sure that unwanted situation S should never arise.
>
> When I first dropped into security newsgroups and elists, I expected to
> see 95% networking and domain-centric user admin, and little that was
> relevant to my interests. Instead, I found much discussion of the same
> malware attacks and safety failures - the problems I see in my terrain.
>
> To me, that means "malware" is far from being a "solved problem",
> despite the resources that professionally-managed IT can throw at it.
>
>


As someone with one foot in both camps - support corporate networks, support
home users and very small networks. Let me add my perspective.

A lot of IT pros are only concerned with the health of the network not
individual computers. When something goes wrong with a computer it is
removed from the network and fixed. Their security is designed to protect
the network not only from outside attack but from malicious (or even just
dumb) users as well. They aren't concerned with saving data on individual
computers so it's usually easier and much more cost effective just to nuke a
computer that has any problems. This can lead to problems where the IT Pro
really has no idea how dangerous malware is or how to really protect users
from it.

Supporting individual users or very small p2p networks requires a totally
different mindset. In these situations data is scattered anywhere and very
rarely is all the data backed up. To lose one computer could be
catastrophic. At the same time these users expect to be able to do whatever
they want with their computer. To support these users you need to intimately
understand how malware works and how to defend against it.

Of course there is a lot of overlap between the two security paradigms. I
generalised with a very broad brush. I do think there are two very different
mindsets when it comes to computer security and this often leads to one
mindset disregarding the other as not relevant. This is a mistake. The
reality is understanding both mindsets, analysing what the current situation
requires, and applying whatever works from each mindset in this situation is
the best security.

Malware will never be a solved problem. There is too much money in it. As
OS's become hardened social engineering attacks will get better. Attacks
against other pieces of the infrastructure will become more common. The
current DNS problems illustrate this. You can have an invulnerable system
but if you are redirected to hacker.com instead of bank.com and enter your
credentials what good did all that security do you?

Security means different things in different situations and is always a
moving target.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
 
P

PA Bear [MS MVP]

That's an absurd question to ask any MVP, Dan, let alone an MVP as respected
in his field as is Paul. Please knock it off. THX

Dan wrote:
> Well, then Microsoft recognizes the contributions and grants people MVP
> status. I am sorely puzzled at why you need to be rude to Robear. I
> consider him a great MVP. Are your contributions to Microsoft newsgroups
> nearly as vast and knowledgeable as Robear's are?
>
> "Paul Adare - MVP" wrote:
>
>> On Tue, 29 Jul 2008 02:04:01 -0700, Dan wrote:
>>
>>> Robear is a really good guy and I am disappointed that Microsoft hires
>>> MVP's like you Paul that do not live up to your name in helping the
>>> little people. I guess you are just interested in the big bucks from the
>>> cooperations.
>>
>> Microsoft does not hire MVPs, they are all, including myself and Robear,
>> volunteers.
>> FWIW, I don't help little people, I help people period. I generally learn
>> as much as I educate in the news groups.
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> Multitasking = screwing up several things at once.
 
D

Dan

Okay, I was just trying to defend your honor, Robear.

"PA Bear [MS MVP]" wrote:

> That's an absurd question to ask any MVP, Dan, let alone an MVP as respected
> in his field as is Paul. Please knock it off. THX
>
> Dan wrote:
> > Well, then Microsoft recognizes the contributions and grants people MVP
> > status. I am sorely puzzled at why you need to be rude to Robear. I
> > consider him a great MVP. Are your contributions to Microsoft newsgroups
> > nearly as vast and knowledgeable as Robear's are?
> >
> > "Paul Adare - MVP" wrote:
> >
> >> On Tue, 29 Jul 2008 02:04:01 -0700, Dan wrote:
> >>
> >>> Robear is a really good guy and I am disappointed that Microsoft hires
> >>> MVP's like you Paul that do not live up to your name in helping the
> >>> little people. I guess you are just interested in the big bucks from the
> >>> cooperations.
> >>
> >> Microsoft does not hire MVPs, they are all, including myself and Robear,
> >> volunteers.
> >> FWIW, I don't help little people, I help people period. I generally learn
> >> as much as I educate in the news groups.
> >> --
> >> Paul Adare
> >> MVP - Identity Lifecycle Manager
> >> http://www.identit.ca
> >> Multitasking = screwing up several things at once.
>
>
 
P

PA Bear [MS MVP]

Thanks, but I'm fine.

Dan wrote:
> Okay, I was just trying to defend your honor, Robear.
>
> "PA Bear [MS MVP]" wrote:
>
>> That's an absurd question to ask any MVP, Dan, let alone an MVP as
>> respected in his field as is Paul. Please knock it off. THX
>>
>> Dan wrote:
>>> Well, then Microsoft recognizes the contributions and grants people MVP
>>> status. I am sorely puzzled at why you need to be rude to Robear. I
>>> consider him a great MVP. Are your contributions to Microsoft
>>> newsgroups
>>> nearly as vast and knowledgeable as Robear's are?
>>>
>>> "Paul Adare - MVP" wrote:
>>>
>>>> On Tue, 29 Jul 2008 02:04:01 -0700, Dan wrote:
>>>>
>>>>> Robear is a really good guy and I am disappointed that Microsoft hires
>>>>> MVP's like you Paul that do not live up to your name in helping the
>>>>> little people. I guess you are just interested in the big bucks from
>>>>> the
>>>>> cooperations.
>>>>
>>>> Microsoft does not hire MVPs, they are all, including myself and
>>>> Robear,
>>>> volunteers.
>>>> FWIW, I don't help little people, I help people period. I generally
>>>> learn
>>>> as much as I educate in the news groups.
>>>> --
>>>> Paul Adare
>>>> MVP - Identity Lifecycle Manager
>>>> http://www.identit.ca
>>>> Multitasking = screwing up several things at once.
 
S

S. Pidgorny

G'day:

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message

> Malware will never be a solved problem. There is too much money in it.

There is no credible data on how much money is in the cybercrime. On the
other hand, IT security has become giant and still rapidly growing business.
So there is huge interest in perpetuating malware and other security
problems, real or imaginary.

> OS's become hardened social engineering attacks will get better. Attacks
> against other pieces of the infrastructure will become more common. The
> current DNS problems illustrate this. You can have an invulnerable system
> but if you are redirected to hacker.com instead of bank.com and enter your
> credentials what good did all that security do you?

The current DNS problems are a repeat of multiple DNS problems of the same
outcome. Historically, there was no significant, Ctrl+Backspace, noticeable
attacks based on those vulnerabilities. All reports of exploit used by
criminals in the wild are unconfirmed.

A side note: I will not send my bank logon after being redirected. You know
why.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 
D

Dan

*Below is the reply from Chris Quirke and myself to him via email*

"Kerry Brown" wrote:

> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:394D204B-1869-46CB-AB1E-3E4B0F265A6B@microsoft.com...
> > Much of what is spoken of as "security" (even in these security circles)
> > isn't so much about securing X for Y but against Z, but is about safety,
> > i.e. making sure that unwanted situation S should never arise.
> >
> > When I first dropped into security newsgroups and elists, I expected to
> > see 95% networking and domain-centric user admin, and little that was
> > relevant to my interests. Instead, I found much discussion of the same
> > malware attacks and safety failures - the problems I see in my terrain.
> >
> > To me, that means "malware" is far from being a "solved problem",
> > despite the resources that professionally-managed IT can throw at it.
> >
> >
>
>
> As someone with one foot in both camps - support corporate networks, support
> home users and very small networks. Let me add my perspective.
>
> A lot of IT pros are only concerned with the health of the network not
> individual computers. When something goes wrong with a computer it is
> removed from the network and fixed. Their security is designed to protect
> the network not only from outside attack but from malicious (or even just
> dumb) users as well. They aren't concerned with saving data on individual
> computers so it's usually easier and much more cost effective just to nuke a
> computer that has any problems. This can lead to problems where the IT Pro
> really has no idea how dangerous malware is or how to really protect users
> from it.
>
> Supporting individual users or very small p2p networks requires a totally
> different mindset. In these situations data is scattered anywhere and very
> rarely is all the data backed up. To lose one computer could be
> catastrophic. At the same time these users expect to be able to do whatever
> they want with their computer. To support these users you need to intimately
> understand how malware works and how to defend against it.
>
> Of course there is a lot of overlap between the two security paradigms. I
> generalised with a very broad brush. I do think there are two very different
> mindsets when it comes to computer security and this often leads to one
> mindset disregarding the other as not relevant. This is a mistake. The
> reality is understanding both mindsets, analysing what the current situation
> requires, and applying whatever works from each mindset in this situation is
> the best security.
>
> Malware will never be a solved problem. There is too much money in it. As
> OS's become hardened social engineering attacks will get better. Attacks
> against other pieces of the infrastructure will become more common. The
> current DNS problems illustrate this. You can have an invulnerable system
> but if you are redirected to hacker.com instead of bank.com and enter your
> credentials what good did all that security do you?
>
> Security means different things in different situations and is always a
> moving target.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
> http://vistahelpca.blogspot.com/
>
-------------------------------------------new--------------------------------
At 06:45 30/7/2008, you wrote:

>Kerry Brown has responded and his reply seems to make sense.

Yes, he usually does - and I see he's also trying to get back OT.

>"Dan" <Dan@discussions.microsoft.com> wrote

> > Much of what is spoken of as "security" (even in these security circles)
> > isn't so much about securing X for Y but against Z, but is about safety,
> > i.e. making sure that unwanted situation S should never arise.
> >
> > When I first dropped into security newsgroups and elists, I expected to
> > see 95% networking and domain-centric user admin, and little that was
> > relevant to my interests. Instead, I found much discussion of the same
> > malware attacks and safety failures - the problems I see in my terrain.
> >
> > To me, that means "malware" is far from being a "solved problem",
> > despite the resources that professionally-managed IT can throw at it.
>
>Kerry Brown says:
>
>As someone with one foot in both camps - networks, home users ...
>
>A lot of IT pros are only concerned with the health of the network not
>individual computers. When something goes wrong with a computer it is
>removed from the network and fixed. Their security is designed to protect
>the network not only from outside attack but from malicious (or even just
>dumb) users as well. They aren't concerned with saving data on individual
>computers so it's usually easier and much more cost effective just to nuke a
>computer that has any problems.
>
>Supporting individual users or very small p2p networks requires a totally
>different mindset. In these situations data is scattered anywhere and very
>rarely is all the data backed up. To lose one computer could be catastrophic.

In essence, you have all the same things that a network has, but on the
same PC (or across a few undifferentiated PCs). The network approach
relies on significant material being concentrated of a few well-protected
PCs, so that the bulk of other PCs can be cheaper and more disposable.

That approach just does not scale down to peer LANs and standalones,
unless you scope *within* the same PC the way that sysadmins scope
between servers and workstations.

We're a long way from that goal. Though some may wave reduced user
rights as a solution, this does not protect user data from what can go
wrong within that user's session at best, it can protect multiple user
accounts from each other, which isn't useful on single-user PCs.

>At the same time these users expect to be able to do whatever
>they want with their computer.

This is a political thing, and has already been decided in real life, with
the general approach being that a person's "home" is sacrosanct from
arbitrary search, seizure and so on. In other words, unless your time
and rights have been bought while you use a PC owned by someone
else, you expect to be the top of the control pyramid for "your" system.

That's why it's counter-intuitive to tell free users that they should limit
their rights on their own PCs - especially on an OS that is designed to
allow remote access to trump those rights, content providers to subvert
those rights via DRM, and so forth. It's all too easy for those hidden and
powerful mechanisms to be hijacked by malware.

>To support these users you need to intimately understand
>how malware works and how to defend against it.

And how to manage the ?infected state.

Any PC can be infected, and as a fully successful infection may show
no abnormal signs, you're more or less obliged to consider every PC as
infected until proven otherwise. That's why you need unspoofable tools
to detect infected states, manage common integration points, etc.

>Of course there is a lot of overlap between the two security paradigms. I
>generalised with a very broad brush. I do think there are two very different
>mindsets when it comes to computer security and this often leads to one
>mindset disregarding the other as not relevant. This is a mistake.

Yep. The scene is dominated by the concerns of large managed networks,
not only because they are MS's largest and best-spending customers, but
because tech communication is easier within the group-think that follows
when everyone has been through the same training paths.

Such folks may callously disregard the interests of the "small" user, or apply
lower standard of acceptability. Lose all data and wipe the PC? If
it's only an
end user or workstation, then sure why not. PC's down for a few days? Just
wheel in another workstation from stores to use in the meantime. It's an end
user with everything on one PC? Well, they won't be doing anything important,
so it doesn't matter if they're down for a while.

From their own interests, the mistake in doing so is that when large numbers
of consumers get infected, the malware industry grows on the revenue, and
can use all of those systems as a hammer against large networks.

>The reality is understanding both mindsets, analysing what the current
>situation requires, and applying whatever works from each mindset in
>this situation is the best security.

The ultimate point of conflict between the two approaches is: When you have
an "admin" acting remotely, versus a user at the keyboard, who should win?

>Malware will never be a solved problem. There is too much money in it.

The industry has grown out of Pandora's Box, and that can't be undone.

Most of the opportunities for such growth have come from poor safety
judgements built into our systems , which boil down to a few basic things:
- not indicating risk when presenting material (e.g. files)
- not limiting actions to the risks presented
- automatically taking risks beyond user intent (e.g. macros in "docs")

Today, we may have fewer by-design opportunities to attack systems, e.g.
you prolly can't simply stick an auto-running script in an email "message
text" and have that automate Outbreak to spread your malware to all the
addresses that are in the system's address book.

Instead, you'd more likely have to exploit some code defect within some
exposed surface, and that takes far larger tech resources. Unfortunately,
there's now sufficient malware finance available to fund those resources,
and plenty of malware coders who grew up in the easy "virus hobby" era.

>As OS's become hardened social engineering attacks will get better.

Yep - and those ride on the back of software safety failures, which dumb
things down to the point that the user lacks concepts of data safety vs.
code risk. It doesn't take much computer savvy to know that running a
code file is higher risk than viewing a data file, yet even that simple and
crucial difference is lost by an UI that hides types and calls both "open".

>Attacks against other pieces of the infrastructure will become
>more common. The current DNS problems illustrate this.

Yup. The resources to match the large system design vendors are
there, and are being used. Just as we move further into "the network
is the computer" and accept dumb reliance on av and patching, so we
may see malware breaking into the unique addressing between network
entities, exploiting surfaces within av, and hijacking update delivery.

>You can have an invulnerable system

....so you need the ability to formally manage the infected state...

>but if you are redirected to hacker.com instead of bank.com
>and enter your credentials what good did all that security do?

Another way to look at this, is:
- we can never "clean the Internet"
- so we break off and clean bits of it, i.e. LANs and systems

If seamlessly merged into the Internet, you can't avoid the first and
can't apply the second. Remember that, when "designing the future".

>Security means different things in different situations and is
>always a moving target.

What you (as a user or customer) wants to avoid, is an arms race.

But an arms race may suit your vendors just fine.
 
S

Shenan Stanley

<snipped>
Thread in its entirety:
http://groups.google.com/group/micr..._frm/thread/57959533a9a3c6d8/f6cf8af9617caaf8



Dan wrote:
<snip>

Some reference to the thread abandoned to start this one:
http://groups.google.com/group/micr..._frm/thread/f019bcc172c8ea40/d8353f2bade585d8

> Chris Quirke, MVP says:
<snip>

<other responses completely snipped>

Dan wrote:
> *Below is the reply from Chris Quirke and myself to him via email*
<snip>


I only have one question...

What's with the 'proxy responses' as opposed to actual responses?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
K

Kerry Brown

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%23ug%23LZu8IHA.5928@TK2MSFTNGP05.phx.gbl...
> G'day:
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
>
>> Malware will never be a solved problem. There is too much money in it.
>
> There is no credible data on how much money is in the cybercrime. On the
> other hand, IT security has become giant and still rapidly growing
> business. So there is huge interest in perpetuating malware and other
> security problems, real or imaginary.
>

While I agree that the security industry is large and to some extent relies
on the bad guys to legitimize them I think going much beyond that is
venturing into tinfoil hat territory :)

>> OS's become hardened social engineering attacks will get better. Attacks
>> against other pieces of the infrastructure will become more common. The
>> current DNS problems illustrate this. You can have an invulnerable system
>> but if you are redirected to hacker.com instead of bank.com and enter
>> your credentials what good did all that security do you?
>
> The current DNS problems are a repeat of multiple DNS problems of the same
> outcome. Historically, there was no significant, Ctrl+Backspace,
> noticeable attacks based on those vulnerabilities. All reports of exploit
> used by criminals in the wild are unconfirmed.
>

http://www.google.com/search?hl=en&q=dns+exploit+in+the+wild&meta=

> A side note: I will not send my bank logon after being redirected. You
> know why.
>

You and I would not be easily fooled by this. I think would be quite easy to
fool most people if you owned their DNS.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
 
K

Kerry Brown

>
> What you (as a user or customer) wants to avoid, is an arms race.
>
> But an arms race may suit your vendors just fine.


I think we are already involved in this arms race. Finding a way to stop it
will be very hard at this point.

To get back to the original topic. I think that given the future of "cloud"
computing or whatever you want to call it the network stack needs to be at a
very low level in the OS and completely protected from all other processes
including security software. A new code base is probably needed for this. I
see a very minimal hypervisor based OS with hardware support, including
networking, and not much else. Everything else would run in virtual
machines. Each application would have it's own virtual machine and only talk
to other applications and the OS through strictly enforced communications
channels. The application would be free to supply it's own higher level OS,
UI, or whatever you want to call it for it's own virtual machine.
Applications could also have their own virtual file system completely
inaccessible to other applications if they wanted. Hardware is advancing at
a pace that this will be be possible in the near future if not already. We
are currently using OS's that have security and other problems because they
were designed to make the most of minimal hardware. Many compromises were
made to get acceptable speed. We need an OS that is aware that things exist
"out there somewhere" but it's core is isolated by hardware means. It's like
having someone isolated in a missile silo with only a telephone line for
communications. You also need a well guarded elevator to get a replacement
operator and food in (updates) but this elevator is a physical mechanism
that is well guarded and can be shut down in an emergency. All normal
communications are done only through the phone line.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
 
D

Dan

Chris Quirke, MVP lives in Africa and says he has trouble viewing the
Microsoft newsgroups thus I am posting his replies here for him.

"Shenan Stanley" wrote:

> <snipped>
> Thread in its entirety:
> http://groups.google.com/group/micr..._frm/thread/57959533a9a3c6d8/f6cf8af9617caaf8
>
>
>
> Dan wrote:
> <snip>
>
> Some reference to the thread abandoned to start this one:
> http://groups.google.com/group/micr..._frm/thread/f019bcc172c8ea40/d8353f2bade585d8
>
> > Chris Quirke, MVP says:
> <snip>
>
> <other responses completely snipped>
>
> Dan wrote:
> > *Below is the reply from Chris Quirke and myself to him via email*
> <snip>
>
>
> I only have one question...
>
> What's with the 'proxy responses' as opposed to actual responses?
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>
 
S

S. Pidgorny

G'day:

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:%23D6zTE08IHA.3736@TK2MSFTNGP06.phx.gbl...

>> The current DNS problems are a repeat of multiple DNS problems of the
>> same outcome. Historically, there was no significant, Ctrl+Backspace,
>> noticeable attacks based on those vulnerabilities. All reports of exploit
>> used by criminals in the wild are unconfirmed.
>>
>
> http://www.google.com/search?hl=en&q=dns+exploit+in+the+wild&meta=

I didn't say there isn't exploit available. I said it is not used by
criminals.

In the next year we'll hear more reports that 50%, 40% etc. of all DNS
servers are still unpatched, that DNS clients are also vulnerable, and
therefore the large-scale attack is imminent. After that this will be all
but forgotten, like any previous DNS cache poisoning vulnerability. Maybe
there will be bureaucratic bodies working on mandating DNSsec, a mature and
secure protocol.

>> A side note: I will not send my bank logon after being redirected. You
>> know why.
>>
>
> You and I would not be easily fooled by this. I think would be quite easy
> to fool most people if you owned their DNS.

So here's my problem: SSL certificates, and commercial CAs, are considered
means of identifying Web sites. If DNS will somehow be made more trusted, we
won't need commercial CAs. And if commercial CAs will be a part of the new
trusted DNS then DNS will lose its versatility.

Fraud in general is older than Internet. I think most people will pick up
awareness and should not be considered clueless forever.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 
You must log in or register to reply here.

Similar threads

J
I installed Windows 10 Pro brand new sealed the key code says not working I scratched to read the code it was valid how do I know if my activation wen
Replies
0
Views
48
Joseph Group
J
B
I've received an email for a single-use code for my Microsoft account. Is my account safe?
Replies
0
Views
56
Benjib20
B
B
I receive the error message “this microsoft account does not exist. Enter a diffrent account or request a new one .
Replies
0
Views
56
Benyamin Qassemi
B
A
  • Article
Beginning to enable a set of new features for Windows Insiders in the Dev Channel on Build 26120.961
Replies
0
Views
84
Amanda Langowski
A
D
If i buy the xbox 400 robux, do i get a code for it or does it immediately go to my account? and does it work for pc or do i need an xbox?
Replies
0
Views
176
develxx
D
Back
Top Bottom