Roger
Wed May 10 08:06:40 CDT 2006
I will agree with you that the (US) national media became (perhaps
characteristic for them) quite sensationalist about every little security
patch MS released. In part MS might be to blame as when the net
based autoupdate capability was being introduced MS did actively
engage with the media to get the message out that patching was
available and needed. I recall however months after that started
hearing major, morning blasts on the 5 am business news that there
was a new "critical" update coming from MS (while also knowing
it was addressing an issue not as of then exploited).
I am however not so sure that your quoted 80% are dissuaded from
starting to use something they have not yet decided to use due to
a news story, or a corporate message, that they might never hear
or if so misunderstand. I mean, you have a point, yes, and there is
likely an adverse impact in the minds of some. But would it be
better to not be up-front and act like a Washington (DC) spin master
speaking only of what is desired to be known?
I tend to think it better for the message to track with realities and
hence to develop a sense that the company does understand the
current situation (and thus may be accurately addressing it).
Roger
"Rob R. Ainscough" <robains@pacbell.net> wrote in message
news:uwAHQG5cGHA.4148@TK2MSFTNGP05.phx.gbl...
> Perhaps I am Roger, but my point was more focused on the huge market of
> potential consumers/users that don't touch PC because they fear them, fear
> their security, and regularly see the flaws exposed on TV. If Microsoft
> make suggestions that they "give up" or "pass the buck" that is all the
> potential consumer will hear. The PC & hence software industry has
> reached its plateau considerably earlier than it should -- this is NOT
> good for anyone in this arena -- having the #1 OS seller tossing in the
> towel publicly doesn't help either.
>
> The problem with "Forward looking" is that term was used when XP was
> introduced, so we're seeing the same stories being told over and over --
> it appears to me to be a cycle Microsoft don't know how to resolve. If
> Microsoft don't resolve it, their world is going to be seriously limited.
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:O302mrzcGHA.4276@TK2MSFTNGP03.phx.gbl...
>> "Rob R. Ainscough" <robains@pacbell.net> wrote in message
>> news:ef$q1FycGHA.4900@TK2MSFTNGP02.phx.gbl...
>>>
>>> http://www.eweek.com/article2/0,1895,1945808,00.asp
>>>
>>> I'm having a hard time coming to grips with this statement from
>>> Microsoft -- that's like saying we give up on the other 80% of the
>>> potential market (yes still only 1 in 5 people use the internet with
>>> primary concern being security fears). I'm hoping this article is not
>>> accurate because Microsoft have sealed their fate with statements like
>>> this -- limiting the market and squeezing as much as they can out of the
>>> existing market does NOT present a stable future.
>>>
>>> I've also read other articles reporting very high level Microsoft execs
>>> moving the blame of the security flaws over to the consumer for not
>>> having proper third party protection??
>>>
>>> I've been infected with Malware a couple of times and really have NO
>>> idea how it made its way in when I have a host of tools to prevent such
>>> activity. Is Redmond really saying "we can't do anything about it"?
>>>
>>> Rob.
>>>
>>
>> I was not at the InfoSec conference, but let us assume that the
>> quoted passages are truthful renderings of the talk.
>>
>> From your post I get the impression that you are finding meaning
>> that I am not so sure is present. The talk is an open discussion of
>> the reality today. The "becoming impossible" is perhaps tempered
>> as I have been hearing Microsoft advise wiping compromised
>> systems for a couple years (about when rootkits started appearing
>> in common, i.e. not industrial, hacks).
>>
>> Why I think your interpretation is finding your own meaning is
>> because you overlook the fact that years ago Microsoft saw this
>> coming and have been investing in efforts to change the playing
>> field, so-to-speak.
>>
>> In the meantime, the core problem is that most people, including
>> professional admins, are incapable of pronouncing a system to be
>> clean. With the common presence of rootkit code now upon us,
>> there is no tool that will, guaranteed, find what should not be
>> there in a running system; and, if there were such a tool it would
>> soon no longer do what it could do yesterday. Offline analysis is
>> still the way to make such determinations - but this is quite likely
>> beyond the ability of the majority of PC owners (or of their pain
>> tolerance, and rightly so) and it is certainly not an (acceptable)
>> option for production servers.
>>
>> How did this happen? Three things come to mind. Code flaws
>> that allow privilege elevation and hence implanting of code where
>> it should not be possible, or, incorrectly configured systems that
>> are not protecting what needs safeguarding, or, unintentional or
>> inadvertent actions by accounts with privilege levels that allow
>> the code implanting.
>>
>> The last of these can only be addressed by users and their practices,
>> and even careful users get duped by social engineering.
>> The second has largely been addressed by the refinements in the
>> initial XP and certainly by the service packs; but, it is still possible
>> for the machine owner to alter the configured settings to make them
>> less than should be, and, there are still places/ways that the out of
>> the box config could be improved.
>> The first has been, or is being, addressed in the Microsoft world by
>> the use of a redesigned engineering process, new tools, dev training,
>> extensive code reviews, etc. If you look at non-IE patches and
>> trend them over the past few years I think you will see that this has
>> already borne fruit (although the bowl is still filling).
>>
>> So, how does this happen, that machines become compromised?
>> Given that Microsoft invested in the widely used update system so
>> that now large portions of the deployed base are patched within
>> a fairly short time upon patch release, the amount due to unpatched
>> systems with actively exploited flaws is much decreased. However,
>> the amount of compromise due to user practices and/or due to user
>> alterations to configurations is much unchanged (and some of this is
>> done by the software installers users run - when will they start being
>> up front and saying what they will do that we might not like?).
>>
>> Saying that the situation today is a user problem can be heard as
>> an attempt to shift the blame. It can also be heard as a truthful
>> assessment of the current exploitation environment.
>>
>> Again, I feel your reading is overlooking some forward-looking
>> efforts that will be coming into the mainstream. For example, as
>> far as I am aware today, the kernel mode rootkit techniques, i.e.
>> the ones not detectable in running XP systems, that are in use now
>> will not work in Vista. That is not to say that ways will not come
>> about, but only that the playing field is being and will continue to be
>> shifted as a number of efforts, that are underway, mature.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>>
>>
>>
>
>
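Roger's point that a running system cannot be trusted to report on itself, and that offline analysis is still the way to decide whether a machine is clean, is illustrated below with an added example that is not from any poster in this thread. It builds a SHA-256 manifest of a trusted tree (the "known-good" reference) and then compares a second tree, standing in for an offline-mounted disk, against it, reporting files that were added, modified or removed. The function names, the temporary directory layout and the file contents are all constructed for the example; a real check would take the manifest from a trusted image and walk the suspect disk mounted read-only from clean boot media, so no code on the suspect system is executing while it is inspected.

```python
"""Offline integrity check: compare a mounted (not running) filesystem tree
against a known-good hash manifest. Constructed example; paths and file
contents are sample data, not real system files."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Run this against a trusted image, never against the suspect machine."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = hash_file(p)
    return manifest


def compare_tree(root: Path, manifest: dict) -> dict:
    """Classify files under root as added / modified / removed relative to
    the manifest. Because the walk reads the disk directly, a rootkit that
    hides files only from the live OS has nothing to hook here."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in current
                           if k in manifest and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Build a constructed 'known-good' tree, snapshot it, then simulate the
    changes an implant might leave and compare. Returns the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"good kernel code")
        (root / "system32" / "drivers.sys").write_bytes(b"good driver")
        manifest = build_manifest(root)          # trusted baseline

        # Simulated tampering, as it would appear on an offline mount
        (root / "system32" / "kernel.dll").write_bytes(b"patched kernel code")
        (root / "system32" / "extra.sys").write_bytes(b"unexpected driver")
        (root / "system32" / "drivers.sys").unlink()
        return compare_tree(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest must come from media the suspect machine never wrote to; comparing a disk against a manifest generated on that same disk after compromise only confirms the compromise is self-consistent.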