  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| reply to NanDog Re: Microsoft MVP SecuritySummit thread
Well, our time at the Space Needle was great. Two busses took us and our Microsoft hosts there, and we spent an hour on the observation deck up at the top: it was very clear, though I never managed to make it outside to really revel in it.
After an hour we headed back down to dinner, and we had assigned seating. They alternated "MVP" with "Microsoftie", and I sat next to the guy who gave a talk about their vulnerability assessment software. Great group of people.
So I'll try to recap the day. We covered a lot of material, and I wish to be clear that I am not pretending to be the stenographer: I made more notes on things I am interested in, and I certainly will leave things out.
We started out with a talk from Mike Nash, a corporate VP of security, and pretty much at the top of the food chain for this entire group. It wasn't so much technical as it was giving the overview of how Microsoft "gets it" about security. It's fair to take exception with particular products, technologies, or initiatives, but I believe that it's hard to make the case that Microsoft has not gotten religion about security.
Mike recounted a fun story: about two years ago, he and a camera crew went to the Pike Place Market - a place in downtown Seattle - to ask people what they thought about computer security: I thought of it like doing "Jaywalking".
So this was about 9 months after 9/11, and the cops noticed them at work and approached them.
Cop: What are you doing?
Mike: We're doing a video about security.
Cop: No you're not.
So they had to pack up and go elsewhere. It was funny to hear the reactions from two years ago on how people trust their computers, and the best answer was "I don't worry about it, I have a Mac" 
Throughout this post, keep in mind that Microsoft is dealing with an enormous range, from "home users" to "enterprise users": it should not be such a surprise that running 200,000 systems (as one of our MVPs does) brings up issues that home and small business users don't even dream about.
After the Blaster worm, he ended up being the official corporate punching bag, with customers giving him 30-minute rants for 12 hours at a time for several months. I am sure I would not have wanted his job then, and this reinforced something we got at the Global Summit in April: Blaster was a watershed event at Microsoft, doing more than anything else to get them with the program.
One of the real-world issues they have heard about is the firewall before XP/SP2: many have thought that the firewall sucked, having too little configuration granularity, and he relayed a story that exhibited how much of a mess this was.
In the old days, users connecting to the Microsoft network via VPN were required to have the firewall enabled, but those inside the network had to have it disabled so you could get to local resources (fileserver, printers, etc.).
This means that if you're at home and want to print your email, these were your steps:
* enable firewall
* connect VPN
* open email in Outlook
* disconnect VPN
* disable firewall
* print to local printer
* enable firewall
* reconnect VPN
* do more email stuff
This is the kind of lousy real-world user experience that helped inform them on how to do a better job.
Again, Mike was not so much giving tech details as a bigger roadmap, and it was a pretty good message.
Next was a session on Phishing/SPAM/Sender-ID, though we didn't end up getting anything about Phishing (that was covered in a later session). I think we all know how lousy the spam problem is, and he covered the steps that Hotmail is taking to combat spam and how this is being leveraged elsewhere.
There are five broad approaches to cutting down spam:
1) Heuristics: rules of thumb
2) Rules-based: specific keywords ("Make money fast!")
3) Machine learning: Bayesian filtering
4) Signature-based: like A/V, look for known spam
5) Community based: I vote that msg X is spam, it's filtered for you
Hotmail's "SmartScreen" is a combination of several of the above and ends up dumping an astonishing amount of spam every day.
They have a very large number of Hotmail users that have volunteered to help rate email: periodically, they are shown one of their own emails and asked "is this spam?", and the results help inform the global filters.
This really does require large amounts of input, because not everybody calls spam the same thing. That periodic email you get from Amazon.com (that you signed up for!) is not "spam" just because you changed your mind in the same way that "We offer Vi@gra for less" is spam.
Where this gets interesting is in Outlook 2003: the spam filters there will use the SmartScreen filters to help make it better. It will (with permission!) update the filters periodically, and it's gotten really rave reviews.
The user can maintain personal white and black lists, as well as choose to reject (say) email from .ru (Russia) or those with Cyrillic (Russian) character encoding. It's really comprehensive.
Then the discussion of Sender-ID, which is filtering for mailservers and domains. The oversimplified description: if I own unixwiz.net, I can publish - in DNS - the list of IP addresses that are allowed to send email as that domain.
When your mailserver receives email purporting to be from unixwiz.net, it can see if the source IP is on the approved list. There are three cases:
1) unixwiz.net publishes SPF data, IP matches
2) unixwiz.net publishes SPF data, IP does not match
3) unixwiz.net doesn't have any SPF data
Case #1 means "it really is coming from unixwiz.net", and though it doesn't mean "not spam", it does increase accountability in that you can more easily know that the sender is who he says he is.
Case #2 is the easy one: it's spoofed, and should be dumped.
Case #3 means we simply don't know anything about the sender, so we have to go through all the usual checks.
There is a bit more to it than this, of course, but that wasn't where it got heated. It was on licensing.
Microsoft is offering a royalty-free license for this technology, but the terms are such that it requires nearly everybody to get individual licenses with Microsoft. The open-source people have soundly rejected this, and I am pretty much in that camp.
I happen to not be an open-source nutcase (who will find fault with anything Microsoft does), I believe in intellectual property, and generally like Microsoft, but I think they have made an enormous mistake here.
If they are trying to protect some legitimate interest, where not doing so would cost them something big, then I'd be OK with it, but so far nobody has been able to say what interest is being protected. There still may be one (so I have a slightly open mind), but in my book and in that of many, it's just "the same old proprietary Microsoft."
I cannot believe how embarrassingly lame and stupid this is. Oh well, they didn't ask me.
Anyway, the next segment was on the SCW (Security Configuration Wizard) found in Win2003 server SP1, and though I don't do that much with big enterprises, it was well received. The ability to rollback a security policy that (presumably) didn't work got a lot of kind words.
Then vulnerability assessment tools, and it started with the MBSA (Microsoft Baseline Security Analyzer). This runs on your machine and looks for "stuff" that is insecure: missing patches, empty admin password, etc. I am chagrined to say that I have never run it, but CalamityJane raves about it.
One of the problems people run into is that different tools give different answers for what patches are required: Windows Update and MBSA don't agree, so who do you believe? They agreed that this was a mess, and things are in the works to make this problem go away. It's encouraging.
Then we broke for lunch, and I left the conference center to join the printing/imaging team, which was unrelated to any of my Security work.
I missed the first hour of the presentation on IE, but the ~10 minutes I saw seemed like PR and was not that interesting.
Then the session I was looking forward to: Network Access Protection. Enterprise users take note!
The idea is that a network administrator ought to have the right to know the state of every machine on his network, and NAP supports this.
Oversimplified description: if a computer on a network is "unhealthy" (A/V out of date, missing patches, bad security configuration, etc.), it gets a restricted view of the network, with access only to a few machines that let it get fixed (update A/V, get patches, etc.). Only when the machine is healthy is it given full access.
This will be particularly helpful for laptops: the idiot VP of sales gets infected while on the road, but he doesn't get to infect the rest of the company when he goes back to the office.
But this is all about "mechanism", not "policy", so the Microsoft platform only lets the IT admin set the rules for the local network. It seems to me that getting the rules tuned not quite right means that every second Tuesday of the month, everybody gets locked out once the new patches arrive (e.g., everybody is out of date at the same time).
Parts of this are available now with RAS and wireless, but it won't be until Longhorn that this is supported in the big picture.
The guy who was supposed to give this presentation was sick, so we got a business-y guy as a fill-in who had never seen the slides before. I was prepared to be disappointed, but he did an outstanding job. Was completely up to speed on the big picture, never BS'd or spun, just a great save.
More info at »www.microsoft.com/nap
The last presentation was on Spyware, and CalamityJane was totally in her element. The speaker was fantastic even though Microsoft's big picture is not nearly as compelling as we'd like it to be.
He talked about what makes spyware "spyware", and he did a very good job of showing that it's not always so clear-cut how to define things.
If software is changing your computer settings, is it "spyware"? What if it's a tweak-tool that you downloaded so you can fool with your desktop?
If software is secretly monitoring what a user does, is it "spyware"? What if it's parental-control software installed by Mom to watch the kids?
If software makes a modem call to establish an internet connection, is it "spyware"? What if it's "your ISP software" (as opposed to a porn dialer)?
The definition they used was "Programs that perform certain behaviors without appropriate user consent", and he really presented this whole thing well.
Clearly spyware is really bad news, and their crash-reporting data suggests that one third of XP crashes are linked to spyware, and some non-trivial percentage of all support calls are due to this. I'm sure that the OEMs (Dell, HP, etc.) are singing a similar song.
Where the song was not so happy was how to deal with current issues. There are sticky legal issues about Microsoft uninstalling software that might be desired ("Microsoft out to crush iWon.com"), and it really didn't look like there was much beyond XP/SP2.
I believe that XP/SP2 is a huge win, but it's not helping get rid of CoolWebSearch: More than one person whined and begged for help and tools on this. Thankfully, our very own queen of spyware was able to corner some key people and get a useful dialog going. I'm encouraged that she'll get somewhere.
This ended the official part of the day, so we chatted a while with the sponsors of the MVP program, and then headed out to dinner.
They had a lovely open bar, and I ran into the hottie from the Security Response Center (Terri) that I shared dinner with at the Global MVP Summit in April - this was a pleasant surprise. I told her "I called you a hottie on BroadbandReports", and she said "and like 1000 people didn't send me that" 
It was a good, but very long, day, and I'm about ready to crash. We are on the bus tomorrow at 7:15 for another day, and I hope to report again in the evening.
Good night.
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site |
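An added example, not from Steve's post or from any Microsoft or SPF implementation, of the three-case check described in the Sender-ID part of the post. It uses the unixwiz.net domain from the post with a constructed in-memory stand-in for DNS TXT lookups; the addresses and the two other domains are made up, and it also shows the "~all" softfail case, which is the usual reason a non-matching sender is not dropped outright.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (made-up data, not real records).
# unixwiz.net is the domain used in the post; the addresses are documentation
# ranges, and the other two domains are invented for this example.
DNS_TXT = {
    "unixwiz.net": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "nospf.example": ["some unrelated TXT record"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """All v=spf1 TXT records published for a domain (normally zero or one)."""
    return [r for r in DNS_TXT.get(domain, [])
            if r.lower().split()[:1] == ["v=spf1"]]


def check_spf(domain, source_ip):
    """Classify a connection the way the post describes:
    'pass'  - case #1, record published and the source IP matches
    'fail'  - case #2, record published and the source IP is not allowed
    'none'  - case #3, the domain publishes no SPF data at all
    Only the ip4/ip6 mechanisms and the 'all' terminator are evaluated;
    a/mx/include terms are skipped, and '~all' yields 'softfail', not 'fail'.
    """
    records = lookup_spf(domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"      # two SPF records is a configuration error
    ip = ipaddress.ip_address(source_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"          # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue         # malformed network in the record; skip it
            if ip in network:    # False when the IPv4/IPv6 versions differ
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"             # nothing matched and no 'all' terminator
```

As the post notes, a "pass" only means the mail really came from an address the domain authorized; it says nothing about whether it is spam.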
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Steve There are Security MVPs from all over the world here, and most of them despite the jet lag were slugging it out with the rest of us. And once again Microsoft proved they know how to chuck a great little party.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Steve This is a geek festival and the conversation is pretty hard hitting as pretty well everyone here has earned their battle scars and don't pull punches when letting Microsoft know what is working and what isn't. Want to get this crowd frothing at the mouth, try to dazzle them with marketing fluff and they will happily shred any marketing guys. You talk tech and know your stuff or die a horrible death.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Steve So on the bus trip to and from the Space Needle I decided to do a little war driving/busing and get an idea as to how 'open' Seattle was for wireless. I must admit they are certainly better than Calgary as very few wireless systems were in default configuration, not to say they were all locked down, but I would suspect that a system where the SSID has been changed and is still yet open is meant to be open. Tip of the hat to Seattle as they are doing a heck of a lot better than Calgary for example when it comes to wireless awareness.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to Steve Well, I had some great one-on-one chats afterwards with a few MS execs about the "spyware" (hijack) issues and they are not only interested as in *Yeah*, but not only yeah.....but *HELL yeah!*
More to follow when the NDA allows. I like their attitude, and *HELL yeah* they have noticed 
Blake - we gotta get you a decent flash on that digicam.  -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) |
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ | reply to Steve What a neat thread. Not only the information but the photos. Thanks, guys, for sharing with us all. |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to CalamityJane Wear your tinfoil hats when you have din din in the Speakeasy up in that SpaceNeedle..last time I had a late breakfast there..not only got dizzy I lost track of my stool coming back from the powder room.:)
Wireless net to cover downtown Seattle
»seattlepi.nwsource.com/business/···y10.html -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| said by Name Game : I lost track of my stool coming back from the powder room.:) No wonder you looked "flushed"  -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
 B Premium,MVM join:2000-10-28
| said by John2g : said by Name Game : I lost track of my stool coming back from the powder room.:) Please tell us that doesn't mean what it sounds like...
-- B -- In a realm outside causality and function |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
2 edits | said by B : said by John2g : said by Name Game : I lost track of my stool coming back from the powder room.:) Please tell us that doesn't mean what it sounds like... -- B It was just a hair ball " Out of the box " .. but I finally found my bearing rattling around in the SP2 level. They need better IFRAME supports in that tower. Next thing you know it will be natural for everyone to be blowing in the wind.
That first step is a doozie.  -- Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA | reply to B Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it?  -- Regards, Joseph V. Morris |
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| said by jvmorris :Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it? It  -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
1 edit | said by John2g : said by jvmorris :Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it? It I resemble that remark  -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
  gracie Geek Goddess Premium join:2003-07-15 confusion
| reply to Link Logger said by Link Logger : There are at least three DSLReport folks in these pics, can you spot/name them all? duh, they ARE wearing name tags . but this brings up a good point; notice the unbalanced ratio of male/female (making it easy to guess who's Calamity Jane even without the nametag!). i am often the only, or one of few, female attendee at geek fests, particularly in the area of security (my pet interest professionally and personally). sometimes good (oh, yes ), sometimes not so good when i get mistaken for the registration secretary...
have a great time, guys! wish i were there! but ms is pissed i'll bet because i asked "provocative" questions at the last local MS-sponsored SBS 2003 seminar . -- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide |
  dp Go Steelers Premium,MVM join:2000-12-08 Greensburg, PA
·Verizon Online DSL
| reply to jvmorris said by jvmorris :Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it? I just love John's unique sense of humor, this place wouldn't be the same without him Of course, some of his remarks take a lot of deep thought to sink in. Keeps us all sharp.  -- Write your questions down on the back of a $20 dollar bill and send them to me |
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
| said by dp : I just love John's unique sense of humor, this place wouldn't be the same without him  Of course, some of his remarks take a lot of deep thought to sink in. Keeps us all sharp. I agree and love John's humor too. It just kind of grabs you at times and at others...really makes you cock your head and think "did he really say that?". |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to dp Just trying to keep Security very Slurryous..we have a great bunch of folks representing us there at the Summit..they work hard..deserve the break..and I can not think of a better mix to have the wisdom and the tenacity to make their voices heard..they do us all proud. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
  mers2 Premium,MVM join:2004-03-20 USA clubs:
·AT&T U-Verse
| reply to Steve MS is definitely keeping them busy - 7:00am to 10:00pm is a long day. MS picked some very fine people to attend this conference and I hope MS listens and follows through on recommendations made. It sounds like good info being given out by MS as well. Thanks for the pics, Blake. |
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by mers2 :MS is definitely keeping them busy - 7:00am to 10:00pm is a long day. Especially considering all the alcohol served for dinner - it's been quite a chore 
Tonight a whole raft of MVPs are going to a local pool hall for fun and frolic, and MS is providing the bus. It's a smoke-allowed joint, so I won't be going - have to get my booze elsewhere 
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site |
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| said by Steve : said by mers2 :MS is definitely keeping them busy - 7:00am to 10:00pm is a long day. Especially considering all the alcohol served for dinner - it's been quite a chore  Tonight a whole raft of MVPs are going to a local pool hall for fun and frolic, and MS is providing the bus. It's a smoke-allowed joint, so I won't be going - have to get my booze elsewhere  Steve Sounds like the perfect night to check out the hotel lobby bar to see if you can find any gals with a Microsoft tattoo in the non-smoking section. Charge it to Blake's room.  -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |