
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
"SecSummit notes for Wednesday"
We've had a hard time with network access this morning: the wireless didn't work, and - believe it or not - the setup guy didn't leave long enough network cables for Ether. And now we're going through a proxy server, so I can't use ssh to get my mail. Grrr.
Our first speaker was a VP who gave a PR presentation, and already I've typed more information than warranted.
Next was a speaker on Social Engineering, and he was fantastic. He talked about the "Layer 8" problem. The normal network stack has 7 layers (physical, application, etc.) - but layer 8 is the humans.
He talked about how many ways there are to talk your way into a system, and it's clear that I would make a lousy social engineer. The sheer brazenness of the attacks is simply amazing, as is how dumb some people are.
There are essentially no computer systems that don't have human components, and one of them is often the best way past any firewall. The natural desire for most people to be helpful will be the downfall of security, and this suggests (to me) that being a selfish asshole might make you less likely to be a target.
Some tips that will help make social engineering more effective:
•Be professional
•Be calm
•Know your mark
•Do not try to fool a superior scammer
•Plan your escape from the scam
•Use official-looking paperwork (letterhead, etc.)
•Manipulate the less fortunate
•Use a team if necessary
•Be a woman
He made the curious comment, said by Steve Riley:
    "Only amateurs ask for passwords, though this does work sometimes. By building trust, one can often get this information much more reliably and without raising suspicion."
We got a fairly extended version of how to plan an attack, and one of the steps was "Making a site visit", and some tips for this were:
•Blend in, dress appropriately
•Get a fake ID badge (often anything that looks like a badge will work if flashed briefly enough)
•Observe typical entry/exit behavior
•Stride with confidence - look like you belong
•Private offices are best
•Ask low-level employees for information
The latter point is not so much to get the direct "secret stuff" but to get tidbits to leverage better information later (e.g., "I spoke with Wilma in shipping and she said...").
When information gathering, he did touch on the technical ways that many of us do this now: nmap, whois records, websites, etc. He did mention an ICMP-based method for doing OS detection, and part of this was: "There is no good reason to allow ICMP into your network." I'm not sure all of us agreed, but we didn't get a chance to quiz him on it.
He was just a great speaker, very engaging.
A forensics discussion is starting now, which I will report on later.
Edit - Aw crap, "new thread" and not "post reply". Duh. Sorry, my fault.
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site

Steve | "Forensics"
Now a session on Forensics, and he's mainly doing it from an enterprise perspective. He's been with Microsoft for six years, and used to be a Seattle police officer. I'm taking these notes in realtime.
The traditional definition of "Forensics" has been, said by GIAC:
    "The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity."
This is too limited, because it omits things like "network activity" or "PDAs", etc.
And one has to realize the distinction between forensics to a law-enforcement standard and good enough for corporate investigations: it's simply not required for most applications.
So for Microsoft, it seems to be, said by Microsoft:
    "Processes and technologies for investigating potential policy violations involving Microsoft assets."
It's much easier to "fire somebody" than "put them in jail".
One has to pay attention to legal/regulatory regulations on privacy: if one is sniffing the network, one has to be careful that you're not violating local laws.
Forensics is 50% science, 50% art, and there are three programs they run at Microsoft:
1) Host: regular PCs and the like, just like what you think. It's mainly focused on hardware.
2) Network: Looks to me like IDS, and focused on software
3) Devices: USB keys, phones, PDAs.
Host forensics: storage keeps going up, which makes things harder and harder to analyze. For small drives one could consider "looking at every file by hand", but when drives hold 400G, this gets a little out of hand. It's getting harder and harder to find hidden information, but it is driving better tools. The really good forensics tools are expensive - thousands of dollars.
One MVP asked "Why doesn't Microsoft have a forensic toolkit?", and the answer was good: Microsoft's goal is to protect customer data, but a forensics tool would make it easier to get into that protected data. "We don't want to make hacking tools".
It was pointed out that "forensics" is not that different from "data recovery", though the latter is more about acts of God (drive doesn't spin up) rather than malicious activity (finding the file of stolen credit card numbers). Sometimes the lines are pretty blurry.
Network forensics is where they spend more time, and this is not that big of a surprise (to me, at least). There are a handful of "security event streams", and these are things like "IDS logs", "proxy logs", "FTP logs", etc., and look for patterns and policy violations. These take up an enormous amount of storage space.
With hardware, stuff is left around after "the incident", so you can investigate after the fact, but with network forensics, it's really not possible to do after the fact unless you're capturing stuff in real time. This means that they are also the IDS people.
Major challenge: put together evidence and data sufficient so that HR people (and/or lawyers) can understand it.
The cost/benefit analysis for how much data you keep is a hard one, based on not only regulatory (how long are you legally allowed to keep something?), but on how much space is required to store the data. Some streams are huge (say, 300G/day), so they have to look back and see what the lookback time has been: if 90% of the previous cases needed only a week, they may choose to forego 10% so they don't have to fill a building with hard drives.
Device forensics is the most challenging area: "How do you do forensics on a Palmpilot or a phone?" Very large variation in devices, sometimes you know very little about them.
Important: Focus on protecting the company first, then law enforcement second. This means that in an emergency, one might need to walk on top of evidence (say, accessing a file, which resets the access time) rather than take the time to image the drive to preserve the forensic trail.
Forensics is getting harder, and not just because the size of the data. It's difficult to find qualified people that can do both the strictly technical work, plus the law-enforcement type investigative work. Complexity is simply rising at a rapid rate, and complexity makes everything harder to decode. Encryption is not helping, and multi-tiered enterprise applications are particularly difficult.
In terms of how employee machines are compromised: "There's nothing worse for a laptop than to allow your teenager to use it."
He said that the future will see "pre-forensic monitoring", which means capturing authentication tokens and the like directly on the desktops. Once these agents have been installed, then the forensic data itself could become a target. I am fuzzy on just what he meant, but I'll note that this only applies to systems under their control: this is not talking about stuff that may appear in Windows as a whole (!).
Microsoft as a company is getting competing requests from end users. Said by customers:
    "We want our data to be more secure."
Said by forensics people:
    "We want better tools for forensics."
Generally, these are at odds with each other, and the "we want to be secure" will usually win. Clearly, third-party companies are not making this same value judgement.
This was a good talk: time for lunch.
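A small illustration of the "walk on top of evidence" point above, added here as an example and not part of the original post or the session: reading a file for triage can update its last-access time, so if you must touch a live system before imaging, record the timestamps first and put them back. Python, assuming a POSIX-style filesystem; the sample file, its contents and the OLD_NS timestamp are constructed for the example, and the function names are mine.

```python
import os
import tempfile


def snapshot_times(path):
    """Return (atime_ns, mtime_ns) for path, as the evidence currently stands."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns)


def naive_read(path):
    """The 'walk on top of evidence' case: just open and read the file.
    Depending on mount options (strictatime vs relatime vs noatime) the read
    may or may not bump atime; returns (data, times_before, times_after)."""
    before = snapshot_times(path)
    with open(path, "rb") as f:
        data = f.read()
    return data, before, snapshot_times(path)


def read_preserving_atime(path):
    """Read the file for triage, then put atime/mtime back to what we found.
    This keeps the access timestamps as they were, but it is not a substitute
    for imaging first: utime() itself updates the inode change time (ctime)."""
    before = snapshot_times(path)
    with open(path, "rb") as f:
        data = f.read()
    os.utime(path, ns=before)
    return data, before, snapshot_times(path)


# Constructed timestamp for the sample file: 2001-09-09 01:46:40 UTC,
# chosen so that any change on read is obvious. Not from the original post.
OLD_NS = 1_000_000_000 * 10**9


def demo():
    """Build a constructed sample 'evidence' file, read it the careful way and
    return (data, times_before, times_after) so the result can be checked."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"card numbers go here\n")  # constructed content
        path = f.name
    os.utime(path, ns=(OLD_NS, OLD_NS))
    try:
        return read_preserving_atime(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    data, before, after = demo()
    print("atime preserved:", before == after)
```

Two caveats a practitioner would want here: on Linux, restoring atime with utime() bumps ctime, so the restore is itself visible to a later examiner, and on most Windows systems last-access updates are disabled by default anyway. Either way the clean answer is the one the speaker gave: image first when you can, and when you cannot, write down exactly what you touched.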
Steve | reply to Steve "Windows -vs- Linux security"
This was an ad-hoc presentation largely to highlight how much more secure Windows is than Linux, and I think that comparing the # of bulletins is really irrelevant: "I read bulletins, not count them". I'll note that I have been wearing my "tux" lapel pin all week.
Any way he shuffled the data, it showed that Windows Server 2003 compared favorably (generally quite dramatically so). I'll note that Windows Server 2003 with IIS 6 is really an excellent combination, and it's nothing like the insecure piece of crap like Win2000 server + IIS5.
There are so many ways to cut and slice the data that it's very hard to make blanket "A is better than B" statements. How many of these issues could have been mitigated by best practices in advance?
Item: If your firewall blocks SQL traffic at the network border (which it should), you don't care so much about MS-SQL or mySQL network vulnerabilities.
Item: If you have configured your server to disable aspects that you do not have, you don't care so much whether those disabled elements have problems.
The big scary thing is the item that you cannot protect yourself against even if you're paying attention. I don't know how many of those are found in the Linux packages, but I ought to look.
My gut is that the open source solutions give an edge to a ultra-technical user (like me) who builds things at the source level rather than waiting for RedHat to package the fixes two months later in an RPM.
Win2003 is good enough that you're not going to really pick one or the other strictly on security: there are other issues that are much more important:
•skillset of staff
•application(s) you're running
•enterprise management issues
Microsoft is the king of the latter issue, and I think they're only going to get better.
I will be digging into this in more detail to see what shakes out, but the presentation really didn't sit well with me because it ignored issues that I think are important.

Steve | reply to Steve "MSRC/PSS Security"
This was mainly about the internal organization of how Microsoft responds to security events (done by the Microsoft Security Response Center, the MSRC), and how customers are supported.
The first presenter was Stephen Toulouse ("stepto"), who we've seen several times, and he was talking about how they respond to an issue. They staff the "secure at microsoft.com" mailbox 24x7, and they get all manner of email: vulnerability reports, support questions, spam, etc.
When they get an email that's reporting what appears to be something important, they have a 24-hour response commitment to the finder (I know firsthand that they really do). They triage the item, and if it means a change in the code, they jump right on that.
So far, this is the easy part: Then there's testing.
When there is something in Internet Explorer, they have to test on all platforms in all local languages, and this means something on the order of 400 different patches to test. They have to test not only "does the patch fix the bug?", but "does the patch break other things?", and that includes "does Amazon.com still work?" and the like. This must be an awful process even before you multiply it by 400.
And if something shows up in testing, it starts all over again. Ugh, what a horrible process to have to go through: it kinda militates towards "not shipping the bugs in the first place", I'd expect.
They're trying very hard to encourage "responsible disclosure": people who report things confidentially to Microsoft are eligible for credit in the bulletins, and those who go public first are not. They have said over and over that their goal is "protect customers", so discouraging the release of details before a patch is high on their list.
They do enter into dialog with the finder, with progress reports and the like, perhaps asking for clarification. By making the finder feel like part of the process, they probably reduce the chance of him/her going public early because Microsoft was a black hole.
I would imagine that even the "responsible disclosers" are sometimes jerks, and that they probably have privately uncharitable thoughts about them, but it doesn't seem like any of that matters in any official way.
When a real issue arrives, one person is the point man for that item, from coordinating reproduction to code fix to testing to writing the bulletins to patch release. This lets one person really get his arms around the issue and take the bullets for it.
During the whole process for a non-public vulnerability (and while things are being fixed/tested), they do make some informal assessments on "What happens if an exploit emerges before the patch is ready?", and sometimes they think about how they could accelerate release in an emergency. It's gotta be a hard balance on "get the patch out" versus "get the patch right".
The next speaker in this segment was from PSS (Product Support Services) Security which is responsible for taking care of customers who have security issues. The PSS has more of a customer focus, compared with the product focus of MSRC.
The PSS security group answers the 866-PC-SAFETY phone number to do (among other things) "really hard ugly spyware cleanup". For free. And you don't have to follow these steps first 
To summarize:
"I found a new bug"... MSRC (secure@microsoft.com)
"I've been hacked!"... PSS Security (866-PC-SAFETY)
Steve
P.S. - But I still prefer to get my support from CalamityJane.

Steve | reply to Steve "Malware Discussion"
The last session of the day was a panel discussion on malware, and one of the panelists gave a fantastic talk on rootkits at the Global MVP Summit in April, and another fellow who used to be at Bell Labs some time ago. The whole group had a very deep and diverse background.
As an aside: a "rootkit" is a bit of software that compromises the kernel, so even things like "getting a file listing" can be intercepted, and badware files omitted. Once a rootkit is on a machine, you simply cannot trust anything the operating system tells you.
One of the engineers said that he encourages everybody to run as a non-admin account, but he didn't think he would really get very far until he got his wife and younger child to run OK in a non-admin account. He even got his teenaged son to do this successfully after some reluctance.
But then dad asked the son to switch back to admin account so the computer would get infected for research purposes: son got infected with very nasty spyware within 24 hours and asked for his non-admin account back. Applause erupted 
--
It was commented that many viruses are very badly written from a programming point of view: but what happens when they get skillful about it? Will the entrance of "commerce" into the mix drive better malware authorship?
--
If you're an administrator and you click "OK" on that malware containing a rootkit, you're saying (said by you):
    "Yes, go ahead and replace my operating system."
This seems like a bad idea.
--
It appears that there is an ongoing discussion inside of Microsoft on which kinds of tools to offer:
1) systemic tools that the masses can use without much assistance
2) specialized tools the experts use to help the masses
It's widely seen as an astonishingly difficult job to make an end-user tool: "Click here to clean the machine". Even if you discount the pure technical issues involved in really hard cases, there are the legal issues about disabling third-party software, false positives, and naive removal procedures that end up hosing the machine.
Some proposed starting with the expert-level tools, such as what CalamityJane might use to help a user, and slowly refine and automate to bring down to a user level (at least for some subset of badware).
It was obvious that CoolWebSearch is broadly seen as the benchmark for "really awful pain in the ass software", and I don't even remember a second place.
A topic of discussion was how to deal with encapsulated protocols, such as "RPC over HTTP" and "anything over SSL": these end up getting around firewalls (the former) and IDS (the latter): how do we deal with this?
One answer: "we shouldn't be doing those things".
I've always thought that RPC over HTTP was the "firewall rule circumvention protocol", and it makes the corporate security people crazy. In the old days, port 80 was used just for "regular web traffic", but now you can run IM and tons of other things over it. So much for "network administrators defining allowed software on their networks".
Several MVPs asked for a single tool that profiles an application to see what registry/file operations it's performing so that we can configure it to run as a non-admin user. Right now, we typically use FileMon and RegMon to watch an application, and we can see which resources it trips over, but this is tedious to coordinate.
If we find that a certain registry key needs to be written to, simply opening the permissions on that single key may allow the application to run in a limited-user account. Hopefully, we then report to the vendor so they fix their own code. We'd like a tool that makes this easier for us. Nobody wants to wait for Longhorn.
As an aside: "Wait for Longhorn" was a kind of long-running joke: it's been "years away" for years, and it doesn't seem like it's ever going to happen. Said by an MVP:
    "I'm going to have grandchildren before Longhorn comes out, and I'm not even married yet."
This session was just a bit too rushed, so it felt a little strained.
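As an added example (not from the session or the original post) of what "anything over port 80" does to port-based filtering: a first-bytes classifier that checks whether a flow on TCP/80 actually opens like an HTTP request, and flags TLS handshakes, SSH banners, raw binary, and the RPC_IN_DATA/RPC_OUT_DATA request verbs that Microsoft's RPC over HTTP uses. Python; the sample flows below are constructed, and the function names are mine.

```python
# Constructed sample "first bytes" of flows seen on TCP/80, as a capture tool
# would hand them to a detector. Assumed data, not taken from the page.
SAMPLE_FLOWS = {
    "plain web": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "rpc over http": (b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\n"
                      b"Host: mail.example.com\r\n\r\n"),
    # TLS record header (handshake, version 3.1) followed by a ClientHello stub
    "tls on 80": bytes.fromhex("160301") + b"\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32,
    "ssh on 80": b"SSH-2.0-OpenSSH_9.6\r\n",
    "raw binary": bytes(range(0, 40)),
}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT", b"TRACE"}
RPC_OVER_HTTP_METHODS = {b"RPC_IN_DATA", b"RPC_OUT_DATA"}


def classify(first_bytes: bytes) -> str:
    """Coarse label for what protocol the opening bytes of a flow look like."""
    # A TLS record starts with content type 0x16 (handshake) and major version 3.
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return "tls-handshake"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # HTTP/1.x: "<METHOD> <target> HTTP/<ver>\r\n" as the first line.
    line, sep, _ = first_bytes.partition(b"\r\n")
    if sep:
        parts = line.split(b" ")
        if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
            if parts[0] in RPC_OVER_HTTP_METHODS:
                return "rpc-over-http"
            if parts[0] in HTTP_METHODS:
                return "http"
    return "unknown"


def port80_alerts(flows, allow_rpc_over_http=False):
    """Return (name, label) for every flow that is not ordinary HTTP.
    RPC over HTTP is reported unless policy explicitly permits it."""
    alerts = []
    for name, payload in flows.items():
        label = classify(payload)
        if label == "http":
            continue
        if label == "rpc-over-http" and allow_rpc_over_http:
            continue
        alerts.append((name, label))
    return alerts


if __name__ == "__main__":
    for name, label in port80_alerts(SAMPLE_FLOWS):
        print(f"port 80 flow {name!r} does not look like plain HTTP: {label}")
```

This catches the tunnels that do not even pretend to be HTTP; it does nothing for a tunnel that is syntactically valid HTTP (CONNECT, a legitimate-looking POST carrying something else, or anything inside TLS once the handshake is over), which is exactly why the panel's first answer was "we shouldn't be doing those things" rather than "buy a better IDS".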
Link Logger (Calgary, AB) | reply to Steve "Re: SecSummit notes for Wednesday"
Today was another great day and we got down and dirty on hackers, social engineering, technology and such. It started a little weird this morning as I missed the bus (my sheet said the bus was to leave at 7:30 am) and ended up on a bus full of rocket scientists (I'm not kidding), and ended up at a different building on the other side of the campus (which I discovered is rather huge). After stealing a bus and going on a complete tour of the Microsoft campus (you would think a company as smart as Microsoft would actually have a numbering scheme for their buildings rather than just plain old random numbering, as there are a LOT of buildings on the campus) I arrived a couple of minutes late for the first presentation (do you know how hard it is to U-turn a bus on a narrow tree-lined road?). Of course the morning's adventure put me in a black hat kind of mood, which worked out great for the day's topics (rooting an OS is like rooting a bus, right?) as I was able to get totally into the topics of bad guys and what they do and how, and ultimately what we can do to screw up their day.
It became very apparent today that Microsoft is evolving and this isn't the same company that built Windows 98 or NT, but is building a whole new system called Longhorn complete with a total rethink of what an OS is and what it does and how users interact with it and how it reacts and responds to different environments and threats. This type of evolution doesn't happen overnight so we have no choice but to wait for the final result (they are not even sure what it will look like when it's done). That said however, Microsoft isn't going dark in a cocoon for a couple of years and does have plans, projects and products on their way to consumers, but the evolution is happening.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

Owlbet (Palmer, AK) | reply to Steve
Steve & Link Logger:
Thanks much for the nice write-ups these past few days. Good job to you both. -- Rocky is, was, and always will be Dawg E. Dawg.

NanDog (Tacoma, WA) | reply to Steve
Yes, what Owlbet said! I've very much enjoyed these "up close and personal" reports of all you BBR/DSLR folks (not to mention Blake's pics!). Muchas Gracias!

jig (Hacienda Heights, CA) | reply to Owlbet
Thirded.

Daniel (Pleasanton, CA) | reply to Steve
Steve, I like your analysis of Server 2003/IIS6 vs. Linux/Apache being based on Enterprise Management. This is very true. I am seeing more and more that this is the only place Windows has a major advantage. The Windows 2000/XP and Active Directory (Group Policy) combo just can't be beat. And until it has an equal in the Linux world, any security benefits in Linux aren't going to matter much on a large scale.
So the question really becomes one of timing: "Can Microsoft improve their security and licensing situation before Linux can become more usable for enterprises?"
If the answer is yes, Linux is going to have a long fight. If the answer is no, Microsoft is going to have to get into pharmaceuticals. -- cat knowledge | grep understanding

psloss (Alpharetta, GA) | reply to Steve
Thanks for all the information, Steve -- it's interesting to hear some of that perspective. I hope the MVPs got a reasonably equivalent chance to let that Microsoft group know where you're coming from.
Are they going to do a "where do we (meaning the MVP summit) go from here" bit?
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

Steve | It is very, very clear that Microsoft wants to know where we are coming from, and their people are pulling one or two of us aside now and then to pick our brains.
The single clear focus is "we want our customers to be secure", and though at some senior level it might be seen by the cynical as "the company PR line", everybody that we have dealt with at our level has really, really meant it.
I have a bit more to say about this, but I need to get going. Last night the cool people among us (which excludes me) went to this bar/pool hall with a raft of Microsoft people, and I have to find out who this "Noreen" person is that has been bantered around on one of the mailing lists by those who were there.
More later.
psloss | said by Steve:
    "The single clear focus is "we want our customers to be secure", and though at some senior level it might be seen by the cynical as "the company PR line", everybody that we have dealt with at our level has really, really meant it."
Hi Steve,
I guess I want to be cynical about this up to a point, because I do appreciate that Microsoft is sincere, but I'm more curious about what Microsoft wants for its already-infected customers -- many of whom exist entirely outside an enterprise environment. What do they propose doing for them?
The problem I see for Microsoft is that it might make zero business sense for them to get involved in cleanup when I assume that getting Longhorn released is a really big deal for them.
Steve | said by psloss:
    "I guess I want to be cynical about this up to a point, because I do appreciate that Microsoft is sincere, but I'm more curious about what Microsoft wants for its already-infected customers -- many of whom exist entirely outside an enterprise environment. What do they propose doing for them?"
I think that the whole "company line" on spyware is really unsatisfying. Microsoft clearly knows that this is a problem (though that didn't stop us from reminding them once or twice), and their "we're looking at it" really felt like the "B" answer.
Part of the difficulty (other than the usual "they're Microsoft") is the legal climate for messing with software that is one one-hundred point oh percent badware. If there is even 1% of "valid purpose" for some piece of crap that we would all terminate without prejudice, they face all kinds of repercussions that we don't have to think about.
Microsoft has a lot of lawyers, and the only reason we didn't meet any is that there were no rocks lying around.
Said by psloss:
    "The problem I see for Microsoft is that it might make zero business sense for them to get involved in cleanup when I assume that getting Longhorn released is a really big deal for them."
Well, the XP/SP2 experience belies that notion. They spent hundreds of millions of dollars and pushed back Longhorn in order to get Service Pack 2 out the door, and this was a non-revenue upgrade.
I don't think even the most serious critic of Microsoft could say that SP2 wasn't a good thing, and I believe it's unlikely that Microsoft will sit on its hands until Longhorn is shipped.
Link Logger | reply to psloss, said by psloss:
    "I guess I want to be cynical about this up to a point, because I do appreciate that Microsoft is sincere, but I'm more curious about what Microsoft wants for its already-infected customers -- many of whom exist entirely outside an enterprise environment. What do they propose doing for them?"
Based on what we have seen delivered after our meeting with Microsoft back in April, they did come through on their promises back then, which of course means we tend to believe the things that they said they would deliver at this meeting. Microsoft hears from their consumer users and it costs them money to man the help desk and such. They look at the crashes reported to Microsoft and know that malware is responsible for a lot of the crashes their consumers see and view that as a blemish on the 'user experience' their consumers have, so yes they are concerned about existing 'infection'.
So I guess my questions would be: why isn't this an area being handled by third parties, or at least an area being handled well by third parties, and what would happen if Microsoft entered this market space or did something to directly impact this market space? Also I must admit that I'm happy to live in Canada where at least a little common sense exists in our judicial courts (but it is eroding quickly I'm afraid), as some of the cases seen in the US over the last couple of years in this area have been nothing short of stupid, so there are legal outs for some adware/spyware companies based in the US.
I would tend to agree that having the company who builds the OS handle attacks against it would be the best solution, as they do have lots and lots of expertise, and frankly far more than any third party company.
edit -> correct the quote blocks
Blake

psloss | reply to Steve, said by Steve:
    "Part of the difficulty (other than the usual "they're Microsoft") is the legal climate for messing with software that is one one-hundred point oh percent badware. If there is even 1% of "valid purpose" for some piece of crap that we would all terminate without prejudice, they face all kinds of repercussions that we don't have to think about."
Yeah, and I think Microsoft is basically in a no-win situation; there are downsides to any action they might take in the area of malware cleanup, including inaction.
But I don't know that I'd want to emphasize the inaction, if that's in fact the best choice they have. From my own morale standpoint, I'd rather not be reminded that Microsoft can't help us in this area, even if logically I think I understand why.
Said by Steve:
    "Well, the XP/SP2 experience belies that notion. They spent hundreds of millions of dollars and pushed back Longhorn in order to get Service Pack 2 out the door, and this was a non-revenue upgrade. I don't think even the most serious critic of Microsoft could say that SP2 wasn't a good thing, and I believe it's unlikely that Microsoft will sit on its hands until Longhorn is shipped."
Good point, but I also believe that the SP2 changes are based on the assumption that the underlying install is good -- i.e., uncompromised.
Given that assumption, meticulously applied security practices and common sense can keep non-SP2 systems clean; failing that, help from third party software will also work. But, largely speaking, that's just not the way that consumers run Windows. And since most run as admin, they are a double-click or two away from giving away their system to the bad guys. (With or without SP2's enhancements, which an admin can turn off.)
I still think that going beyond the SP2 changes will be much tougher than the "step" that was taken going from XP to XP SP2. Not so much the internal, technical design changes as getting Microsoft's customers -- figuratively, "everyone" -- to adopt those changes. SP2 broke some software, but if Longhorn breaks a lot of software, I'll be curious to see whether smaller vendors with "legacy" software will support it. (It's tough enough to get some vendors to fix defects that are largely unrelated to Windows.)
I dunno...maybe it's just that it's hard for me to be enthusiastic about Microsoft's commitment, since I believe it's essentially impossible for them to be fully committed to dealing with the really messy stuff, despite how central their software is to the situation.
Link Logger | said by psloss:
    "But I don't know that I'd want to emphasize the inaction, if that's in fact the best choice they have. From my own morale standpoint, I'd rather not be reminded that Microsoft can't help us in this area, even if logically I think I understand why."
Microsoft is doing something about it; for example, we have seen Microsoft going after spammers and such in court, they are also working on changing the legal issues with governments and working with law enforcement to capture those responsible, and so much more and then some.
Yes it is a very difficult situation to deal with, but Microsoft is a very smart bunch of people and they are working on all sorts of ideas, and in some cases it's a matter of laying down the ground work before the idea can be implemented. One of the things which was interesting was how many Intrusion/Infection Analysis cases they do, as they are looking at how people get malware on systems or hide it on systems, and all that information is being collected and analyzed and ideas and plans thought of.
I left Redmond thinking life for hackers isn't going to get any easier (alas, the social engineering aspects are certainly going to increase, as fixing gullible people is perhaps more than what can be expected of Microsoft), so I feel very comfortable with my choice of Windows as an OS from a security perspective.
Blake

Khaine (Australia) | reply to Steve
Wow, just wow.
I hope that someday I will be able to go to these summits, as these talks sound great

Thanks for informing us of what's going on.
Don't have too much fun.

psloss | reply to Link Logger, said by Link Logger:
    "Microsoft is doing something about it; for example, we have seen Microsoft going after spammers and such in court, they are also working on changing the legal issues with governments and working with law enforcement to capture those responsible, and so much more and then some."
Hi Blake,
In this case, the "it" I was referring to was helping consumers clean up their infected computers.
The more law enforcement resources that Microsoft can put on prosecution, the better, but even with some bad guys in custody, the crap they left behind on thousands of computers can still be used by others.
Helping people clean up their computers is incredibly time consuming, so I believe I understand why there are so few people like Calamity Jane (thankfully, though, there are); however, if Microsoft expressed an interest in getting involved, I would have rather greater expectations about what they could potentially do versus spyware fighters groups like SpywareInfo or CastleCops.
But I don't know that cleaning up systems is predominantly an issue of intelligence so much as it is commitment of resources. And the duration of time that spyware fighters have been cleaning up infected computers has already surpassed Microsoft's refocused SP2 effort, which I assume to be largely complete.
Steve | I think Microsoft is going to do something - I just don't know what that is yet. It seems like SP2 is helping a lot, making it easier to avoid getting infected in the first place, but I'd be surprised if Microsoft didn't come out with some pretty good tools that address this.
Someday.
Edit - I don't want to be too flippant about this: there was a lot of discussion on this, and the MS Research people have quite a few approaches in mind for dealing with this, but it's not even clear what "we" want.
Do we want more specialized tools that spyware experts can use to help the masses, or do we want a "click here to get rid of all your spyware" end user tool? The former seems a lot easier than the latter.
There was a widespread desire for a CoolWebSearch tool, though it seems to me that this is a bit too "tactical" and not enough "strategic".
Thankfully, they hooked up with CalamityJane to find out what's really required, and that will certainly help guide their direction.
Steve