Last week at the RSA conference in soggy California, Microsoft presented the most comprehensive plan I've ever seen to address a security problem. Granted, they currently have massive exposure, but it caused me to wonder what would happen if everyone followed their lead and focused on the human aspects of the problem rather than just the technical. From the Linux folks out there, I can hear the resounding "No" with regard to following Microsoft's lead in anything, but for those who at least think they have an open mind, let's explore this idea.
First off I would like to say that I do NOT usually get involved in flame wars, but this begs for a reply. Yes, the most common "exploit", as you call it here, is the user. "My virus scanner, firewall, whatever will catch it": how often I've heard that phrase is second only to "but I don't give anybody else my password". The problem here, and dare to deny it, is that when your system treats you like, and assumes you are, an idiot... you are most likely to remain just that. Yes, it is very possible that Linux developers, just as Windows developers, can write insecure code. The difference, however, is that open code can be more quickly fixed. How many users out there gleefully set their passwords to "12345678" etc.? Would it not be possible, as it is on Linux, to check a password list for the password chosen, and reject it if found in that list? But then that would, of course, reduce user-friendliness.
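A concrete form of the denylist check the poster describes, written here as an added example (not the poster's code, and not the dictionary check that pam_cracklib performs on Linux). The denylist is a constructed sample; a real deployment would load a breached-password corpus. Beyond a plain lookup, the example also catches trivial mutations (trailing digits, leetspeak) that wordlist-based guessing handles anyway, which is why NIST SP 800-63B recommends comparing against known-compromised passwords rather than relying on composition rules:

```python
import re

# Constructed sample denylist for the example. A real deployment loads a
# breached-password corpus (tens of millions of entries) into a set or a bloom filter.
DENYLIST = {"12345678", "password", "qwerty", "letmein", "iloveyou", "admin"}

# Common character substitutions attackers already try; mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate):
    """Reduce a candidate to the base word a cracking wordlist would contain.

    Order matters: strip leading/trailing digits and symbols first (so the
    trailing '1' in 'password1!' is not mistaken for leetspeak), then undo
    substitutions inside the word. This is a heuristic, not a full rule engine.
    """
    base = candidate.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET)


def check_password(candidate, denylist=DENYLIST, min_length=8):
    """Return (accepted, reason). Rejects short, denylisted, and trivially
    mutated denylisted passwords; everything else is accepted."""
    if len(candidate) < min_length:
        return False, "too short"
    if candidate.lower() in denylist:
        return False, "in denylist"
    if normalize(candidate) in denylist:
        return False, "trivial variant of a denylisted password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("12345678", "P@ssw0rd!", "iloveyou2024", "short",
               "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw))
```

The first two checks are what the poster asks for; the third is the practical reason a bare list lookup is not enough, since "P@ssw0rd!" passes any simple lookup and most composition rules while being one of the first guesses any cracker makes.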
First: Analogies like having a house in downtown Baghdad versus having one in an Amish community, or whether to use troops to protect a mythical city versus wizards, do not tell anyone anything. They are simply stupid. It's a way of writing a lot and saying nothing. It's easy to hide behind vast generalities, especially when they are silly generalities.
Second: So the writer points out that viruses and worms use social engineering as well as technical engineering. Really!!!???? No kidding!!!??? Why, I would never have known this if Microsoft had not pointed it out!!!! But seriously now, everyone knows this and has known it for a long time. I don't need Microsoft to point it out for me. Microsoft is blaming everyone else for its very own failures. That is typical of Microsoft and their mouthpieces (of which this writer is one). No kidding we need to better educate computer users. No kidding we need to enact better legislation against spammers, hackers, etc. We also need to WRITE SECURE CODE!!! My company goes to great lengths to ensure we understand proper security procedures and implement them. My company has been doing that for years before Microsoft made its presentation. My company NEEDS more secure products from Microsoft.
Sorry, but it is ridiculous to try to put this all on the end user... of course it is also ridiculous that Microsoft writes code that is so easily breached. Probably even more ridiculous that writers like this one defend lousy code!
Before weighing the merits of this article, one should consider the fact that Rant for Rent Rob is a paid PR flack for Microsoft.
It's official! Follow the link below:
'Editor's note: Microsoft Corp. is a client of the Enderle Group, the consulting firm headed by Rob Enderle.'
Need I say more?
OK, first and foremost, I disagree that MS shouldn't just focus on the technical aspects of security. They write software and as such should take responsibility for their shortcomings. I DO agree that this is not an MS-centered problem and will probably always plague all software writers. However, known problems need to be fixed and fixed properly. No more buggy patches and no more excuses about it being the end user's fault.
Yes, end users need to be educated about their actions but other precautions need to be in place since it's impractical to turn every computer user into a security expert.
What if MS did get it right? Great! We'd all benefit if they came up with some new (and SIMPLE) ideas on how to help tackle security. I wouldn't go out and buy their products since they don't seem to suit my taste, but I wouldn't shun them just for getting it right. Especially if they let others use their ideas.
You noted that Linux could have an e-mail worm that could be made to spread by social engineering, like Windows worms, and that is a human problem, not technical.
I don't dispute the possibility, but note that Linux *already* effectively has safeguards that seriously slow down the spread of such worms: To execute an attachment, a Linux user must save it to a file, then set a protection bit marking it executable, then run it from the saved location. Three steps, and at least the middle one is not a one-click operation (at least not in any Linux installation I have seen).
By contrast, running an e-mail attachment in Windows is typically one or two mouse clicks away. This explains why these social engineering worms can spread faster than countermeasures against them can be mounted.
As long as no popular Linux e-mail client makes misguided extensions to simplify running attachments, I think we are safe. And by now the people writing such programs are aware of Microsoft's mistake and know to avoid it.
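The three-step sequence the commenter describes, walked through as an added example (not the commenter's code): save the attachment, observe that a direct execution is refused, set the execute bit, and run it. The "attachment" is a constructed harmless shell script. The example also shows the caveat a practitioner would raise: the execute bit only guards direct execution; handing the same file to an interpreter (`sh file`) runs it regardless, so the protection depends on the mail client not doing that on the user's behalf.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed "attachment": a harmless script standing in for an e-mailed payload.
ATTACHMENT_NAME = "funny_picture.sh"
ATTACHMENT_BODY = "#!/bin/sh\necho 'payload ran'\n"


def save_attachment(directory, name, body):
    """Step 1: write the attachment to disk. A plain file create yields
    0666 & ~umask, which never includes an execute bit."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def is_executable(path):
    """What a file manager or shell checks before offering to run a file."""
    return os.access(path, os.X_OK)


def run_directly(path):
    """Step 3: execute the file by path, as a double-click would.
    The kernel answers EACCES when no execute bit is set; Python raises PermissionError."""
    try:
        proc = subprocess.run([path], capture_output=True, text=True, timeout=10)
    except PermissionError:
        return "refused"
    return "ran" if proc.returncode == 0 and "payload ran" in proc.stdout else "refused"


def run_via_interpreter(path):
    """Caveat: passing the file to an interpreter bypasses the execute bit entirely."""
    proc = subprocess.run(["/bin/sh", path], capture_output=True, text=True, timeout=10)
    return "ran" if "payload ran" in proc.stdout else "refused"


def mark_executable(path):
    """Step 2: the explicit chmod the commenter describes (user bit only)."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def demo():
    """Run the sequence in a scratch directory; returns the outcome of each attempt."""
    workdir = tempfile.mkdtemp(prefix="attach_", dir=os.getcwd())
    try:
        path = save_attachment(workdir, ATTACHMENT_NAME, ATTACHMENT_BODY)
        result = {
            "executable_after_save": is_executable(path),
            "direct_run_before_chmod": run_directly(path),
            "interpreter_run_before_chmod": run_via_interpreter(path),
        }
        mark_executable(path)
        result["executable_after_chmod"] = is_executable(path)
        result["direct_run_after_chmod"] = run_directly(path)
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Run on a Linux or other POSIX host with a writable, non-noexec working directory. The "interpreter_run_before_chmod" outcome is the one worth remembering: a client that opens `.sh` or `.py` attachments with their interpreter rather than executing them directly has quietly removed the middle step the commenter relies on.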
Easy. Vendors worldwide would receive a rush order for a few billion pairs of ice skates. Btw, many have noticed that a) "The Enderle Group" seems to consist entirely of... Rob Enderle, b) the majority of his published work seems to be either gushing PR-bunny fluff or Pavlovian attack-dog pieces, and c) far too many of his stated-as-gospel "facts" have been easily proven false with a simple Google search. He is thus generally considered to have negative credibility, though sometimes worth reading for the comic relief provided by his stereotypically blatantly ignorant sycophant persona. Some seem to believe this (comedy) is his true goal.
"The exploit being used against the Windows platform most often is not technical."
Mr. Enderle: an "exploit" (which is a word Microsoft has avoided like the plague) is a security flaw that allows privilege escalation WITHOUT user interface. This means that no user has to click OK or execute the program; he just has to have his computer ON. These are things like buffer overflows that allow arbitrary command execution.
If you are talking about the latest viruses that people have to download and execute, then they are NOT security flaws; they are simply malicious applications that users CHOOSE to download and run, to their own personal detriment. They might as well be downloading little desktop-traversing animals to amuse themselves.
To say that Microsoft doesn't have an abundance of exploits (keyword: exploits) is ludicrous, and requires NO further explanation.
And you would think that a professional columnist would have enough sense NOT to take sides (and bash the opposition) in the linux vs windows war.
Perhaps in the future you should take more time on security pages and forums and less time at dictionary.com
Ah, so what you object to is the notion that “People are flawed” and can be exploited. I think you’ll find that this word was used long before there were computers. I used the word correctly in context, but it did require some thought. Something that appears beyond you at the moment, perhaps if you take a breath you’ll find that this piece had little to do with platforms at all.
The purpose of this piece was to suggest that some of what Microsoft was doing would benefit, in many ways, all of us regardless of platform and that maybe that kind of behavior should be emulated and encouraged. Clearly you still want to have a war. I’d hoped to reposition your hate against those that write these “malicious applications” which currently are doing more than just “desktop traversing animals”.
The lack of empathy for the standard Windows user experiencing these problems in your post is obvious and forms the reason why I, and others, believe folks like you actually write these things. To me it appears clear that you feel people should be punished for wanting to run small emailed applications to amuse themselves. In a world filled with hostility I think that is a very sad thing.
My sorely misled friend, if I objected to the notion that "People are flawed" I would have posted "I object to the notion that people are flawed." I am also quite aware that there were MANY words used prior to the invention of computers, and do not appreciate your condescension.
I also do not appreciate your evasion of my argument.
Firstly, I understand your use of the word "exploit" in the context as a reference to the countless people who have been "exploited" into believing that they should download some attachment and/or run a program.
I was pointing out that in the history of Microsoft there have been infinitely more very distinct exploits that have been abused by thousands of worms and thousands of hackers millions of times than malicious programs that require user activation. Your statement, which you may have forgotten already, "The exploit being used against the Windows platform most often is not technical." is wrong. And therefore you are wrong. I will cheerfully field any arguments you have with the above statements.
I take personal offence at your attempts to label me as a coder of malicious programs, a conclusion that you based on an assumption that you extrapolated from my post. I never attacked the end user. I made my statement because you needed a clearer differentiation between exploiting a person and exploiting an OS. A differentiation that you failed to make in the only statement that I questioned. I never made any reference to your article, nor did I question its over-used and unoriginal thesis: "People are the weak link in the security chain," the shared thesis of countless articles written by the likes of people far more poisoned and angry than even yourself.
I've never used Linux or Unix before. But I AM aware of countless forums on which hundreds of posts abound with name-calling and argue in circles about Linux vs. Windows. I thought that your Linux bashing was a clear attempt to call out these (as you call them) "Linux zealots" and move focus from your flawed "article" to another topic entirely. Furthermore, I find YOUR name-calling and (yes, they are) personal attacks childish and unprofessional.
I think that if you were truly interested in the open discussion of securities (regardless of OS) you would field these comments with straight answers and/or return questions, instead of just pulling hair and biting.
Now that you are done "reading" my response, please read it once more before you continue polishing the brass on the Titanic. Admit that your statement was wrong, or tell me... LUCIDLY... why I am incorrect.
I frankly can’t figure out why you are so upset. I wrote the piece, I get to choose the way I mean a word not you. You say you understand how I intended the word (exploit) but then say I need a clearer differentiation between my meaning and yours. If you understood, why is that? If you are saying I could be clearer, that is always the case, and will always be the case so I’ll concede that point. But I think you are asking me to read your mind and that is beyond my capability and desire at this moment.
You say that others more poisoned and angry have pointed out that people can be exploited, that others have done this I have no doubt, I have done it countless times. I don’t get the poisoned and angry part. If this is true, then why would I need to be angry? Granted it does upset me that people I know and love are exploited and harmed in this way but I have a hard time thinking that this is a bad thing.
You say you never attacked an end user before, but you exhibit so much anger and hate that it seems likely, if your statement is true, that this is only because you haven’t yet had the opportunity. People who hate like you seem to often have difficulty controlling their anger, but that is your problem and not mine.
You ask “if I was truly interested in a discussion of securities etc.”, first “securities” are stocks and bonds, and second the “security” I was talking about had little to do with the topic you seem to want to address even though it is clear (given you have never run UNIX or Linux) you are completely unqualified to have it. Why would I waste my time and yours? The topic was on supporting Microsoft when they do something that benefits all of us, what about that position do you disagree with? If you simply want to find someone to argue with, find someone else please.
In the end, I find your statements reflect more on you than you likely intended and perhaps that is something you should reflect on going forward.
What if the moon is green? What if aliens come to get us tomorrow? Man, I just love it. Now we have gone from "Microsoft is secure" to "what if it was"... and as far as Linux: Linux or the UNIX OS do not have the inherent security issues that would allow gullible people to infect their machine like Microsoft, and if this author knew anything about Unix (Linux) he would have known this. Man, what a joke!
Sometimes you hope people will rise to look at the bigger picture and see the common good. Clearly you aren’t one of those people. I find it interesting that you personally believe that Linux and UNIX users can not be tricked into applying a hostile patch, running a hostile utility, or into giving up their passwords. Having done security audits for a number of years I know this belief to be incredibly naïve, as people remain people regardless of the platform they use.
But, that aside, the lack of any empathy for the users that are currently being hit with wave after wave of viruses is more telling, as is the inability to look at what Microsoft is doing and admit that at least some of it will benefit all, regardless of platform. I continue to believe that if this part were emulated by the Open Source community maybe there is a chance we all could be safer. I think the BSD folks get this, and I’ll bet at least some of the Linux folks do as well. I think Linus in particular would agree, but, unfortunately they, and he, did not write this post and increasingly it is posts like this that define Linux and Linux increasingly defines Open Source.
I guess some folks like playing the villain in any story; it is a shame is all.
First, why do you feel the need to attack people personally:
Talking about thinking:
"Something that appears beyond you at the moment, perhaps if you take a breath you’ll find that this piece had little to do with platforms at all."
"Sometimes you hope people will rise to look at the bigger picture and see the common good. Clearly you aren’t one of those people."
It appears that you feel the need to bash people who point out your flaws. That is not very commendable and somewhat pitiful for a "respected" journalist. Neither attacked you personally, only disagreed with your less than "learned" remarks.
That being said, you still have no concept of security in the *NIX world. If one of my users does something stupid, it is confined to that user and the files he owns (I even control the amount of disk space they have available). Not to mention what programs they run, what files they can look at and even what directories they can traverse. I could go on, but suffice it to say that the granularity of what happens in *NIX makes it almost impossible to pull the same kind of crap we have had to put up with for years. Microsoft Windows was NOT written to be multi-user and was not even network capable originally without add-ins. Later they decided that the internet was neat and they would make it work in Windows. They did this with ZERO thought of security and it shows.
You state that you have been in the "security" business for some time. If that's the case, then you know a lot of the crap you just spouted is just that, crap. If that's not the case, then I would suggest attending a few seminars and maybe picking up a copy of "UNIX for Dummies" and checking out the section on permissions before spouting off about your great security knowledge. It shows that you don't have much "security" knowledge and even less credibility.
Now instead of attacking me personally (although I did throw a few well-deserved jabs), please feel free to prove me wrong...... I await your enlightened answer.
Now this is amazing, you post that I have bashed folks personally. Then you proceed to do the same with me. My point in both pieces is the writers in their obvious dislike for Microsoft have, as usual, missed the bigger picture and the need to help the people attacked as opposed to just spout the typical Linux dogma. In the first case I asked the person to “take a breath”, in the second “to look at the common good” how is that bashing? Like you they were quick to type and slow to comprehend. Unfortunately the forums encourage this behavior no matter how foolish.
If you look again you’ll find that they are simply spouting the typical “Microsoft Sucks” mantra that you have now picked up. Lose your hate for a moment. UNIX platforms have failed security audits as long as they have been audited. No platform is absolutely secure, and permissions are an area where those that actually do security for a living spend a lot of time. If you were to look into this, you’d find that the real exposures (to the data itself) have historically been with people, and practices, that have preceded computers by decades.
The “zero thought” comment regarding Microsoft suggests you have either lived in a cave for the last 3 years or are just another Microsoft basher and not a particularly well informed one at that. Strangely enough, I’ve been doing this long enough to know that you have actually studied this very little or you wouldn’t have hung your hat on permissions. You seem only to want to argue and to showcase knowledge you don’t actually have, which is a shame.
But this wasn’t about platform security at all; this was about making this a more secure world for all of us, because neither Linux nor UNIX are general use platforms and may never be. My goal in this was to get people thinking about the broader issue of being human and of securing other humans. These viruses hurt all of us by taking away resources that could be better used to build new products, deliver services, and, hopefully, continue the economic recovery; we are all hurt regardless of what OS we use and worship. While the Linux zealots seem to revel in the damage these things are causing, I’d hoped that others would take a more measured view and agree that while Microsoft has a lot to fix, maybe if everyone approached the problem in a similar broad way the world would be a better place.
What’s wrong with saying that Microsoft can get it right once in awhile?
And your answer likely is because Microsoft is a <insert expletives here>. So, in the end, this, for you, isn’t about security at all, it is simply about creating an opportunity where your hate for a company of people you have probably never actually met can be vented. My guess is you are just another Zealot who feels that people who run a platform you don’t, deserve what they get, who is defined by the hate you feel, and who probably hasn’t entertained the possibility that you might be wrong in some time.
Shame you can’t focus your efforts on something that is for the broader good, but folks like you simply don’t, and, while that is certainly a shame it, fortunately, isn’t my problem.
Personally, I like this article for an objective view and the expressed hope that all OSs be treated as tools. We run AIX, Linux and MS and each has its place. I am a Microsoft administrator who is also expected to be knowledgeable about Oracle on AIX and Linux. Neither of which helps me to centralize security and management of my workstations, at which MS excels. Sure, I have beefs with MS. They could borrow some good ideas from Red Hat... such as when running as a restricted user in Linux and opening a root program, I am prompted for the root password. Microsoft only has the "runas" command, which is essentially useless except for certain tasks. Since this is one reason so many users are allowed to run as administrator accounts, this is in itself a major problem with implementing security. Oh, how many Linux users here actually run their Linux boxes other than as root? Huh? Pretty vulnerable then.
I would like to first off comment on your last statement: "How many Linux users here actually run their Linux boxes other than as root? Huh?" I personally do not know anybody who does run their Linux box as root. I teach people how to use Linux, and so do my friends, and the first thing we emphasize to them is to never run as root. The people who decide to try Linux with no instruction (i.e. don't read documentation, etc.) run their box as root. This is because of the misconception they get from running Windows: they think that running as root is totally acceptable. Not to say that all users who try Linux come from Windows; maybe they used Mac OS 9.x or earlier, which just boots up with no concern for creating a user to log into the machine with.
Also, I have no problem with people using Windows if they want. I prefer to use Linux; I find that it fits my needs better than Windows does. I am a network admin and I administer about 150 Windows and Mac computers. MS excels at centralized security and management for Windows machines. Windows has some support for Macs and really no support for Linux machines. If MS really wants to excel in centralized management and security, maybe they need to work on interoperating with other OSs. MS needs to improve the interoperability with Macs. Microsoft may have SFU (Services for Unix), but give me a break: Unix utilities running on top of Windows are really of no use, and I have to say I have used them and they suck. So in my opinion the only interoperability between Linux and Windows exists because of the open source community.
Also, I agree with the point in the article about the human factor. The human factor is the biggest risk to security in my opinion. People don't always think before they do something, which is why it doesn't matter what OS you run; it's not going to be secure because of the human factor. That is something I learned while working with users.
"Oh, how many Linux users here actually run their Linux boxes other than as root? Huh? Pretty vulnerable then."
Actually, I normally run as a normal user. I only su or log in as root when I have a reason to.
Oh, and I'm not a systems admin or anything that requires much working knowledge or responsibility.