Last week at the RSA conference in soggy California, Microsoft presented the most comprehensive plan I’ve ever seen to address a security problem. Granted, they currently have massive exposure, but it caused me to wonder what would happen if everyone followed their lead and focused on the human aspects of the problem rather than just the technical. From the Linux folks out there, I can hear the resounding “No” with regard to following Microsoft’s lead in anything, but for those who at least think they have an open mind, let’s explore this idea.
First off I would like to say that I do NOT usually get involved in flame wars, but this begs for a reply. Yes, the most common "exploit", as you call it here, is the user. "My virus scanner, firewall, whatever will catch it": how often I've heard that phrase is second only to "but I don't give anybody else my password". The problem here, and dare to deny it: when your system treats you like, and assumes you are, an idiot, you are most likely to remain just that. Yes, it is very possible that Linux developers, just as Windows developers, can write insecure code. The difference, however, is that open code can be more quickly fixed. How many users out there gleefully set their passwords to "12345678" etc.? Would it not be possible, as it is on Linux, to check a password list for the password chosen, and reject it if found in that list? But then that would, of course, reduce user-friendliness.
My sorely misled friend, if I objected to the notion that "People are flawed" I would have posted "I object to the notion that people are flawed." I am also quite aware that there were MANY words used prior to the invention of computers, and do not appreciate your condescension. I also do not appreciate your evasion of my argument. Firstly, I understand your use of the word "exploit" in the context as a reference to the countless people who have been "exploited" into believing that they should download some attachment and/or run a program. I was pointing out that in the history of Microsoft there have been infinitely more very distinct exploits that have been abused by thousands of worms and thousands of hackers millions of times than malicious programs that require user activation. Your statement, which you may have forgotten already, "The exploit being used against the Windows platform most often is not technical." is wrong. And therefore you are wrong. I will cheerfully field any arguments you have with the above statements. I take personal offence at your attempts to label me as a coder of malicious programs, a conclusion that you based on an assumption that you extrapolated from my post. I never attacked the end user. I made my statement because you needed a clearer differentiation between exploiting a person and exploiting an OS. A differentiation that you failed to make in the only statement that I questioned. I never made any reference to your article, nor did I question its over-used and unoriginal thesis: "People are the weak link in the security chain." The shared thesis of countless articles written by the likes of people far more poisoned and angry than even yourself. I've never used Linux or Unix before. But I AM aware of countless forums on which hundreds of posts abound with name-calling and argue in circles about Linux vs. Windows. I thought that your Linux bashing was a clear attempt to call out these (as you call them) "Linux zealots" and move focus from your flawed "article" to another topic entirely. Furthermore, I find YOUR name-calling and (yes, they are) personal attacks childish and unprofessional. I think that if you were truly interested in the open discussion of security (regardless of OS) you would field these comments with straight answers and/or return questions, instead of just pulling hair and biting. Now that you are done "reading" my response, please read it once more before you continue polishing the brass on the Titanic. Admit that your statement was wrong, or tell me... LUCIDLY... why I am incorrect.
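The deny-list check this comment asks for, written out as an added example; it is not code from the post, nor the check Linux's own password tools use. The word list is a small constructed sample, and the leet-speak and trailing-digit normalization are assumptions of the example meant to catch trivial disguises of a listed password:

```python
"""Reject a chosen password if it (or a trivial variant of it) is on a deny-list.

Added example, not from the original post. The deny-list here is a constructed
sample; a real deployment would load a published list of common or breached
passwords with many thousands of entries.
"""
import re

# Constructed sample deny-list.
COMMON_PASSWORDS = {
    "12345678", "password", "qwerty", "letmein", "iloveyou", "welcome",
    "admin", "football", "monkey", "dragon",
}

# Substitutions people commonly use to "disguise" a dictionary word (assumption
# of this example; extend as needed).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _variants(password: str):
    """Yield normalized forms so trivial mutations of a listed password still match."""
    p = password.strip()
    yield p
    low = p.lower()
    yield low
    # Strip a trailing run of digits/punctuation: "password1!" -> "password".
    stripped = re.sub(r"[\d\W_]+$", "", low)
    yield stripped
    # Undo leet-speak: "p4ssw0rd" -> "password".
    yield low.translate(_LEET)
    yield stripped.translate(_LEET)


def check_password(password: str, denylist=COMMON_PASSWORDS, min_length: int = 8):
    """Return (ok, reason); ok is False when the password must be rejected."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    for form in _variants(password):
        if form in denylist:
            return False, f"matches deny-listed password '{form}'"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["12345678", "P4ssw0rd1!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```

The normalization matters more than the list itself: a bare exact-match check accepts "Password1!" while rejecting "password", which teaches users to add a digit rather than to pick a stronger secret.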
Personally, I like this article for an objective view and the expressed hope that all OSs be treated as tools. We run AIX, Linux and MS and each has its place. I am a Microsoft administrator who is also expected to be knowledgeable about Oracle on AIX and Linux. Neither of which helps me to centralize security and management of my workstations, at which MS excels. Sure, I have beefs with MS. They could borrow some good ideas from Red Hat, such as when running as a restricted user in Linux and opening a root program, I am prompted for the root password. Microsoft only has the "runas" command, which is essentially useless except for certain tasks. Since this is one reason so many users are allowed to run as administrator accounts, this is in itself a major problem with implementing security. Oh, how many Linux users here actually run their Linux boxes as other than root? Huh? Pretty vulnerable then.
"Oh, how many Linux users here actually run their Linux boxes as other than root? Huh? Pretty vulnerable then." Actually, I normally run as a normal user. I only su or log in as root when I have a reason to. Oh, and I'm not a systems admin or anything that requires much working knowledge or responsibility.
I would like to first off comment about your last statement "How many Linux users here actually run their Linux boxes as other than root? Huh?". I personally do not know anybody who does run their Linux box as root. I teach people how to use Linux and so do my friends, and the first thing we emphasize to them is to never run as root. For the people who decide to try Linux with no instruction (i.e. don't read documentation, etc.) and run their box as root: this is because of the misconception they get from running Windows, where they think that running as root is totally acceptable. Not to say that all users who try Linux come from using Windows; maybe they used Mac OS 9.X or earlier, where it just boots up with no concern for creating a user to log into the machine with. Also, I have no problem with people using Windows if they want; I prefer to use Linux, as I find that it fits my needs better than Windows does. I am a network admin and I admin about 150 Windows and Mac computers. MS excels at centralized security and management for Windows machines. Windows has some support for Macs and really no support for Linux machines. If "MS" really wants to excel in centralized management and security, maybe they need to work on interoperating with other OSs. MS needs to improve the interoperability with Macs. Microsoft may have SFU (Services for Unix), but give me a break: Unix utilities running on top of Windows are really no use, and I have to say I have used them and they suck. So in my opinion the only interoperability between Linux and Windows is because of the open source community. Also, I agree with the point in the article about the human factor. The human factor is the biggest risk to security in my opinion. People don't always think before they do something, which is why it doesn't matter what OS you run; it's not going to be secure because of the human factor. That is something I learned while working with users.
First: analogies like having a house in downtown Baghdad versus having one in an Amish community, or whether to use troops to protect a mythical city versus wizards, do not tell anyone anything. They are simply stupid. It's a way of writing a lot and saying nothing. It's easy to hide behind vast generalities, especially when they are silly generalities. Second: so the writer points out viruses and worms use social engineering as well as technical engineering. Really!!!???? No kidding!!!??? Why, I would never have known this if Microsoft would not have pointed this out!!!! But seriously now, everyone knows this and has known it for a long time. I don't need Microsoft to point it out for me. Microsoft is blaming everyone else for its very own failures. That is typical of Microsoft and their mouthpieces (of which this writer is one). No kidding we need to better educate computer users. No kidding we need to enact better legislation against spammers, hackers, etc. We also need to WRITE SECURE CODE!!! My company goes to great lengths to ensure we understand proper security procedures and implement them. My company has been doing that for years before Microsoft made its presentation. My company NEEDS more secure products from Microsoft. Sorry, but it is ridiculous to try to put this all on the end user... of course it is also ridiculous that Microsoft writes code that is so easily breached. Probably even more ridiculous that writers like this one defend lousy code!
Before weighing the merits of this article, one should consider the Fact that Rant for Rent Rob is a paid PR flack for Microsoft. It's official! Follow the link below: http://www.eweek.com/print_article/0,3048,a=110659,00.asp 'Editor's note: Microsoft Corp. is a client of the Enderle Group, the consulting firm headed by Rob Enderle.' Need I say more?
Ok, first and foremost I disagree that MS shouldn't just focus on the technical aspects of security. They write software and as such should take responsibility for their shortcomings. I DO agree that this is not an MS-centered problem and will probably always plague all software writers. However, known problems need to be fixed and fixed properly. No more buggy patches and no more excuses about it being the end user's fault. Yes, end users need to be educated about their actions, but other precautions need to be in place since it's impractical to turn every computer user into a security expert. What if MS did get it right? Great! We'd all benefit if they came up with some new (and SIMPLE) ideas on how to help tackle security. I wouldn't go out and buy their products since they don't seem to suit my taste, but I wouldn't shun them just for getting it right. Especially if they let others use their ideas.
You noted that Linux could have an e-mail worm that could be made to spread by social engineering, like Windows worms, and that is a human problem, not technical. I don't dispute the possibility, but note that Linux *already* effectively has safeguards that seriously slow down the spread of such worms: To execute an attachment, a Linux user must save it to a file, then set a protection bit marking it executable, then run it from the saved location. Three steps, and at least the middle one is not a one-click operation (at least not in any Linux installation I have seen). By contrast, running an e-mail attachment in Windows is typically one or two mouse clicks away. This explains why these social engineering worms can spread faster than countermeasures against them can be mounted. As long as no popular Linux e-mail client makes misguided extensions to simplify running attachments, I think we are safe. And by now the people writing such programs are aware of Microsoft's mistake and know to avoid it.
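The safeguard this comment describes, enforced in code as an added example (not from the post, and not any particular mail client's implementation): an attachment handler that parses a message, writes every attachment with owner-only read/write permissions and no execute bit, and refuses to overwrite existing files. The sample message is constructed inline; the directory and file names are assumptions of the example.

```python
"""Save e-mail attachments so that they can never run with a single click.

Added example, not from the original post. Every attachment is written with
mode 0600, so a user must deliberately chmod it before it can execute,
regardless of its extension or the MIME type the sender chose.
"""
import os
import stat
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def build_sample_message() -> bytes:
    """Constructed sample: a note with a shell script attached (harmless echo)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Please run the attached update"
    msg.set_content("See attachment.")
    msg.add_attachment(b"#!/bin/sh\necho 'this would have run'\n",
                       maintype="application", subtype="x-sh",
                       filename="update.sh")
    return msg.as_bytes()


def save_attachments(raw: bytes, dest_dir: str) -> list:
    """Parse a raw RFC 5322 message and save each attachment without execute bits.

    Returns a list of (path, mode) pairs for the files written.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    saved = []
    for part in msg.iter_attachments():
        # Use only the base name so a crafted filename cannot escape dest_dir.
        name = os.path.basename(part.get_filename() or "attachment.bin")
        path = os.path.join(dest_dir, name)
        # O_EXCL refuses to clobber an existing file; 0o600 is rw for the owner only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        # Belt and braces: clear any exec bits the platform may have added.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~EXEC_BITS)
        saved.append((path, stat.S_IMODE(os.stat(path).st_mode)))
    return saved


def is_executable(path: str) -> bool:
    """True if any execute bit is set on the file."""
    return bool(os.stat(path).st_mode & EXEC_BITS)


def demo() -> list:
    """Save the sample attachment into a fresh temp dir; report (path, mode, executable)."""
    dest = tempfile.mkdtemp(prefix="attachments-")
    return [(p, oct(m), is_executable(p))
            for p, m in save_attachments(build_sample_message(), dest)]


if __name__ == "__main__":
    for path, mode, executable in demo():
        print(f"{path}: mode {mode}, executable={executable}")
```

The point is the same one the comment makes: the extra, deliberate step (marking the file executable) is a speed bump for a social-engineering worm, and the mail client should never remove it on the user's behalf.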
Easy. Vendors worldwide would receive a rush order for a few billion pairs of ice skates. Btw, many have noticed that a) "The Enderle Group" seems to consist entirely of... Rob Enderle, b) the majority of his published work seems to be either gushing PR-bunny fluff or Pavlovian attack-dog pieces, and c) that far too many of his stated-as-gospel "facts" have been easily proven false with a simple Google search. He is thus generally considered to have negative credibility, though sometimes worth reading for the comic relief provided by his stereotype blatantly ignorant sycophant persona. Some seem to believe this (comedy) is his true goal.
"The exploit being used against the Windows platform most often is not technical." Mr. Enderle: an "exploit" (which is a word Microsoft has avoided like the plague) is a security flaw that allows privilege escalation withOUT user interface. This means that no user has to click OK or execute the program; he just has to have his computer ON. These are things like buffer overflows that allow arbitrary command execution. If you are talking about the latest viruses that people have to download and execute, then they are NOT security flaws; they are simply malicious applications that users CHOOSE to download and run to their own personal detriment. They might as well be downloading little desktop-traversing animals to amuse themselves. To say that Microsoft doesn't have an abundance of exploits (keyword: exploits) is ludicrous, and requires NO further explanation. And you would think that a professional columnist would have enough sense NOT to take sides (and bash the opposition) in the Linux vs. Windows war. Perhaps in the future you should take more time on security pages and forums and less time at dictionary.com.
What if the moon is green? What if aliens come to get us tomorrow? Man, I just love it. Now we have gone from Microsoft is secure to what if it was... and as far as Linux: Linux or the Unix OS do not have the inherent security issues that would allow gullible people to infect their machine like Microsoft, and if this author knew anything about Unix (Linux) he would have known this. Man, what a joke!
What If Microsoft Got Security Right?
Posted by: Rob Enderle, March 1, 2004 06:30 AM