MS Invites Security Questions
daria42 writes "Microsoft is inviting ZDNet readers to submit security-related questions online to a team of Microsoft security gurus. Microsoft's Ben English and his team will take questions online until the 30th of May. A selection of questions and answers will be published by ZDNet starting from the 6th of June. Submit your questions starting now!"
Why does Microsoft not eat its own dogfood? As a network administrator
I'm constantly struggling with rights on workstations. I know that MS
gives admin rights to all of its own users. (I live in Seattle; I've seen
it.) But I can think of no security hole larger than giving out rights
to users who *SHOULD* not need them.
There is a laundry list of applications written *by* Microsoft that do
not work properly without additional rights.
This has been true since NT 3.51. How did this happen? Upgrading to
Longhorn is not a solution. If I worked for Microsoft this would be
my first priority. Take away rights, fix existing applications.
"think of it as evolution in action"
My Question
Why don't you open up your source? I have an analogy to Open and Closed source:
With closed source, you are in a room full of razor blades everywhere and you are blindfolded. With Open Source, you are in a room full of razor blades everywhere and you are NOT blindfolded, so you can see where the exit is and perhaps avoid getting too cut up.
Which is really safer, closed or open source? Would you rather be blindfolded?
The dangers of knowledge trigger emotional distress in human beings.
We should show them the /. effect and send nothing but linux security questions on how to fortify your linux distro ;-)
The Technomancer
"Men of lofty genius when they are doing the least work are most active."-
Guaranteed question. Answer: According to many studies that we've funded; yes.
"selection"? ;P
One that hath name thou can not otter
If the Microsoft team gets to pick which questions are answered, I doubt this will be akin to Achilles waving his naked foot right under Paris' nose, since questions like, "Why is Microsoft's security better than Linux security?" are more likely to get answered than questions like, "When did Microsoft hire a team of security gurus?"
I Am My Own Worst Enemy
Almost EVERY website that deals with security have commented on M$FT and their security. That would be a good place for Mr.Ben English to start. Not to troll, but I think this is just another PR stunt by M$FT!
Slashdot asks what kind of story will really bring the M$ bashing to an all time high?
It would be nice to see the questions that don't get answered. It would be interesting to see if some questions get glossed over or ignored because of some inherent design flaw.
Maybe someone would make a list of all the questions and group all the similar ones together in order to create something like this. I guess Microsoft is feeling the heat from other vendors stating that Microsoft isn't as secure as their products.
How do you keep your jobs?
I'm assuming you've got some excellent blackmail material on someone in HR but I'd like to know for sure.
They will ignore everything and give generic answers to worthless questions such as "how do I secure my home computer". The answer will probably be something like "use the Microsoft firewall and the Microsoft anti-spyware program, and a Microsoft antivirus program on your genuine Microsoft Windows XP operating system".
Nothing to see here, move along.
a selection ...
translation
easily answered questions made up or planted by Microsoft employees, so they don't have to answer the hard-hitting questions.
"When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
Just hype to cover their asses and to keep the sheeple happy!
You obviously get some kind of referrer bonus for sending people to their site. I count three links to shinyfeet.com in your post.
And really, who the hell would want an email address with "ShinyFeet" in it?
This space intentionally left blank.
This is pretty much the most basic question possible, but what do you consider to be the range of behaviors that qualify as security bugs?
For example: do you consider features that require the user to do something insecure (like run as a local administrator) in order for that feature to work a bug? Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a hostile executable) a security bug?
If you answered "Yes" to these questions, do you consider ActiveX web browser plugin support and hiding file extensions to be security bugs? How soon will a patch be available to fix these bugs? How does the timeframe from "discovery of bug" to "fix for bug" compare to your competitors' average time-to-fix for security bugs?
Simple enough, really.
Ancay Iway askway ywhay eythay on'tday useway igpay atinlay?
I'dway atherray eatway ymay ownway eadhay anthay anslatetray everythingway omfray igpay atinlay ustjay otay ackcray intoway omeone'ssay ystemsay.
Can I ask why they don't use pig latin? I'd rather eat my own head than translate everything from pig latin just to crack into someone's system. See what I mean? Maybe it's Friday and I'm the only one seeing the humor...
I'm sure they will just beat around the bush like they always do. Gates's arrogance will trickle off.
1) Why can't you get software out the door that doesn't contain security flaws that you will be spending the next 6 years trying to fix, and still not get it right?
2) Word association: Microsoft -> buffer overflow.
3) Do you understand the concept of "Deny All Except" or has it ever been mentioned to you?
4) Do the 1 million monkeys Douglas Adams referred to work in Redmond?
5) Why is Bill Gates such an ass?
6) Who will protect us from Microsoft?
Ok. So it was more than one question. But one wasn't technically a question.
I guess millions? dunno, but I remember everyone saying that about yahoo and others thinking hotmail was perverted sounding.
do you have shinyfeet?
Come on, does anyone really think that Microsoft is going to select any of the tough questions that they really don't want to address? This is a sham. It gives them a way to say that they responded to users' concerns, when in reality they will pick and choose things that can make them look good or give them a chance to attack open source. The more people who participate in this sham, the more it serves their purposes.
I'm an American. I love this country and the freedoms that we used to have.
Ability to use metaphor implies capability for higher thought... Is this useful in a business environment? What are the upscaling interoperability and B2B / B2C / B2D implications of using higher thought if it disassociates your personal intelligence quotia from the actual intelligence quotia of the low-TCO due to high-WorkerProd with minimal training requirements? Security with open source is no good, because your TCO suddenly becomes higher, and that includes updating and everything - we've done studies. Next time you submit a question, please use plain English and technical terms so we can aid you to the best of our training.
My little site.
How can you be betraying your fiduciary responsibilities to shareholders by delaying products in the name of security, which history has proven that your corporate customers don't give a damn about anyway?
To avoid shareholder lawsuits of you not acting in what has historically been shown to be the best for your shareholders, why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held?
The second part we can almost say that about: it would at least give them the chance to boast.
I predict we won't see an answer to either part.
See what I've been reading.
Has ZDNET given up even the pretense of being a tech magazine? Have they finally embraced the fact that they are nothing more than a thinly veiled publicity arm of Microsoft?
Where are the real journalists asking the tough questions of the executives of MS and other tech firms? Instead they invite questions from the public, where the "experts" will pick the softballs and spew on and on about how safe, secure and super-duper-keen-nifty Windows is compared to that communist Linux.
evil is as evil does
42
With ActiveX, when all the junk spyware sites would try to install software, it was impossible to always deny the publisher install rights, but you could easily ALWAYS allow publishers to load up your computer with the worst junk imaginable.
If you've ever been to a retirement home using Internet Explorer on a shared computer, you would laugh at how much junk computers would be loaded with.
Along came Firefox, and with it the freedom from training folks to click "no" a million times to a million ActiveX dialogs. Pop-ups and other forms of nastiness reduced.
All of a sudden a fire seems to have been lit under Microsoft around security and its browser.
Aside from the above listed changes, what other positive changes do you think Microsoft will introduce as a result of some competition, particularly in the browser space, but also elsewhere.
How could you consider this even vaguely unbiased, when ZDNet has a HUGE great Microsoft advert at the top of the page?
Sheesh.
Our business model depends on selling licenses to use our products.
Based on past performance, the MS security gurus should be asking questions of the general public.
Quick background on Mako: http://www.microsoft-watch.com/article2/0,1995,1764087,00.asp
Having previously been a contractor at Microsoft and being intimately familiar with the security setup of their online properties (Hotmail, Passport, Messenger, etc.), the dynamic systems protection area was one that would get the most play (and benefit) on the server side. Automagically monitoring system state and port management would be extremely useful if it was a part of the server OS.
Do not taunt Happy-Fun Ball
Of course, most linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...
Tarsnap: Online backups for the truly paranoid
ActiveX Web Controls: What the hell were you thinking?
Why?
Instead of flooding them with so many questions that they can easily ignore the hard hitting ones, how about a Slashdot Interview style selection of good questions which we then submit as a group.
Is there an easy way to see which files have been denied access (and what types of access) so admins can set ACLs quickly to allow regular users to use programs which normally require administrator access but shouldn't (e.g. Simply Accounting)?
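One way to get exactly that list on a current Windows box, as an added example that is not from the thread: enable failure auditing for the "File System" subcategory, put a failure-only audit entry (SACL) on the folder the application touches, reproduce the failure as the standard user, then pull the Audit Failure 4656 events from the Security log. The script is PowerShell and assumes it runs elevated; the folder path and the principal are placeholders. (Sysinternals Process Monitor filtered on ACCESS DENIED results gives the same answer interactively, including registry keys.)

```powershell
# Added example (not from the thread). Finds file accesses that were denied to a
# standard user so an admin can grant only the ACL entries actually needed.
# Run elevated. $TargetDir and $Principal are placeholders.
param(
    [string]$TargetDir = 'C:\ProgramData\ExampleApp',   # placeholder
    [string]$Principal = 'BUILTIN\Users'                 # who gets audited
)

# 1. Turn on failure auditing for object access on the file system.
#    Nothing is logged until a SACL on the object asks for it (step 2).
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# 2. Add a failure-only audit rule to the folder, inherited by its children.
$acl  = Get-Acl -Path $TargetDir
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $TargetDir -AclObject $acl

# 3. After reproducing the failure as the standard user, summarise the denials.
function Get-DeniedAccess {
    param([datetime]$Since = (Get-Date).AddMinutes(-30))
    # 4656 = "A handle to an object was requested".
    # Keyword 0x10000000000000 selects Audit Failure records only.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        Keywords  = 0x10000000000000
        StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [PSCustomObject]@{
            Time      = $e.TimeCreated
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process   = $d.ProcessName
            Object    = $d.ObjectName
            Requested = $d.AccessList   # access-mask tokens such as %%4417 (WriteData)
        }
    }
}

# One row per object, so the admin can grant the narrowest right that unblocks the app.
Get-DeniedAccess | Sort-Object Object -Unique | Format-Table -AutoSize
```

The point of step 2 is scope: auditing only the application's own folder keeps the Security log readable, and the resulting rows name the specific object and the specific right that was refused, so the fix is an ACL entry on that object rather than a blanket admin membership.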
Maybe this would generate a whole new set of jokes similar to the Radio Yerevan jokes. Now, please complete this template with your jokes: The Microsoft Experts were asked: "<Is it true that...>" The Microsoft Experts answer: "<In principle yes, but...>"
I'm sorry, the number you have dialed is an imaginary number. Please rotate your phone 90 degrees and dial again.
Microsoft apparently has fine-grained access, rights and permissions built into Windows XP. Where are the tools to manage those permissions?
By the way - HOME users need those tools, too. They would (could) go a long way to preventing zombification.
You're looking for quotes? See my journal.
Microsoft has been inviting security questions for ages. But I assume this time they are preparing to actually answer them?
Microsoft: the plan is simple and reliable -- build a new OS entirely and then write a 'legacy' VM on top of it to run the current and old stuff. You can be secure and overcome the old crap. Why aren't you doing that?
And why is it still stuck on IE5, especially if MSFT plans to "upgrade" MSFT Office?
-- Tigger warning: This post may contain tiggers! --
Vhy?
Vhy oh Vhy?
that's what I personally like to ask them.
"667 - Neighbour of the beast"
what does that popup box that says "All your base are belong to us" mean?
And what does it mean by "Finished downloading software" when I click on the link to confirm that email that I got from my bank?
My friend says I'm a zombie, but I haven't noticed any hair falling out - why is this?
So? every once in a while I have seen a MS ad on Slashdot? Course that isn't when I am running Firefox with adblock
That's my question, but we all know the answer, don't we boys and girls?
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
So you can fuckoffay
Microsoft is constantly telling folks lies, and then creating "independent" verifications about them on performance issues. Witness the VeriTest reports.
So you know, as we all do, that every morning Microsoft engineers are waking up and, KNOWING that these tests are totally bogus and blatantly rigged, go out and lie like crazy to their customers about what the results prove.
Even if the product is faster, at least avoid creating such crap tests. I remember the garbage J2EE benchmarking as well, and wonder what microsoft is thinking getting up every day to push this stuff?
In the security world, trust plays a very important role in security. In addition to putting locks on doors, a business does well to hire employees it can trust.
In the long term, do you see any value in working to establish trust with your customers? My mother currently would share info with google she would never consider sharing with Microsoft, which I thought was interesting.
I love this message! MOD PARENT UP!
My take on the answer: competition (linux) and changing conditions (internet) have simply changed the "sweet spot" between security and time to market.
A harsher world means getting better or dying.
my question I keep getting this strange error message "0-\/\/-/\/-3-|) by Cowboy Neal, He Be 1337 hax0r " is that a security threat that I should worry about?
Win2003 has some functionality somewhat like that... Internet Explorer Enhanced Security Configuration... it's under the add/remove Windows components and it's installed by default on Win2003... it is kind of a pain, but when you head to a site it asks you if you want to add it to the 'acceptable' sites... might not be the perfect solution for this but it is a start
sig goes here!
That's all?
From their website:
Referral Program
Referral program provides you with a $5 or $10 referral per user that signs up and supplies your Shinyfeet username in the referral ID field.
"Very funny, Scotty. Now beam down my clothes."
What is the reason for not allowing me to move the security slider for the internet zone past Medium? Do you think everyone that uses Windows XP isn't technically/internet savvy enough to know what they're doing when they wish to drop the security level, at their own understanding of the possible risks?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
When a security hole is discovered, how much accountability rests with the developer(s) responsible for the hole/bug? Have serious holes led to programmers being fired? Is there any sort of incentive for building bug-scarce code?
WTF?
M$ + Security + Guru != Knowledge
M$ stop calling your people security gurus, they are just peons/pawns that you've namebranded for the press.
M$ -10 karma points
oh, I forgot about that one. who pays for email services now a-days anyway?
I'm just looking to offer a little insight and get a few ads knocked out of my emailer. I don't need no shinyfeet money....
uh, but if you do sign up for one of those paid subscriptions... (check the sig)
do you have shinyfeet?
Dear Microsoft...
I heard some "Linux" thing is more secure than Windows. Where can I buy this product from Microsoft?
"Dear Microsoft - it's long been known by us shareholders that your stock has only flown so high because you understood the proper tradeoffs between security (slow and unprofitable) and time to market (== profit == shareholder value)."
Oh, wake up. It's because the company has behaved with a total disregard for anything other than money.
Probably because that would set a legal precedent for suing the creators of every OSS operating system for every security flaw ever exploited in their software as well. Spam has to be relayed somehow.....
Linux is really boring from an os standpoint. Now Plan 9......
Microsoft discontinued IE for the Mac a couple years ago after Apple rolled out Safari. I doubt there will be any more updates for Mac IE.
This just goes to show you what a great company microsoft is.
They are really making an effort to provide end users with the best possible experience, and they are just demolishing their competitors with their lower prices, better products, superior customer service and overall they are just nice people.
Oh, one more thing Bill, you misspelled my name on the check. That's an 'a' not an 'o'. Care for a reach around?
Have you ever read one of their EULAs? If those are considered law, then they're not legally obligated to do anything of the sort. Then again, even if they were, they probably still wouldn't.
Having said that, I can't say that it's the way I think things should be.
Game! - Where the stick is mightier than the sword!
Dear microsoft: WTF?
Thank you.
what the heck do you want something like that for? I've got more browsers than I shake a stick at on my Mac!
A: Ben English.
B: How long?
A: Ben English since I was born, mate!
Because OS X has Safari. I wouldn't expect a new version of IE, much like I wouldn't expect Safari to be made available (Konqueror doesn't count) for the PC platform. Office on Apple doesn't mean jack, much like iTunes and QuickTime mean jack.
Have you ever been to a turkish prison?
But like Microsoft, the best work was in the 80's.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Because it's not 1977 anymore. When you chose to use Microsoft products, you knew what you were getting into. If I repeatedly hit myself in the head with a hammer, does the hammer manufacturer owe me damages?
I've got the O'Reilly XP Hacks book, but I'd like to see official, supported stuff from the horse's whatzit.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Microsoft has all the momentum of a run-away train. What makes you so popular?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Windows cannot be hardened to the point that Linux can.
Default Linux is harder than Windows, but there are still more levels of protection that can be activated.
SELinux is now default. LIDS is still an add-on. LIDS disables root; the only way to reconfigure is to use a boot disk, and even deleting logs can be stopped. This is a system breacher's worst nightmare: break into a system and not be able to cover their tracks and not be able to do major damage.
Basically operating systems are flawed at this point, but Linux is proactive, adding features to stop the flaws even if they happen.
Why should we have to pay them for an anti-virus product? (or need one?)
The parent is joking. A shareholder derivative suit alleging a violation of fiduciary duty will be preempted by the business judgment rule. As long as Microsoft decisionmakers were not self-dealing and looked at the relevant research, there is no basis for such a suit.
A NYC lawyer blogs. http://www.chuangblog.com/
I've got a question here. When I find security bugs in your software, how on earth can they be submitted for you to fix them? The support page offers little guidance.
Last time I found a security bug in IE, I ended up e-mailing it to Scobleizer who thankfully picked up on it quickly. This doesn't seem like a very effective system though!
-dgr
That's my question right there! Why has it taken so long to take security seriously?
"Microsoft Security Guru"??...that's my oxymoron for the day.
You ask us "How can you be betraying your fiduciary [konqueror spell check used, thank you] responsibilities to shareholders by delaying products in the name of security ... why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held."
Don't worry, our future products (TM) will always be buggy. The only problem is that we are out of start-ups to screw out of mature programs because all the developers and startups are now geared to Linux, that evil unAmerican cancer that's draining the life blood out of the stocks you were so foolish to buy from us. In time, if you click your heels together three times and chant, "No stock is better than Microsoft stock," we promise that you will feel better. This works remarkably well for our software users and is the basis of our famous $50/hour phone support. If you are really lucky, hardware manufacturers will collude with us to lock our Linux and all other software, leaving nothing but buggy junk for those without keys. At that time Microsoft will internally switch to Linux and our relative productivity will dynamically soar, and the predicted dinosaur domination will be a reality.
Have a nice day.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Here is the question I submitted:
During the Microsoft anti-trust trial, Jim Allchin, group vice president for platforms, testified [1] that there were security flaws in Windows so grave that to reveal the source code would be to threaten US national security, including specifically US armed forces in Afghanistan. Within a couple of years, Microsoft was providing [2] that same source code to foreign governments including China's.
Is it safe to assume that Microsoft was able to fix all of these flaws before revealing the code? If so, can you provide any details on the nature of the flaws and on the process to identify and fix them? E.g., did it require large scale changes to Windows' architecture?
1. http://www.eweek.com/article2/0,3959,5264,00.asp
2. http://www.microsoft.com/presspass/press/2004/sep04/09-19OfficeGSPPR.asp
Where the hell are the WMD Bill???
Fuck. Off.
It would be nice to have a button on IE that let you "add current site to trusted sites".
Ask, and you shall be given. This IE5 tweak (works under IE6 too) adds two options to the "Tools" menu: Add to trusted zone and Add to restricted zone
Also, it might be nice to have a "trust once" button, to temporarily trust a site for a single visit.
You can get a similar effect by setting the site to restricted after you're done with it.
It's a serious question - I hear my previous employer talk about how they're obligated to maximize shareholder profits all too often to justify sleezy behavior; and would like to know what the "right" answer to this excuse is.
Why can't you come out with security patches faster than the open source community you so abhor? You have more trained professionals than open source, ones that are paid to work for you all day long. And, if viruses exist for my OS, doesn't that mean that there is some hole in the OS they can crawl through? Shouldn't you fix your OS for free rather than charging even more just for peace of mind?
I am Spartacus
My Windows XP was obviously pirated, is a pirated version as secure as the genuine version?
If all else fails... RTFM
You sure?
The research shows that poorly secured OS's do vastly better in the market than secure OS's - perhaps due to upgrade revenue, perhaps due to time-to-market.
Security is an expensive, difficult, and labor intensive process; and it's not clear that there is any positive ROI on having a focus on security for the bulk of the market.
If Microsoft is ignoring this research, or, worse, looked at the research but making decisions to the contrary, isn't that a breach of their duties?
Have these Microsoft security "gurus" been hiding out on Tatooine for the past 10 years?
Look at me, I go and see Star Wars, and I'm already a Trekkie!
and according to linux zealots administrating networks in their basements: NO!!!! OMG!!! ROTFL!!! WTF mate?
and so before I get modded as troll, I'm sure most agree it's not so much the system but the person administrating it to keep it secure.
Also, it might be nice to have a "trust once" button, to temporarily trust a site for a single visit.
This is rife for abuse. Remember that once you trust a site, its ActiveX can change the entire set of rules for trust.
Sure, you run without ActiveX on, even for trusted sites. But J. Random Luser who sees the "Trust Once" option doesn't. And he doesn't realize that by trusting a site once, he's giving them the ability to take control of his computer forever.
The article says that Microsoft will respond to ZDNet Australia readers. That's it. And why Australia and not world wide? Was that a randomly selected country or did Microsoft have a specific reason for choosing it? If MS's Q and A's are anything like the so-called "studies" they do, it won't even be worth the time reading the replies.
I'd be really distraught. I'd probably spend a week not eating, drinking heavily and listening to really depressing music. I'd also give up computers, move to a mountain and become a monk of some esoteric religion. I'd have to, after having finished my lifelong quest so abruptly.
Man, that would suck.
Linux is really boring from an os standpoint. Now Plan 9......
If you mean for desktop/home users to manage it themselves, I guess that could be useful (not that I think using IE is a good idea at all)
;)
In a corp environment, we don't want users to be able to touch those things, and we (at least I) use vbscript/WMI to change things like that. (MicrosoftIE_Security under \root\cimv2\Applications\MicrosoftIE is where it's at). Other stuff can be accessed in the registry. Making scripts to manipulate those lists isn't hard.
Haven't used IE in so long I've almost forgot what it looks like
///<sig
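The commenter manages the IE zone lists from scripts rather than the UI. As an added example that is not the commenter's script, the PowerShell below reads and edits the same per-user site-to-zone assignments through the ZoneMap\Domains registry key (one subkey per domain, an optional sub-subkey per host label, and DWORD values named for the scheme that hold the zone id). The sample domain is constructed.

```powershell
# Added example (not the commenter's script). Reads and edits the per-user
# IE zone assignments stored under ZoneMap\Domains.
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-IeZoneAssignment {
    # Each domain is a subkey; an optional sub-subkey names a host label; the DWORD
    # values are named for the scheme ('http', 'https' or '*') and hold the zone id.
    if (-not (Test-Path $ZoneMapDomains)) { return }
    $root = (Get-Item $ZoneMapDomains).Name   # 'HKEY_CURRENT_USER\...\Domains'
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $key    = $_
        $labels = $key.Name.Substring($root.Length + 1) -split '\\'
        [array]::Reverse($labels)             # 'example.com\www' -> 'www.example.com'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [PSCustomObject]@{
                Site   = ($labels -join '.')
                Scheme = $scheme
                Zone   = $zone
                Name   = $ZoneNames[$zone]
            }
        }
    }
}

function Set-IeZoneAssignment {
    param(
        [Parameter(Mandatory)][string]$Domain,       # e.g. 'example.com'
        [string]$HostLabel,                           # e.g. 'www'; omit for the whole domain
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https',
        [Parameter(Mandatory)][ValidateSet(1, 2, 3, 4)][int]$Zone
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}

# Usage with a constructed sample: push one host into Restricted sites for every
# scheme, then list what the user's zone map currently contains.
Set-IeZoneAssignment -Domain 'example.com' -HostLabel 'ads' -Scheme '*' -Zone 4
Get-IeZoneAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```

Two caveats for a managed environment: when the "Site to Zone Assignment List" group policy is in force, the Policies\...\ZoneMap\Domains keys win and this per-user list is ignored, which is the right place to put a corporate list the user must not edit; and every entry in zone 2 widens what scripts and ActiveX from that site may do, so the Trusted list should stay short and be reviewed with the same care as the Restricted list, which is the concern raised earlier in the thread about "trust once".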
To me, it seems almost like discussing the problems of intellectual property in communism. There are so many other, much more important, issues about communism -- it's founded on an absurd philosophical model and a historical perspective that's outright wrong. It's pointless to begin discussing IP issues, since there are so many more fundamental problems to discuss before that even becomes relevant.
Who cares if the security model of Windows is absurd? I mean, seriously, what can you expect from a system that is not only absurdly abstracted, but even abstracted in 50 redundant ways, and which has a kernel-level windowing system, a monolithic kernel, etc. ad nauseam. Is security even an issue?
_Microsoft_ _security_ _gurus_
Wow, that's beyond oxymoron.
I see 57005 people
"Microsoft security gurus"
That's gotta be some kind of double negative or ironic in some way -- I just can't quite put my finger on it.
Mike
I heart the RIAA & MPAA, im sure its mutual...
Now they are interested!
And we are now allowed to ask questions about their horrible security problems!
This is bullshit! They were made aware of the problems before they became problems, convinced themselves that there were no problems and now they invite questions about them!
Fuck 'em; just fuck 'em!
They only field questions until May 30th. I wanted to ask them if they wish me happy birthday (the 31st). :(
Stasis is death. Embrace change.
microsoft......support....guru..... I'm trying to understand those three words in the same sentence and having great difficulty.
Join the Slashcott! Feb 10 thru Feb 17!
Isn't the term "Microsoft security gurus" an oxymoron?
/. Q&A from the US military's "human rights and Geneva Conventions gurus"?
What's next, a
(sigh)
http://www.liacs.nl/~wichert/strace/
If the user does not have Administrator power, malware will not write to your Windows registry, create files in system folders, change IE properties and so on.
I think that Microsoft should give more attention to these details and show the users how bad an Administrator account can be for you, instead of wasting millions in new "protection" software.
For those that want to watch the videos...
They are all in Portuguese (sorry for that), and the OS in the test did not have any updates or any antivirus installed.
How to create a normal account and secure drive C
http://rapidshare.de/files/1815234/segms1.exe.html
Sober.G running as a normal user
http://rapidshare.de/files/1815305/segms2.exe.html
Sober.G running with Administrator powers
http://rapidshare.de/files/1815380/segms3.exe.html
Sasser running as a normal user
http://rapidshare.de/files/1815590/segms-sasser.exe.html
Sober.P(O) running as a normal user
http://rapidshare.de/files/1815661/segms-sober.exe.html
Dear Micro$oft, do you know why people still insist on using your products??
cause i have no F*kn idea
I need to harden my system better...
Can you tell me how to get Debian working on my laptop?
Security! That's a good one! But seriously, what do you guys really do at Microsoft?
> I would add that the security track record of Windows 2000 (awful) actually compares pretty well to the security track record of Linux 2000 (the awful Redhat 5/6 for example).
Redhat 5??? Let's see. I distinctly recall putting 5.2 on a new box in 19-fucking-97. By the year 2000, I was using 7.3. So, with apologies to people with their head up their ass, you have your head squarely placed up your ass.
given microsoft's excellent track record in security (based on documents published by microsoft,) what does the open source community need to emulate the good practices of microsoft?
given that microsoft does not disclose security flaws in its product to protect the users from malicious attacks reaching them before patches are made, how will the oss community improve on its disclosure rules and prevention of possible news regarding security flaws?
you get my point. just make their claims work against them. i am interested to see their response (that is if they respond at all.)
Live your life each day as if it was your last.
Microsoft is building Trusted Computing/DRM into its next generation of operating systems. This provides no real security benefits to customers, but rather provides security to the business models of the members of the RIAA, MPAA, and BSA. On the other hand, Microsoft is pitching this as improving security. Indeed, I suspect that the number Bill Gates gives for security spending at Microsoft includes DRM initiatives. Why should we trust Microsoft's announcements on security, when it is obvious that a large amount of the information released by Microsoft is spin and lies, with no real substance? Or is there some sort of substance that I am missing?