Slashdot Mirror


MS Invites Security Questions

daria42 writes "Microsoft is inviting ZDNet readers to submit security-related questions online to a team of Microsoft security gurus. Microsoft's Ben English and his team will take questions online until the 30th of May. A selection of questions and answers will be published by ZDNet starting from the 6th of June. Submit your questions starting now!"

19 of 259 comments

  1. Unbiased? by nizo · · Score: 5, Interesting

    If the Microsoft team gets to pick which questions are answered, I doubt this will be akin to Achilles waving his naked foot right under Paris' nose, since questions like, "Why is Microsoft's security better than Linux security?" are more likely to get answered than questions like, "When did Microsoft hire a team of security gurus?"

  2. What's considered a security bug? by Anonymous Coward · · Score: 5, Interesting

    This is pretty much the most basic question possible, but what do you consider to be the range of behaviors that qualify as security bugs?

    For example: do you consider features that require the user to do something insecure (like run as a local administrator) in order for that feature to work a bug? Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a hostile executable) a security bug?

    If you answered "Yes" to these questions, do you consider ActiveX web browser plugin support and hiding file extensions to be security bugs? How soon will a patch be available to fix these bugs? How does the timeframe from "discovery of bug" to "fix for bug" compare to your competitors' average time-to-fix for security bugs?

    Simple enough, really.

  3. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  4. Re:What I asked by dwlovell · · Score: 4, Interesting

    They are trying. Clearly the previous OSes didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003, despite a few jumps and hoops.

    See Aaron Margosis' blog on msdn.

    A choice quote:
    "My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles. Hey, y'all! We need to lead by example. People look to us for best practices, for the right way to do things. We are trying to convince the world that we are thought leaders in software and in software security. In the Unix world, they never run as root except when necessary. They "su", do what they need to do, and revert back. We are not leaders when we run as root all the time. Comrades: you need to run as "User", and your customers need to see you doing it. If you run into issues, don't add yourself back to the admins group - file a bug against the offending product. Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, "You're not setting a very good example. I am disappointed.""

    So when Longhorn is released we can see if they made good on this idea, but until then, they openly agree with you and are working towards making it the standard to not run as root.

    -David

  5. I asked by RealAlaskan · · Score: 4, Interesting

    Gates recently declared security to be "Job One".

    Why wasn't it a high priority from the beginning, and why haven't we seen any meaningful results?

    The first part of that question is legitimate, and not flame bait.
    The second part we can almost say that about: it would at least give them the chance to boast.

    I predict we won't see an answer to either part.

    1. Re:I asked by praxis · · Score: 2, Interesting

      If you take a look at the vulnerabilities found in the first six months of Windows 2000 Server being on the market and the vulnerabilities found in the first six months of Windows Server 2003 being on the market, you'll note that the number has gone down dramatically (I don't remember the exact figures). Also, for many vulnerabilities, a default 2003 installation will not expose the vulnerable area whereas a default 2000 installation will. Those are meaningful results.

  6. Benefits of Firefox and competition by augustz · · Score: 2, Interesting

    With ActiveX, when all the junk spyware sites would try to install software, it was impossible to always deny the publisher install rights, but you could easily ALWAYS allow publishers to load up your computer with the worst junk imaginable.

    If you've ever been to a retirement home using Internet Explorer on a shared computer, you would laugh at how much junk computers would be loaded with.

    Along came Firefox, and with it the freedom from training folks to click a million times no to a million ActiveX dialogs. Pop-ups and other forms of nastiness reduced.

    All of a sudden a fire seems to have been lit under Microsoft around security and its browser.

    Aside from the above listed changes, what other positive changes do you think Microsoft will introduce as a result of some competition, particularly in the browser space, but also elsewhere?

  7. Re:Isn't the WWW full of them...? by brouski · · Score: 1, Interesting

    I think you were revealed as a troll the minute you used M$.

    --
    Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!

  8. What I posed by Amoeba · · Score: 2, Interesting

    What I posed to them was "What is the current status of the Mako project and which of the 3 focus areas has been the most difficult to implement and why? We've seen some movement in the firewall/anti-virus area but I've read or seen little regarding the dynamic-systems-protection or behavioral blocking."

    Quick background on Mako: http://www.microsoft-watch.com/article2/0,1995,1764087,00.asp

    Having previously been a contractor at Microsoft and being intimately familiar with the security setup of their online properties (Hotmail, passport, messenger, etc.) the dynamic systems protection area was one that would get the most play (and benefit) on the server side. Automagically monitoring system state and port management would be extremely useful if it was a part of the server OS.

    --
    Do not taunt Happy-Fun Ball

  9. My question... by cperciva · · Score: 4, Interesting

    On March 2nd, I reported to the Microsoft Security Response Center a serious flaw in the implementation of Hyper-Threading on recent Intel processors requiring operating system patches. On May 13th, FreeBSD issued a patch, and several other operating systems have followed suit since then.

    When will Microsoft issue a patch or advisory concerning this?

    Of course, most Linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...

  10. Slashdot Interview Questions by bizard · · Score: 2, Interesting

    Instead of flooding them with so many questions that they can easily ignore the hard hitting ones, how about a Slashdot Interview style selection of good questions which we then submit as a group.

  11. Re:/. em by pg110404 · · Score: 4, Interesting

    We should show them the /. effect and send nothing but Linux security questions

    And it would be just as much a waste of effort. The current design of Windows is so flawed when it comes to security that if Microsoft actually listened to their customers, they would have to revamp their entire security model in the OS, breaking just about everything in Windows. Microsoft is in a very tight spot right now with their design of Windows, and anything more than lip service on their part would mean making a very hard decision to change the OS so fundamentally that it is not compatible with its predecessors, which is something they cannot afford to do. As it stands, the security or lack of security in Windows will remain for quite some time. There are tricks they can use to minimize the damage once security has been breached. For example, upgrade the ActiveX layer to allow a 'read-only' mode for a given process wherein the first thing the web browser does when it starts up is to neuter itself. Whether you run IE as administrator or not, it's a safe bet that more harm than good can be done letting it run silently. By having IE issue a call to a one-way demotion of privileges, along with a 'this application is trying to do this. Enter your administrator password to override for this one time occasion', it would vastly improve but not solve the security problems. With this simple trick, spyware infested web sites would have a much harder time installing their wares without you knowing about it. Again, it wouldn't solve that security problem, but it would greatly improve it.

    Then again, maybe, yeah. We SHOULD ask them how to secure our Linux boxes better. At least I'd get a kick out of the reaction from the Microsoft soldiers.

  12. Corollary: by temojen · · Score: 2, Interesting

    Is there an easy way to see which files have been denied access to (and what types of access) so admins can set ACLs quickly to allow regular users to use programs which normally require administrator access, but shouldn't (i.e. Simply Accounting)?

    1. Re:Corollary: by Anonymous Coward · · Score: 1, Interesting

      It seems that permissions in the registry are given at the "folder" rather than at the key level. Most likely this isn't an issue; there's not a lot of places where some keys should be blocked but others should not.

      The biggest perpetrators really are the game companies writing CD copy protection schemes that require hardware access to work, and therefore require admin privs. What's needed is for the game companies to quit doing this. It only works for about 30 minutes; by then if the warez groups haven't cracked the game, the people who get pissed off at trying to get the game to run have.
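    A defender-side way to get the list temojen asks for, as an added example that is not from the thread or from Microsoft: enable failure auditing on the application's folder, then pull the denied opens (Security event 4656 with the Audit Failure keyword) out of the event log and decode which rights were refused. Assumes Windows PowerShell run from an elevated prompt; $AppDir is a placeholder path and Decode-AccessMask is a helper defined here.

```powershell
# Added example: list files a standard user was denied access to, and which
# rights were refused, so an admin can grant a narrow ACL instead of admin.
# Assumes an elevated PowerShell; $AppDir is a placeholder you replace.
$AppDir = 'C:\Program Files\ExampleApp'   # placeholder path

# 1. Turn on failure auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# 2. Add a failure audit entry (SACL) on the folder so denied opens are logged.
$acl  = Get-Acl -Path $AppDir
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Users', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $AppDir -AclObject $acl

# 3. After the user reproduces the problem, read event 4656
#    ("A handle to an object was requested") flagged as Audit Failure.
$AccessNames = @{
    0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'; 0x20 = 'Execute'
    0x80 = 'ReadAttributes'; 0x100 = 'WriteAttributes'; 0x10000 = 'Delete'
    0x20000 = 'ReadControl'; 0x40000 = 'WriteDac'; 0x80000 = 'WriteOwner'
}
function Decode-AccessMask([int]$mask) {
    # Helper defined here: turn the hex AccessMask into readable right names.
    ($AccessNames.Keys | Where-Object { $mask -band $_ } |
        ForEach-Object { $AccessNames[$_] }) -join ','
}

# Keyword 0x10000000000000 is the standard Audit Failure keyword.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656; Keywords=0x10000000000000} |
  ForEach-Object {
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = $fields.SubjectUserName
        Process = $fields.ProcessName
        Object  = $fields.ObjectName
        Denied  = Decode-AccessMask ([Convert]::ToInt32($fields.AccessMask, 16))
    }
  } | Where-Object { $_.Object -like "$AppDir*" } |
  Sort-Object Time | Format-Table -AutoSize
```

    The Denied column tells you which right to grant on which path; removing the audit rule afterwards keeps the Security log from filling up.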

  13. Re:What I asked by Dante · · Score: 2, Interesting

    "They are trying. Clearly the previous OS's didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003 Aaron Margosis, despite a few jumps and hoops."

    If this was true MS would have their *regular users* not running as administrators. The receptionists run as administrator!

    I just don't see Aaron Margosis' comments as anything but lip service. Microsoft doesn't even try!
    --
    "think of it as evolution in action"

  14. Re:Question: by Anonymous Coward · · Score: 1, Interesting

    Their jobs are kept through a giant siphon of money from the generally clueless public. I believe nobody has ever really taken Microsoft's flaws seriously. "Bugs are bugs, reboots are reboots -- that's just how it is, man! That or go command-line unix, right?"

    Not enough people understand. When a virus/worm spreads through the net, people need to get hit over the head and be told that Microsoft shares at least part of the blame in this. (your clueless admin gets part of it too!)

    Because of spin and propaganda, people have ACCEPTED these security flaws as part of computing. Only relatively recently has there been enough of an uproar to get MS to do additional PR work (Trustworthy Computing) to liven up their security image a little.

  15. Re:/. em by jojo+tdfb · · Score: 2, Interesting

    You know Microsoft has a Linux lab, right? The problem is they probably could answer your questions and possibly seal up a few security issues that could have bitten you in the ass later. You're right about Windows being a flawed model, but they said the same thing about Unix 20 years ago. All security models are flawed that allow people in to do things like "run programs" and "view data".

    I've yet to see a secure OS and it's not from lack of effort. I've been looking for an OS that doesn't suck for years.

    --
    Linux is really boring from an OS standpoint. Now Plan 9......

  16. How can users submit bug reports? by jondt · · Score: 2, Interesting

    I've got a question here. When I find security bugs in your software, how on earth can they be submitted for you to fix them? The support page offers little guidance.

    Last time I found a security bug in IE, I ended up e-mailing it to Scobleizer who thankfully picked up on it quickly. This doesn't seem like a very effective system though!

    -dgr

  17. Re:I Just Asked them the Big Question by Emperor+Skull · · Score: 2, Interesting

    Nah, it's more like you are in a field and you know there are land mines out there somewhere. With closed source you are relying on the army that buried the landmines to find them, defuse them and just maybe keep you from stepping on them. With open source you have a technical geologic survey of the area available for everyone to see, but the only geologists that have the ability to read the surveys are out to discredit the army. Generally the army has a bit more credibility so lots of people tend to follow their advice even though from time to time someone loses a leg.