Slashdot Mirror


MS Invites Security Questions

daria42 writes "Microsoft is inviting ZDNet readers to submit security-related questions online to a team of Microsoft security gurus. Microsoft's Ben English and his team will take questions online until the 30th of May. A selection of questions and answers will be published by ZDNet starting from the 6th of June. Submit your questions starting now!"

46 of 259 comments

  1. What I asked by Dante · · Score: 5, Insightful

    Why does Microsoft not eat its own dogfood? As a network administrator
    I'm constantly struggling with rights on workstations. I know that MS
    gives admin rights to all of its own users. (I live in Seattle; I've seen
    it.) But I can think of no security hole larger than giving out rights
    to users who *SHOULD* not need them.

    There is a laundry list of applications written *by* Microsoft that do
    not work properly without additional rights.

    This has been true since NT 3.51. How did this happen? Upgrading to
    Longhorn is not a solution. If I worked for Microsoft this would be
    my first priority. Take away rights, fix existing applications.

    --
    "think of it as evolution in action"
    1. Re:What I asked by dwlovell · · Score: 4, Interesting

      They are trying. Clearly the previous OSes didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003, despite a few jumps and hoops.

      See Aaron Margosis' blog on msdn.

      A choice quote:
      "My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles. Hey, y'all! We need to lead by example. People look to us for best practices, for the right way to do things. We are trying to convince the world that we are thought leaders in software and in software security. In the Unix world, they never run as root except when necessary. They "su", do what they need to do, and revert back. We are not leaders when we run as root all the time. Comrades: you need to run as "User", and your customers need to see you doing it. If you run into issues, don't add yourself back to the admins group - file a bug against the offending product. Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, "You're not setting a very good example. I am disappointed.""

      So when Longhorn is released we can see if they made good on this idea, but until then, they openly agree with you and are working towards making it the standard to not run as root.

      -David

    2. Re:What I asked by Dante · · Score: 2, Interesting
      "They are trying. Clearly the previous OSes didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003, despite a few jumps and hoops."

      If this was true MS would have their *regular users* not running as administrators. The receptionists run as administrator!

      I just don't see Aaron Margosis' comments as anything but lip service. Microsoft doesn't even try!
      --
      "think of it as evolution in action"
    3. Re:What I asked by sconeu · · Score: 2, Informative

      "Clearly the previous OSes didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003, despite a few jumps and hoops."

      Please have your admin install the following, and then you may try to run them as a non-admin user:
      * The Sims

      * Mavis Beacon Teaches Typing 15

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  2. I Just Asked them the Big Question by mfh · · Score: 3, Insightful

    My Question
    Why don't you open up your source? I have an analogy to Open and Closed source:

    With closed source, you are in a room full of razor blades everywhere and you are blindfolded. With Open Source, you are in a room full of razor blades everywhere and you are NOT blindfolded, so you can see where the exit is and perhaps avoid getting too cut up.

    Which is really safer, closed or open source? Would you rather be blindfolded?

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:I Just Asked them the Big Question by Anonymous Coward · · Score: 2, Insightful

      Microsoft's Answer:

      With Open Source, you are in a room full of razor blades and you can see, but it's really too much of a strain on you to get yourself to the exit safely. You can't possibly do it, and you might actually try to take a razor and cut someone else.

      With closed source (or really, just MS) you are blindfolded because you are far too stupid to avoid getting hurt, and we really can't trust you not to use those razors to attack someone else. So we are going to hold your hand and gently lead you to the door.

      What they won't tell you is the door only leads to more razors, and the guy holding your hand probably put them there in the first place (but that won't stop him from charging you to hold your hand).

    2. Re:I Just Asked them the Big Question by Emperor+Skull · · Score: 2, Interesting

      Nah, it's more like you are in a field and you know there are land mines out there somewhere. With closed source you are relying on the army that buried the landmines to find them, defuse them and just maybe keep you from stepping on them. With open source you have a technical geologic survey of the area available for everyone to see, but the only geologists that have the ability to read the surveys are out to discredit the army. Generally the army has a bit more credibility so lots of people tend to follow their advice even though from time to time someone loses a leg.

  3. Could the key word be... by sznupi · · Score: 2, Insightful

    "selection"? ;P

    --
    One that hath name thou can not otter
  4. Unbiased? by nizo · · Score: 5, Interesting

    If the Microsoft team gets to pick which questions are answered, I doubt this will be akin to Achilles waving his naked foot right under Paris' nose, since questions like, "Why is Microsoft's security better than Linux security?" are more likely to get answered than questions like, "When did Microsoft hire a team of security gurus?"

    1. Re:Unbiased? by jerometremblay · · Score: 4, Insightful

      Microsoft is full of brilliant people with good ideas and good intentions.

      However, other forces within the company are sometimes (some will argue always) taking over. If the suits decide that they prefer more features over fewer bugs, or if they set impossible deadlines, good people aren't enough.

  5. Isn't the WWW full of them...? by guyfromindia · · Score: 2, Insightful

    Almost EVERY website that deals with security has commented on M$FT and their security. That would be a good place for Mr. Ben English to start. Not to troll, but I think this is just another PR stunt by M$FT!

  6. In other news... by cainpitt · · Score: 5, Funny

    Slashdot asks what kind of story will really bring the M$ bashing to an all time high?

    1. Re:In other news... by Doc+Ruby · · Score: 4, Insightful

      That would be "the truth". The truth about Microsoft is unparalleled bashing grounds.

      --
      make install -not war

  7. what doesn't get answered by sumdumass · · Score: 4, Insightful

    It would be nice to see the questions that don't get answered. It would be interesting to see if some questions get glossed over or ignored because of some inherent design flaw.

    Maybe someone would make a list of all the questions and group all the similar ones together in order to create something like this. I guess Microsoft is feeling the heat from other vendors stating that Microsoft isn't as secure as their products.

  8. Question: by lunchlady55 · · Score: 5, Funny

    How do you keep your jobs?
    I'm assuming you've got some excellent blackmail material on someone in HR but I'd like to know for sure.

  9. We all know what will happen. by Psionicist · · Score: 5, Insightful

    They will ignore everything and give generic answers to worthless questions such as "how do I secure my home computer". The answer will probably be something like "use the Microsoft firewall and the Microsoft anti-spyware program, and a Microsoft antivirus program on your genuine Microsoft Windows XP operating system".

    Nothing to see here, move along.

  10. a selection eh? by oh_the_humanity · · Score: 2, Insightful

    a selection ... translation: easily answered questions made up or planted by Microsoft employees, so they don't have to answer the hard-hitting questions.

    --
    "When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
  11. Re:does this apply to online (hotmail?) by avalys · · Score: 4, Funny

    You obviously get some kind of referrer bonus for sending people to their site. I count three links to shinyfeet.com in your post.

    And really, who the hell would want an email address with "ShinyFeet" in it?

    --
    This space intentionally left blank.
  12. What's considered a security bug? by Anonymous Coward · · Score: 5, Interesting

    This is pretty much the most basic question possible, but what do you consider to be the range of behaviors that qualify as security bugs?

    For example: do you consider features that require the user to do something insecure (like run as a local administrator) in order for that feature to work a bug? Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a hostile executable) a security bug?

    If you answered "Yes" to these questions, do you consider ActiveX web browser plugin support and hiding file extensions to be security bugs? How soon will a patch be available to fix these bugs? How does the timeframe from "discovery of bug" to "fix for bug" compare to your competitors' average time-to-fix for security bugs?

    Simple enough, really.

  13. Beating around the bush by camelmix · · Score: 2, Insightful

    I'm sure they will just beat around the bush like they always do. Gates's arrogance will trickle off.

  14. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  15. I have a question... by WAR-Ink · · Score: 2, Insightful

    1) Why can't you get software out the door that doesn't contain security flaws that you will be spending the next 6 years trying to fix, and still not get it right?

    2) Word association: Microsoft -> buffer overflow.

    3) Do you understand the concept of "Deny All Except" or has it ever been mentioned to you?

    4) Do the 1 million monkeys Douglas Adams referred to work in Redmond?

    5) Why is Bill Gates such an ass?

    6) Who will protect us from Microsoft?

    Ok. So it was more than one question. But one wasn't technically a question.

    1. Re:I have a question... by radish · · Score: 2, Funny

      How on earth did that get modded "Informative"?

      --
      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  16. Don't do it, it's a trick by frovingslosh · · Score: 4, Insightful

    Come on, does anyone really think that Microsoft is going to select any of the tough questions that they really don't want to address? This is a sham. It gives them a way to say that they responded to users' concerns, when in reality they will pick and choose things that can make them look good or give them a chance to attack open source. The more people who participate in this sham the more it serves their purposes.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  17. Time 2 Market vs Security & Fiduciary duties by team99parody · · Score: 4, Insightful
    Dear Microsoft - it's long been known by us shareholders that your stock has only flown so high because you understood the proper tradeoffs between security (slow and unprofitable) and time to market (== profit == shareholder value).

    How can you be betraying your feduciary responsibilities to shareholders by delaying products in the name of security, which history has proven that your corporate customers don't give a damn about anyway.

    To avoid shareholder lawsuits of you not acting in what has historically been shown to be the best for your shareholders, why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held?

  18. I asked by RealAlaskan · · Score: 4, Interesting
    Gates recently declared security to be "Job One".

    Why wasn't it a high priority from the beginning, and why haven't we seen any meaningful results?

    The first part of that question is legitimate, and not flame bait.
    The second part we can almost say that about: it would at least give them the chance to boast.

    I predict we won't see an answer to either part.

    1. Re:I asked by RaffiRai · · Score: 2, Insightful

      Not to defend MS, but that's trolling. "Security" wasn't a high priority in the beginning because it didn't exist as a highly important factor until like 1999. XP is based on 2000 which is based on NT 4.0 which is based on NT 3.51. There's no way they could have foreseen security being as important to the computer world as it is now. Granted, it took them a bit to realize it, but they can't change the entire NT codebase without releasing a new OS, which they're doing. SP2 is about all they can do without making fundamental changes.

      Why am I defending MS? I don't like them...

    2. Re:I asked by praxis · · Score: 2, Interesting

      If you take a look at the vulnerabilities found in the first six months of Windows 2000 Server being on the market and the vulnerabilities found in the first six months of Windows Server 2003 being on the market, you'll note that the number has gone down dramatically (I don't remember the exact figures). Also, for many vulnerabilities, a default 2003 installation will not expose the vulnerable area whereas a default 2000 installation will. Those are meaningful results.

  19. What the hell. by killjoe · · Score: 2, Insightful

    Has ZDNET given up even the pretense of being a tech magazine? Have they finally embraced the fact that they are nothing more than a thinly veiled publicity arm of Microsoft?

    Where are the real journalists asking the tough questions to the executives of MS and other tech firms? Instead they invite questions from the public where the "experts" will pick the softballs and spew on and on about how safe, secure and super-duper-keen-nifty Windows is compared to that communist Linux.

    --
    evil is as evil does
  20. Answering template by gmuslera · · Score: 4, Funny
    Dear Microsoft customer:

    42

  21. Benefits of Firefox and competition by augustz · · Score: 2, Interesting

    With ActiveX, when all the junk spyware sites would try to install software, it was impossible to always deny the publisher install rights, but you could easily ALWAYS allow publishers to load up your computer with the worst junk imaginable.

    If you've ever been to a retirement home using Internet Explorer on a shared computer, you would laugh at how much junk computers would be loaded with.

    Along came Firefox, and with it the freedom from training folks to click a million times no to a million ActiveX dialogs. Pop-ups and other forms of nastiness reduced.

    All of a sudden a fire seems to have been lit under Microsoft around security and its browser.

    Aside from the above listed changes, what other positive changes do you think Microsoft will introduce as a result of some competition, particularly in the browser space, but also elsewhere?

  22. They have it backwards by starling · · Score: 5, Funny

    Based on past performance, the MS security gurus should be asking questions of the general public.

  23. What I posed by Amoeba · · Score: 2, Interesting
    What I posed to them was "What is the current status of the Mako project and which of the 3 focus areas has been the most difficult to implement and why? We've seen some movement in the firewall/anti-virus area but I've read or seen little regarding the dynamic-systems-protection or behavioral blocking."

    Quick background on Mako: http://www.microsoft-watch.com/article2/0,1995,1764087,00.asp

    Having previously been a contractor at Microsoft and being intimately familiar with the security setup of their online properties (Hotmail, Passport, Messenger, etc.), the dynamic systems protection area was one that would get the most play (and benefit) on the server side. Automagically monitoring system state and port management would be extremely useful if it was a part of the server OS.

    --
    Do not taunt Happy-Fun Ball
  24. My question... by cperciva · · Score: 4, Interesting
    On March 2nd, I reported to the Microsoft Security Response Center a serious flaw in the implementation of Hyper-Threading on recent Intel processors requiring operating system patches. On May 13th, FreeBSD issued a patch, and several other operating systems have followed suit since then.

    When will Microsoft issue a patch or advisory concerning this?

    Of course, most Linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...
  25. Slashdot Interview Questions by bizard · · Score: 2, Interesting

    Instead of flooding them with so many questions that they can easily ignore the hard-hitting ones, how about a Slashdot Interview style selection of good questions which we then submit as a group?

  26. Re:/. em by pg110404 · · Score: 4, Interesting

    "We should show them the /. effect and send nothing but Linux security questions"

    And it would be just as much a waste of effort. The current design of Windows is so flawed when it comes to security that if Microsoft actually listened to their customers, they would have to revamp their entire security model in the OS, breaking just about everything in Windows. Microsoft is in a very tight spot right now with their design of Windows, and anything more than lip service on their part would mean making a very hard decision to change the OS so fundamentally that it is not compatible with its predecessors, which is something they cannot afford to do. As it stands, the security or lack of security in Windows will remain for quite some time.

    There are tricks they can use to minimize the damage once security has been breached. For example, upgrade the ActiveX layer to allow a 'read-only' mode for a given process, wherein the first thing the web browser does when it starts up is to neuter itself. Whether you run IE as administrator or not, it's a safe bet that more harm than good can be done letting it run silently. By having IE issue a call to a one-way demotion of privileges, along with a 'this application is trying to do this. Enter your administrator password to override for this one-time occasion', it would vastly improve but not solve the security problems. With this simple trick, spyware-infested web sites would have a much harder time installing their wares without you knowing about it. Again, it wouldn't solve that security problem, but it would greatly improve it.

    Then again, maybe, yeah. We SHOULD ask them how to secure our linux boxes better. At least I'd get a kick out of the reaction from the microsoft soldiers.
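The "one-way demotion of privileges" the post above asks for has a direct POSIX analogue, and the difference between a reversible and an irreversible drop is the whole point. The following is an added example written for this page; it is not Windows or IE code and not anything from the thread. On Linux, `seteuid()` changes only the effective uid and leaves the saved uid privileged, so the process can switch back; `setresuid()` with all three ids (real, effective, saved) set to the unprivileged id leaves nothing to climb back to. Each drop runs in a forked child so the calling process keeps its own credentials; the uid 65534 ("nobody") is an assumption and the result is only meaningful when run as root.

```python
"""Reversible (seteuid) vs one-way (setresuid) privilege demotion on Linux.

Added example for this thread; not Windows code and not from any poster.
Each drop is performed in a forked child so the parent's credentials are
never changed. Run as root to see the difference; as a normal user both
drops are "to ourselves" and neither can climb to uid 0.
"""
import os

UNPRIVILEGED_UID = 65534  # conventional "nobody" on many Linux systems (assumption)


def _run_in_child(fn):
    """Run fn() in a forked child and hand its integer result back through the
    exit status. Exit code 2 means the drop itself failed."""
    pid = os.fork()
    if pid == 0:  # child
        try:
            code = fn()
        except Exception:
            code = 2
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def _can_regain(original_uid):
    """After a drop, try to become original_uid again.
    1 = the kernel let us back in (drop was reversible), 0 = refused."""
    try:
        os.seteuid(original_uid)
        return 1
    except PermissionError:
        return 0


def drop_with_seteuid(target_uid, original_uid):
    """Reversible demotion: only the effective uid changes; the saved uid
    still holds the privileged id, so seteuid(original) succeeds later."""
    os.seteuid(target_uid)
    return _can_regain(original_uid)


def drop_with_setresuid(target_uid, original_uid):
    """One-way demotion: real, effective and saved uid all become target_uid,
    so there is no privileged id left to return to."""
    os.setresuid(target_uid, target_uid, target_uid)
    return _can_regain(original_uid)


def demo(target_uid=UNPRIVILEGED_UID):
    """Return (seteuid_reversible, setresuid_reversible).

    As root: (True, False) -- seteuid can be undone, setresuid cannot.
    As a normal user we may only change to our own uid, so we demote "to
    ourselves" and test whether we can reach uid 0 (we never can): (False, False).
    """
    original_uid = os.geteuid()
    if original_uid != 0:
        target_uid = original_uid
        original_uid = 0
    results = []
    for drop in (drop_with_seteuid, drop_with_setresuid):
        code = _run_in_child(lambda: drop(target_uid, original_uid))
        if code == 2:
            raise RuntimeError(f"{drop.__name__} could not change uid")
        results.append(code == 1)
    return tuple(results)


if __name__ == "__main__":
    seteuid_rev, setresuid_rev = demo()
    print(f"seteuid   drop reversible: {seteuid_rev}")
    print(f"setresuid drop reversible: {setresuid_rev}")
```

The lesson for the browser-neuters-itself design in the post is the second line: a demotion that can be undone by the same process is no protection against code running inside that process, so the drop has to be one that the kernel will not reverse.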

  27. Corollary: by temojen · · Score: 2, Interesting

    Is there an easy way to see which files have been denied access to (and what types of access) so admins can set ACLs quickly to allow regular users to use programs which normally require administrator access, but shouldn't (i.e. Simply Accounting)?

    1. Re:Corollary: by csirac · · Score: 4, Informative

      Over at sysinternals.com, there's Filemon and Regmon. These are real-time registry/file activity loggers that will show which processes access which files with the result code (open success/fail/permission denied/disk full/file not found/etc). These are absolutely invaluable tools, especially when you come across a new virus that your virus scanner doesn't pick up, and for general bug hunting... sysinternals has the most useful tools that I really miss from the unix world.
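Once Filemon or Regmon has captured a session, the admin still has to turn thousands of rows into the handful of paths that actually need an ACL change, and to notice the denials that should stay denied. The script below is an added example for this page, not part of the thread or of the Sysinternals tools. It assumes a CSV export with the column layout of a Process Monitor export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample rows and the list of protected prefixes are constructed for the example. It groups ACCESS DENIED rows by process and path, records which access was wanted, and separates the program's own data and registry keys (candidates for a narrow grant) from denials on protected system objects that a non-admin should keep getting.

```python
"""Summarise ACCESS DENIED events from a Filemon/Regmon/Process Monitor-style CSV.

Added example for this thread, not from Sysinternals or any poster. The
column layout is an assumption modelled on a Process Monitor CSV export;
SAMPLE_LOG and PROTECTED_PREFIXES are constructed for the example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: an accounting program run as a non-admin user.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:12:01.001","acct.exe","1204","CreateFile","C:\\Program Files\\Acct\\ledger.dat","ACCESS DENIED","Desired Access: Generic Write"
"9:12:01.002","acct.exe","1204","CreateFile","C:\\Program Files\\Acct\\ledger.dat","ACCESS DENIED","Desired Access: Generic Write"
"9:12:01.010","acct.exe","1204","RegOpenKey","HKLM\\SOFTWARE\\Acct\\Settings","ACCESS DENIED","Desired Access: Write"
"9:12:01.020","acct.exe","1204","CreateFile","C:\\Windows\\System32\\config\\SAM","ACCESS DENIED","Desired Access: Read"
"9:12:02.000","acct.exe","1204","CreateFile","C:\\Users\\alice\\reports\\q1.txt","SUCCESS","Desired Access: Generic Read"
"9:12:03.000","explorer.exe","880","QueryOpen","C:\\Users\\alice\\Desktop","SUCCESS",""
"""

# Objects a non-admin is supposed to be denied; a denial here is not an ACL
# problem to "fix" but a reason to ask why the program wants them (assumption,
# a real list would be longer).
PROTECTED_PREFIXES = (
    "C:\\Windows\\System32\\config\\",
    "HKLM\\SAM",
    "HKLM\\SECURITY",
)

ACCESS_PREFIX = "Desired Access: "


def parse_denials(log_text):
    """Return {(process, path): {"count", "operations", "access"}} for every
    ACCESS DENIED row; successful operations are ignored."""
    denials = defaultdict(lambda: {"count": 0, "operations": set(), "access": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Result"] != "ACCESS DENIED":
            continue
        entry = denials[(row["Process Name"], row["Path"])]
        entry["count"] += 1
        entry["operations"].add(row["Operation"])
        if row["Detail"].startswith(ACCESS_PREFIX):
            entry["access"].add(row["Detail"][len(ACCESS_PREFIX):])
    return dict(denials)


def classify(denials):
    """Split denials into ACL candidates and denials on protected objects."""
    candidates, suspicious = [], []
    for (process, path), info in sorted(denials.items()):
        record = {"process": process, "path": path, **info}
        if path.startswith(PROTECTED_PREFIXES):
            suspicious.append(record)
        else:
            candidates.append(record)
    return candidates, suspicious


def report(log_text):
    """Human-readable summary an admin can act on."""
    candidates, suspicious = classify(parse_denials(log_text))
    lines = ["Denied to the non-admin user (candidates for a narrow ACL grant):"]
    for r in candidates:
        lines.append(f"  {r['process']} -> {r['path']}  x{r['count']}  "
                     f"ops={sorted(r['operations'])} access={sorted(r['access'])}")
    lines.append("Denied on protected objects (leave denied; investigate the program):")
    for r in suspicious:
        lines.append(f"  {r['process']} -> {r['path']}  access={sorted(r['access'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The grant list is deliberately per path and per access type: the goal is to give the accounting program write access to its own ledger and settings key, not to make the user an administrator or to open the whole program directory.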

  28. Where are the tools? by disposable60 · · Score: 3, Insightful

    Microsoft apparently has fine-grained access, rights and permissions built into Windows XP. Where are the tools to manage those permissions?

    By the way - HOME users need those tools, too. They would (could) go a long way to preventing zombification.

    --
    You're looking for quotes? See my journal.
  29. Strange error message: by a_greer2005 · · Score: 2, Funny

    My question: I keep getting this strange error message "0-\/\/-/\/-3-|) by Cowboy Neal, He Be 1337 hax0r". Is that a security threat that I should worry about?

  30. Re:/. em by jojo+tdfb · · Score: 2, Interesting

    You know Microsoft has a Linux lab, right? The problem is they probably could answer your questions and possibly seal up a few security issues that could have bitten you in the ass later. You're right about Windows being a flawed model, but they said the same thing about Unix 20 years ago. All security models are flawed that allow people in to do things like "run programs" and "view data".

    I've yet to see a secure os and it's not from lack of effort. I've been looking for an os that doesn't suck for years.

    --
    Linux is really boring from an os standpoint. Now Plan 9......
  31. Re:I question the "guru" title by jojo+tdfb · · Score: 2, Funny

    If they're gurus... why are there still issues after hundreds of "fixes" over the years?

    The same reason Linus and hundreds of other people still do patches to Linux. No software is truly finished and secure. Not even Hello World. There's a really nasty buffer overflow in that one. I don't even know why people still use it.

    --
    Linux is really boring from an os standpoint. Now Plan 9......
  32. How can users submit bug reports? by jondt · · Score: 2, Interesting

    I've got a question here. When I find security bugs in your software, how on earth can they be submitted for you to fix them? The support page offers little guidance.

    Last time I found a security bug in IE, I ended up e-mailing it to Scobleizer who thankfully picked up on it quickly. This doesn't seem like a very effective system though!

    -dgr

  33. don't worry, be happy. by Erris · · Score: 2, Funny
    Dear Valued Cu^H^H Shareholder,

    You ask us "How can you be betraying your fiduciary [konqueror spell check used, thank you] responsibilities to shareholders by delaying products in the name of security ... why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held."

    Don't worry, our future products (TM) will always be buggy. The only problem is that we are out of start-ups to screw out of mature programs because all the developers and startups are now geared to Linux, that evil un-American cancer that's draining the life blood out of the stocks you were so foolish to buy from us. In time, if you click your heels together three times and chant, "No stock is better than Microsoft stock," we promise that you will feel better. This works remarkably well for our software users and is the basis of our famous $50/hour phone support. If you are really lucky, hardware manufacturers will collude with us to lock out Linux and all other software, leaving nothing but buggy junk for those without keys. At that time Microsoft will internally switch to Linux and our relative productivity will dynamically soar, and the predicted dinosaur domination will be a reality.

    Have a nice day.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  34. Re:/. em by Anonymous Coward · · Score: 2, Funny

    Come on now, bit much to ask that Longhorn can run OS9 apps isn't it?