Slashdot Mirror


MS Invites Security Questions

daria42 writes "Microsoft is inviting ZDNet readers to submit security-related questions online to a team of Microsoft security gurus. Microsoft's Ben English and his team will take questions online until the 30th of May. A selection of questions and answers will be published by ZDNet starting from the 6th of June. Submit your questions starting now!"

22 of 259 comments

  1. What I asked by Dante · · Score: 5, Insightful

    Why does Microsoft not eat its own dogfood? As a network administrator
    I'm constantly struggling with rights on workstations. I know that MS
    gives admin rights to all of its own users. (I live in Seattle; I've seen
    it.) But I can think of no security hole larger than giving out rights
    to users who *SHOULD* not need them.

    There is a laundry list of applications written *by* Microsoft that do
    not work properly without additional rights.

    This has been true since NT 3.51. How did this happen? Upgrading to
    Longhorn is not a solution. If I worked for Microsoft this would be
    my first priority. Take away rights, fix existing applications.

    --
    "think of it as evolution in action"
    1. Re:What I asked by dwlovell · · Score: 4, Interesting

      They are trying. Clearly the previous OSes didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003, despite a few jumps and hoops.

      See Aaron Margosis' blog on msdn.

      A choice quote:
      "My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles. Hey, y'all! We need to lead by example. People look to us for best practices, for the right way to do things. We are trying to convince the world that we are thought leaders in software and in software security. In the Unix world, they never run as root except when necessary. They "su", do what they need to do, and revert back. We are not leaders when we run as root all the time. Comrades: you need to run as "User", and your customers need to see you doing it. If you run into issues, don't add yourself back to the admins group - file a bug against the offending product. Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, "You're not setting a very good example. I am disappointed.""

      So when Longhorn is released we can see if they made good on this idea, but until then, they openly agree with you and are working towards making it the standard to not run as root.

      -David
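One defender-side way to act on the point both posts make (find the workstations where users hold local admin rights they should not need, so the rights can be taken away and the offending applications fixed), as an added example that is not part of the thread. The computer names and the list of accounts allowed to be administrators are placeholders, and the script assumes you hold administrative access to the target machines.

```powershell
# Added example (not from the thread): audit local Administrators membership on a set
# of workstations and report every member that is not on the expected list.
# Assumptions: admin access to the targets, the WinNT ADSI provider can reach them,
# and the computer names / expected accounts below are placeholders for your own.
param(
    [string[]]$Computers = @('WORKSTATION01', 'WORKSTATION02'),   # placeholder names
    [string[]]$Expected  = @('Administrator', 'Domain Admins')    # accounts allowed to be admins
)

function Get-LocalAdmins {
    param([string]$Computer)
    # The WinNT provider enumerates the local group without needing PowerShell remoting.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read their properties by reflection.
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        [pscustomobject]@{ Computer = $Computer; Member = $name; Path = $path }
    }
}

foreach ($c in $Computers) {
    try {
        Get-LocalAdmins -Computer $c |
            Where-Object { $Expected -notcontains $_.Member } |
            ForEach-Object {
                # Each line is a right that a user has but (per the expected list) should not need.
                Write-Output ("{0}: unexpected local admin '{1}' ({2})" -f $_.Computer, $_.Member, $_.Path)
            }
    } catch {
        Write-Warning ("{0}: could not enumerate Administrators ({1})" -f $c, $_.Exception.Message)
    }
}
```

The `Path` column (for example a `WinNT://DOMAIN/user` prefix) tells you whether the member is a local or a domain account, which decides where the right has to be revoked.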

  2. I Just Asked them the Big Question by mfh · · Score: 3, Insightful

    My Question
    Why don't you open up your source? I have an analogy to Open and Closed source:

    With closed source, you are in a room full of razor blades everywhere and you are blindfolded. With Open Source, you are in a room full of razor blades everywhere and you are NOT blindfolded, so you can see where the exit is and perhaps avoid getting too cut up.

    Which is really safer, closed or open source? Would you rather be blindfolded?

    --
    The dangers of knowledge trigger emotional distress in human beings.
  3. Unbiased? by nizo · · Score: 5, Interesting

    If the Microsoft team gets to pick which questions are answered, I doubt this will be akin to Achilles waving his naked foot right under Paris' nose, since questions like, "Why is Microsoft's security better than Linux security?" are more likely to get answered than questions like, "When did Microsoft hire a team of security gurus?"

    1. Re:Unbiased? by jerometremblay · · Score: 4, Insightful

      Microsoft is full of brilliant people with good ideas and good intentions.

      However, other forces within the company are sometimes (some will argue always) taking over. If the suits decide that they prefer more features over fewer bugs, or if they set impossible deadlines, good people aren't enough.

  4. In other news... by cainpitt · · Score: 5, Funny

    Slashdot asks what kind of story will really bring the M$ bashing to an all time high?

    1. Re:In other news... by Doc+Ruby · · Score: 4, Insightful

      That would be "the truth". The truth about Microsoft is unparalleled bashing grounds.

      --
      make install -not war

  5. what doesn't get answered by sumdumass · · Score: 4, Insightful

    It would be nice to see the questions that don't get answered. It would be interesting to see if some questions get glossed over or ignored because of some inherent design flaw.

    Maybe someone would make a list of all the questions and group all the similar ones together in order to create something like this. I guess Microsoft is feeling the heat from other vendors stating that Microsoft isn't as secure as their products.

  6. Question: by lunchlady55 · · Score: 5, Funny

    How do you keep your jobs?
    I'm assuming you've got some excellent blackmail material on someone in HR but I'd like to know for sure.

  7. We all know what will happen. by Psionicist · · Score: 5, Insightful

    They will ignore everything and give generic answers to worthless questions such as "how do I secure my home computer". The answer will probably be something like "use the Microsoft firewall and the Microsoft anti-spyware program, and a Microsoft antivirus program on your genuine Microsoft Windows XP operating system".

    Nothing to see here, move along.

  8. Re:does this apply to online (hotmail?) by avalys · · Score: 4, Funny

    You obviously get some kind of referrer bonus for sending people to their site. I count three links to shinyfeet.com in your post.

    And really, who the hell would want an email address with "ShinyFeet" in it?

    --
    This space intentionally left blank.
  9. What's considered a security bug? by Anonymous Coward · · Score: 5, Interesting

    This is pretty much the most basic question possible, but what do you consider to be the range of behaviors that qualify as security bugs?

    For example: do you consider features that require the user to do something insecure (like run as a local administrator) in order for that feature to work a bug? Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a hostile executable) a security bug?

    If you answered "Yes" to these questions, do you consider ActiveX web browser plugin support and hiding file extensions to be security bugs? How soon will a patch be available to fix these bugs? How does the timeframe from "discovery of bug" to "fix for bug" compare to your competitors' average time-to-fix for security bugs?

    Simple enough, really.

  10. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  11. Don't do it, it's a trick by frovingslosh · · Score: 4, Insightful

    Come on, does anyone really think that Microsoft is going to select any of the tough questions that they really don't want to address? This is a sham. It gives them a way to say that they responded to users' concerns, when in reality they will pick and choose things that can make them look good or give them a chance to attack open source. The more people who participate in this sham, the more it serves their purposes.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  12. Time 2 Market vs Security & Fiduciary duties by team99parody · · Score: 4, Insightful

    Dear Microsoft - it's long been known by us shareholders that your stock has only flown so high because you understood the proper tradeoffs between security (slow and unprofitable) and time to market (== profit == shareholder value).

    How can you be betraying your fiduciary responsibilities to shareholders by delaying products in the name of security, which history has proven that your corporate customers don't give a damn about anyway?

    To avoid shareholder lawsuits over not acting in what has historically been shown to be the best for your shareholders, why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held?

  13. I asked by RealAlaskan · · Score: 4, Interesting

    Gates recently declared security to be "Job One".

    Why wasn't it a high priority from the beginning, and why haven't we seen any meaningful results?

    The first part of that question is legitimate, and not flame bait.
    The second part we can almost say that about: it would at least give them the chance to boast.

    I predict we won't see an answer to either part.

  14. Answering template by gmuslera · · Score: 4, Funny

    Dear Microsoft customer:

    42

  15. They have it backwards by starling · · Score: 5, Funny

    Based on past performance, the MS security gurus should be asking questions of the general public.

  16. My question... by cperciva · · Score: 4, Interesting

    On March 2nd, I reported to the Microsoft Security Response Center a serious flaw in the implementation of Hyper-Threading on recent Intel processors requiring operating system patches. On May 13th, FreeBSD issued a patch, and several other operating systems have followed suit since then.

    When will Microsoft issue a patch or advisory concerning this?

    Of course, most Linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...

  17. Re:/. em by pg110404 · · Score: 4, Interesting

    We should show them the /. effect and send nothing but Linux security questions

    And it would be just as much a waste of effort. The current design of Windows is so flawed when it comes to security that if Microsoft actually listened to their customers, they would have to revamp their entire security model in the OS, breaking just about everything in Windows. Microsoft is in a very tight spot right now with their design of Windows, and anything more than lip service on their part would mean making a very hard decision to change the OS so fundamentally that it is not compatible with its predecessors, which is something they cannot afford to do. As it stands, the security or lack of security in Windows will remain for quite some time.

    There are tricks they can use to minimize the damage once security has been breached. For example, upgrade the ActiveX layer to allow a 'read-only' mode for a given process, wherein the first thing the web browser does when it starts up is to neuter itself. Whether you run IE as administrator or not, it's a safe bet that more harm than good can be done letting it run silently. Having IE issue a call to a one-way demotion of privileges, along with a 'this application is trying to do this. Enter your administrator password to override for this one-time occasion', would vastly improve but not solve the security problems. With this simple trick, spyware-infested web sites would have a much harder time installing their wares without you knowing about it. Again, it wouldn't solve that security problem, but it would greatly improve it.

    Then again, maybe, yeah. We SHOULD ask them how to secure our Linux boxes better. At least I'd get a kick out of the reaction from the Microsoft soldiers.

  18. Where are the tools? by disposable60 · · Score: 3, Insightful

    Microsoft apparently has fine-grained access, rights and permissions built into Windows XP. Where are the tools to manage those permissions?

    By the way - HOME users need those tools, too. They would (could) go a long way to preventing zombification.

    --
    You're looking for quotes? See my journal.

  19. Re:Corollary: by csirac · · Score: 4, Informative

    Over at sysinternals.com, there's Filemon, and Regmon. These are real-time registry/file activity loggers; they will show which processes access which files, with the result code (open success/fail/permission denied/disk full/file not found/etc.). These are absolutely invaluable tools, especially when you come across a new virus that your virus scanner doesn't pick up, and for general bug hunting... Sysinternals has the most useful tools that I really miss from the Unix world.