

How Microsoft Fights Off 100,000 Attacks A Month

El Lobo writes to mention a ComputerWorld article about Microsoft's battles with the Hackers of the world. The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie. The article discusses Microsoft's 'defense in depth' strategy, and discusses just some of the layers in that barrier. From the article: "The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in the fall of 2000, Microsoft installed a certificate-based Public Key Infrastructure and rolled out smart cards to all employees and contractors with remote access to the network and individuals with elevated access accounts such as domain administrators. Two-factor authentication requires that you have something physical, in this case the smart card, and also know something, in this case a password."

169 comments

  1. 100,000 a month...? by bhunachchicken · · Score: 5, Funny

    So, who's doing the other 99,999 then...? :)

    1. Re:100,000 a month...? by hotdiggitydawg · · Score: 4, Funny

      My guess would be some fella called "Windows Update"...

  2. Thanks! by moore.dustin · · Score: 5, Funny

    Thanks for passing all those protection and security measures you develop to your customers! Wait a tic...

    1. Re:Thanks! by Anonymous Coward · · Score: 0, Offtopic

      WHERE IS SARAH CONNOR

  3. How about the best step . . . by OverlordQ · · Score: 4, Insightful

    Keeping your vital data physically disconnected from the outside Internet. I know it'll cut off people who work remotely, but if it's that important, it's worth it.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:How about the best step . . . by bugnuts · · Score: 4, Insightful

      MS is big, and vital data are distributed in not-so-vital chunks throughout the organization and in different ways.

      Combined, it's all vital. But imho, saying "just cut the plug on the network" is not feasible and horribly short-sighted. MS has several web applications, update servers, search engines... what are you saying again? You propose they cut all that off, too? The damage is just as bad (if not worse) if their update servers get hacked instead of their personnel database.

      Network security covers a little more than just "vital data".

    2. Re:How about the best step . . . by Anonymous Coward · · Score: 2, Informative

      "Keeping your vital data physically disconnected from the outside Internet."

      Beyond that, Microsoft needs to control what executable code its employees can grab off the Internet. Apparently, even non-IT workers there can download and install almost anything. I know a contractor in technical support that just translates the phone conversations and really isn't a technical person at all. He just speaks multiple languages. And from what he tells me, he has no restrictions on his computer from installing software off the internet.

    3. Re:How about the best step . . . by danpsmith · · Score: 1
      Keeping your vital data physically disconnected from the outside Internet. I know it'll cut off people who work remotely, but if it's that important, it's worth it.

      Not only that, but if you think about it, providing remote access allows another point of entry for attack. All employees that use the remote access, even if trustworthy, can't be trusted to follow all security precautions when they aren't even at the office to begin with. If you are allowed full control over files remotely, you are basically exposing inside information to outside security risks, as even the neighbor kid could potentially delete your files if your employee is too sloppy security wise at home.

      --
      Judges and senates have been bought for gold; Esteem and love were never to be sold.
    4. Re:How about the best step . . . by diersing · · Score: 2, Interesting
      That's great, as long as the people that use the vital data (executives, accounting, legal, sales, tech support, etc) don't need to get to the internet. Or do you have a kiosk set up that everyone queues up at?

      I've worked for two large (150,000+) Fortune 100 companies. One was a bank and the other... the other employed scientists and let's just say their IP is the lifeblood of the business. And in my experience, no one is interested in disconnecting the data, it just isn't feasible (simple, yes). With two factor authentication, an IDS, and regular auditing a good remote access system is, IMHO, safer than LAN access. If it's designed and implemented well there is nothing to worry about.

      The thing you have to remember about information security is, if it's not available to the users that are authorized, it's considered down time and in most businesses, down time of the critical data is unacceptable.

    5. Re:How about the best step . . . by Oddscurity · · Score: 3, Interesting

      I've wondered about this update server before... does WinXP actually validate the stuff it downloads before installing it? Even if the update server is hard to compromise, some malware writer could have their malware auto-update by editing the hosts file.

      --
      Indeed!
    6. Re:How about the best step . . . by Anonymous Coward · · Score: 0

      Not only that, but if you think about it, providing remote access allows another point of entry for attack. All employees that use the remote access, even if trustworthy, can't be trusted to follow all security precautions when they aren't even at the office to begin with. If you are allowed full control over files remotely, you are basically exposing inside information to outside security risks, as even the neighbor kid could potentially delete your files if your employee is too sloppy security wise at home.

      That's why we use NAP.

    7. Re:How about the best step . . . by jacksonj04 · · Score: 2, Interesting

      I don't believe so, as anyone can run a WUS server which keeps a local copy of updates for other machines on the domain to install. I've not read anything on the auth mechanisms used, but that doesn't mean there isn't something out there.

      --
      How many people can read hex if only you and dead people can read hex?
  4. How to fend of 100,000 attacks a month by LatexBendyMan · · Score: 5, Funny

    They probably just run linux...

    1. Re:How to fend of 100,000 attacks a month by aliendisaster · · Score: 3, Interesting

      Actually, they do...to a point:

      http://news.netcraft.com/archives/2003/08/17/wwwmicrosoftcom_runs_linux_up_to_a_point_.html
      (old article and I wasn't able to duplicate their test so it may have changed)

      --
      Freedom is a state of mind. A mind is a state of being. Stay the fuck out of my mind and my being. - Corporate Avenger
    2. Re:How to fend of 100,000 attacks a month by Anonymous Coward · · Score: 1, Funny

      I hope those cocksmoking teabaggers remember to pay their $699 SCO licensing fee...

    3. Re:How to fend of 100,000 attacks a month by Savage-Rabbit · · Score: 2, Funny
      They probably just run linux...

      Gee.. that's a surprise! I always thought Microsoft fended off attackers by throwing chairs at them...

      There... now your cliché isn't lonely any more...
      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    4. Re:How to fend of 100,000 attacks a month by Overly+Critical+Guy · · Score: 2, Funny

      They throw Beowulf clusters of naked and petrified statues of Natalie Portman as hot grits run down their pants expect in Russia where they throw you when you're not welcoming your new overlords or when old people aren't using the Internet in Korea.

      --
      "Sufferin' succotash."
    5. Re:How to fend of 100,000 attacks a month by Savage-Rabbit · · Score: 4, Funny
      They throw Beowulf clusters of naked and petrified statues of Natalie Portman as hot grits run down their pants expect in Russia where they throw you when you're not welcoming your new overlords or when old people aren't using the Internet in Korea.


      Dude.... I wanted a quiet gathering of a few friendly clichés not a whole cliché convention!
      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    6. Re:How to fend of 100,000 attacks a month by Anonymous Coward · · Score: 0

      ...profit!

    7. Re:How to fend of 100,000 attacks a month by StarvingSE · · Score: 1

      When is slashdot going to start making t-shirts with all these great memes on it??? I know I'd buy one :)

      I mean come on... In soviet russia, T-shirt wears you! or I, for one, welcome our /. t-shirt wearing overlords.

      instant classics!!!

      --
      I got nothin'
    8. Re:How to fend of 100,000 attacks a month by markmier · · Score: 2, Funny

      I *AM* an overlord, you insensitive clod!

    9. Re:How to fend of 100,000 attacks a month by Jerry · · Score: 4, Interesting

      A few days ago I used Netcraft to take a look at what Microsoft was using for its servers.
      There were 355 servers listed. A few are "unknown", a few more are "Solaris" and some I don't recognize, but at least 1/3rd of them are Linux.

      --

      Running with Linux for over 20 years!

    10. Re:How to fend of 100,000 attacks a month by geekoid · · Score: 1

      You set us up the bomb!

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    11. Re:How to fend of 100,000 attacks a month by bvdbos · · Score: 1
    12. Re:How to fend of 100,000 attacks a month by Anonymous Coward · · Score: 0

      I, for one, welcome our /. t-shirt wearing overlords

      This is a Simpsons meme.

    13. Re:How to fend of 100,000 attacks a month by Firehed · · Score: 2, Insightful

      Now someone mod this post up to +5, Insightful and put the whole thing on a shirt, with the caption of "The Slashdot Moderation System at Work".

      --
      How are sites slashdotted when nobody reads TFAs?
    14. Re:How to fend of 100,000 attacks a month by Anonymous Coward · · Score: 2, Interesting

      I believe this is because Akamai does load balancing for them. I was at one of their 'gatherings' and the search guys claimed they ran the whole system on windows boxes which was apparently quite the challenge as windows boxes have not been traditionally used in that manner.

  5. That's funny... by stag_beetle · · Score: 5, Funny

    I thought the first thing you were supposed to do to protect against attacks was to ensure you aren't using Microsoft products in any part of your infrastructure...

    1. Re:That's funny... by mdm-adph · · Score: 3, Interesting

      Reminds me of the story from a long while back about a site touting the greatness of Windows Server Software (might actually have been a Microsoft site) -- well, somebody gets an error message one day, and it turns out the site was running Apache on Unix.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    2. Re:That's funny... by stag_beetle · · Score: 0, Offtopic

      Troll?! Don't you guys have a sense of humor?

    3. Re:That's funny... by maxwell+demon · · Score: 1

      Troll?! Don't you guys have a sense of humor?

      You must be new here. Slashdot humor always takes forms like "In Soviet Russia ...", "Imagine a Beowulf cluster ..." or "1. ... 2. ??? 3. Profit!"
      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:That's funny... by slashwritr · · Score: 3, Interesting

      I thought that those sites were actually Apple "enthusiast" sites, and they were running on Linux? This site confirms it; the article was in 2004, though, and those sites might be on Apple servers now.

    5. Re:That's funny... by Anonymous Coward · · Score: 0

      In Soviet Russia, Beowulf clusters YOU!

      1: Be in Soviet Russia
      2: Cluster mass amounts of social rejects
      3: ???
      4: PROFIT!

      From Beowulf: "Actually, the thrid step is taping them have sex with what little girls there are"

    6. Re:That's funny... by Lord+Ender · · Score: 1

      You are about as good at telling jokes as a clown fish.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    7. Re:That's funny... by Anonymous Coward · · Score: 0

      Well, yeah, but the point is that they aren't doing that. If they're able to lock things down and also "eat their own dogshit" then it's probably worthwhile to look to see how they do it.

      How would you secure a network, given the constraints that you're not allowed to run anything other than MS Windows (and also MS applications!!), and you're not allowed to unplug the network from the Internet?

  6. One word: by Salo2112 · · Score: 0, Troll

    linux!

  7. Over 100,000 every month by Rik+Sweeney · · Score: 2, Funny

    The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie.

    A network powered by Fedora Core 6...

    1. Re:Over 100,000 every month by IAmATuringMachine! · · Score: 1

      Fedora Core 6? What's that? I'm not really into Pokémon.

      --
      "Computer Science is no more about computers than astronomy is about telescopes."
      -E. W. Dijkstra
    2. Re:Over 100,000 every month by Fred_A · · Score: 4, Interesting

      Actually I don't know how they count their attacks, but just attach a host to the network for a while and observe and you'll see automated attacks nonstop.
      On my LAN gateway I have had a continuous stream of background SSH and misc Windows services attacks for years plus the occasional attempt at something more creative. Taking each of these into account I could probably arrive at thousands, if not tens of thousands per month.
      I don't know how many machines MS has online but since the article doesn't really say what counts as an attack, the number seems to be ridiculously small.

      --

      May contain traces of nut.
      Made from the freshest electrons.
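
The counting question raised in the comment above, as an added example that is not part of the original thread: the same gateway log gives very different "attack" totals depending on the unit counted. The log lines are constructed in the usual OpenSSH "Failed password" format, the addresses come from documentation ranges, and `ASSUMED_YEAR` and the 30-minute burst gap are assumptions.

```python
import re
from datetime import datetime, timedelta

# syslog timestamps carry no year; this value is an assumption for parsing only
ASSUMED_YEAR = 2006

# Constructed sample lines (not real traffic)
SAMPLE_LOG = """\
Nov 12 03:14:07 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Nov 12 03:14:09 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Nov 12 03:14:12 gw sshd[2213]: Failed password for root from 203.0.113.5 port 40031 ssh2
Nov 12 09:40:00 gw sshd[2290]: Accepted publickey for operator from 192.0.2.10 port 51000 ssh2
Nov 12 11:02:51 gw sshd[2301]: Failed password for root from 198.51.100.23 port 51515 ssh2
Nov 12 17:45:30 gw sshd[2388]: Failed password for invalid user test from 203.0.113.5 port 41200 ssh2
Nov 13 00:05:10 gw sshd[2412]: Failed password for root from 203.0.113.5 port 41877 ssh2
Nov 13 00:05:13 gw sshd[2412]: Failed password for root from 203.0.113.5 port 41877 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failures(lines):
    """Return (timestamp, source_ip) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(
                f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"
            )
            events.append((when, m.group(2)))
    return events


def count_attacks(lines, gap_minutes=30):
    """Count the same events under four different definitions of 'one attack'."""
    # Sort by source, then time, so bursts from one source are contiguous
    events = sorted(parse_failures(lines), key=lambda e: (e[1], e[0]))
    gap = timedelta(minutes=gap_minutes)

    bursts = 0
    prev_ip, prev_time = None, None
    for when, ip in events:
        # A new burst starts with a new source or after a quiet period
        if ip != prev_ip or when - prev_time > gap:
            bursts += 1
        prev_ip, prev_time = ip, when

    return {
        "attempts": len(events),                                    # every failed login
        "bursts": bursts,                                           # runs separated by a gap
        "source_days": len({(ip, when.date()) for when, ip in events}),
        "sources": len({ip for _, ip in events}),                   # distinct addresses
    }


if __name__ == "__main__":
    for unit, total in count_attacks(SAMPLE_LOG).items():
        print(f"{unit:12} {total}")
```
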
  8. Yeah, but... by Anonymous Coward · · Score: 0

    ... do they run Linux?

  9. I'm surprised... by pdbaby · · Score: 4, Insightful

    The article seems to say they only use Microsoft solutions to provide their security.
    I'm surprised they don't even have a little something from RSA. Is their solution that good (jokes aside!), or are they just suffering from major Not Invented Here syndrome?

    --
    Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
    1. Re:I'm surprised... by Anonymous Coward · · Score: 0

      The thing with Microsoft's NIH syndrome is that I only understood it after developing ABM (Anything But Microsoft) syndrome. Now I understand perfectly where the monopolist bastards are coming from.

    2. Re:I'm surprised... by Anonymous Coward · · Score: 1, Informative

      RSA is making their physical asset. They carry smart cards. RTFA.

      http://www.rsasecurity.com/node.asp?id=1173

    3. Re:I'm surprised... by db32 · · Score: 4, Insightful

      Do you honestly believe they would admit to using anything other than MS? Do you remember the noise that was made about their website being protected by a company using linux servers to protect it from denial of service stuff? Do you remember the noise that was made when that linux based company signed up with their silly streaming media shit and was able to stream windows media more efficiently from linux boxes than what equivalent Windows boxes could do? (The worst part about this was that it could only stream windows media content to windows computers, and linux clients couldn't do anything with the streaming media from the linux server).

      Give MS some credit...their Marketing/PR departments aren't stupid enough to talk about everyone else's products used to secure their network, but I have a hard time believing that their technical folks are stupid enough to restrict themselves to MS products. I mean I have heard people explain to me how MS Proxy is the best proxy ever, or how that other stupid MS firewall/proxy/server thing is the best for boundary protection...but I assume those people will never work in security at a decent sized company for long if at all. MS products have their uses as much as I dislike many of them...but if I ever had anyone working for me try to use an MS product for something like boundary protection I would slap them, repeatedly, in front of the whole IT department.

      --
      The only change I can believe in is what I find in my couch cushions.
    4. Re:I'm surprised... by yo_tuco · · Score: 1

      "The article seems to say they only use Microsoft solutions to provide their security."

      Apparently, Microsoft indirectly uses Linux on the front lines by partially outsourcing the management of their DNS servers. But the date on TFA is 2001. I have no idea if that is true today.

    5. Re:I'm surprised... by Anonymous Coward · · Score: 0

      Probably not accurate anymore.. i mean my memory may be bad but wasn't Hotmail all linux (before the buyout) back in 2001 until Microsoft converted everything to windows?

    6. Re:I'm surprised... by morgan_greywolf · · Score: 2

      Seriously. They might have a number of Microsoft products involved in running their VPN, but I'll bet it's mixed in with offerings from Cisco or Juniper. They could still claim it was an "all MS solution" since a Cisco ASA, for instance, is a "hardware appliance" and doesn't involve the use of software at all! (Damn, I can't say that with a straight face...)

    7. Re:I'm surprised... by Anonymous Coward · · Score: 0

      But this change was to protect from DOS attacks when their system got hit. It wasn't some "legacy" service that they intended to eventually migrate. But who knows.

    8. Re:I'm surprised... by Da_Weasel · · Score: 4, Informative
      Not exactly. Here is a quote from a case study that Microsoft published regarding the migration of hotmail from FreeBSD to Windows 2000.


      "The original builders of the application created a two-tier architecture built around various UNIX systems. FreeBSD, a UNIX-like system similar to the Linux operating system, was used to run the front-end Web servers that handled login, Microsoft Outlook Express, and Web-based content delivery tasks."

      ...


      "During June and July of 2000, the Hotmail site was converted from FreeBSD running Apache Web services to Windows 2000 Server running Microsoft Internet Information Services 5.0."


      You can read the case study here: http://www.microsoft.com/technet/interopmigration/case/hotmail/default.mspx

      --
      If you must!
    9. Re:I'm surprised... by ampmouse · · Score: 2, Informative

      Hotmail ran on FreeBSD until after 2001, but microsoft bought hotmail in 1998. So, microsoft was running hotmail on FreeBSD for over 4 years.

    10. Re:I'm surprised... by mackyrae · · Score: 1

      Actually, it is still correct. If you downloaded the Vista betas and RCs, you'd know they still use Akamai for some of their servers. And according to that article in The Register, "Following the debacle Microsoft has partially offloaded its DNS servers to Akamai Technologies - which tests suggest is running these servers on Linux." If they're still using Akamai, they're still using Linux.

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    11. Re:I'm surprised... by bmajik · · Score: 5, Informative

      funny you mention that - all outbound internet traffic from Microsoft's internal network goes through...

      wait for it..

      Microsoft ISA Server.

      There may be other stuff out in front of that, but I have no evidence that there is.

      I happen to dislike ISA server - because all of my traffic to the outside world goes through it, and if i notice it, it's because it did something i didn't like (like forgot how to resolve hostnames - that's pretty common). I used to complain about it every day.. i'd say stuff like "ISA server makes me want to quit my job" or "maybe i could buy a 28.8 modem and get reliable fast internet access while at work". But, ISA server has gotten a lot better and the # of times a week I curse my existence has gone way down. I'll complain to co-workers that "there is no excuse for this - i've run Squid before and there are never any problems", but to be honest, i've never run a squid cluster with over 100 nodes serving over 100,000 PCs, so it's not precisely apples to apples. And i've never put pre-production Squid code into a production environment -- which is exactly what we do with everything we make. My inbox has been on beta exchange for months, and over half the domain controllers here in Fargo are running Longhorn server builds.

      Same thing with wireless. We deployed WPA before most of the outside world had heard of it. Internally, it was the only way to get wireless at all. If your device didn't do WPA, you didn't get to connect.

      There are a few well-known "MS uses linux!!!!@#$!@#$ OMGZORZ!!!" stories out there, so i'll address the ones i am familiar with

      MS uses Linux to host MS.Com

      False. Microsoft.Com runs on windows servers. Microsoft has contracted with akamai to do geocaching of various web properties, and akamai uses linux to a large extent. This is why when you look at some MS.Com "machines" with tools like nmap, they'll come back as Linux boxes. they aren't MS machines, they aren't in any MS datacenter, and they aren't MS managed.

      Hotmail is all linux

      False. Hotmail was never linux. Hotmail has a distributed architecture, and at the time of acquisition, the front end machines were FreeBSD, and the back ends were Ultra enterprise 4500s. Eventually, the FE's were moved to Windows Server. My understanding is that they tried the transition using NT4 and it was miserable, and tried again with W2k and it was much much better. Eventually, all the Fe's got moved onto one of the server products (i don't remember if it was w2k or w2k3 before it was "done") and the hotmail capacity went UP.. i.e. re-writing the hotmail stuff natively for the new windows based platform has allowed hotmail to run more efficiently on less hardware, with lower management costs. The backend machines were still enormous sun boxes last time i asked about it a few years ago.. for a few reasons. 1) the investment in those was huge 2) the filesystem was completely customized for the application. I wouldn't be surprised if the back ends have also moved off of Sun machines. The back end boxes apparently did almost nothing with CPUs.. but lots and lots of disk IO. The custom filesystem is probably the biggest reason that moving back ends didn't happen earlier.

      It's important to Microsoft to run our own stuff everywhere we can, because it demonstrates to customers that the product can meet their capacity needs, and because real world use is the best test of big complex systems. There are a few things we are NOT self hosting on yet - for instance, I am in the Business Division and while we sell a variety of ERP programs (from companies we've acquired), we still use 3rd party ERP systems to run "Microsoft, the Company". Those of you with ERP experience will understand that this is not something you transition "over nite" or "just because". It is a goal for us in the Business Division to move MS onto our ERP stuff internally - it adds additional credibility to our products when we can tell customers "it can run Microsoft, so it can probably run your stuff". And our competitors _love_ saying things like "why buy MS's version of blah, they don't even use it themselves!"

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    12. Re:I'm surprised... by UnknowingFool · · Score: 2, Interesting

      I would think the article should be more appropriately titled: How Microsoft Implements VPN Security to Fend off 100,000 Attacks. I have no doubts that MS uses companies' solutions like routers and firewalls as part of their overall security. This article was all about VPN security.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    13. Re:I'm surprised... by multipartmixed · · Score: 1

      Do you remember the guffaws resounding throughout /. and other geek websites when MS first tried to transition hotmail from freebsd to Windows NT?

      --

      Do daemons dream of electric sleep()?
    14. Re:I'm surprised... by db32 · · Score: 1

      Well the hosting MS.com thing is what I was referring to, however, I deliberately avoided saying that exactly because I know that to not be the case. It is exactly as you described, the akamai thing, I just couldn't remember any of the names involved. I made no "MS uses linux!!!!@#$!@#$ OMGZORZ!!!" claim. I just mentioned the MS/linux related stories and how MS did quite a song and dance avoiding saying anything clearly about either situation.

      Beyond that I don't know how WPA has anything to do with this at all. That is a bit like saying our network was Ethernet and we deployed it while most of the world was still using coax. Completely unrelated.

      Again, I have a VERY hard time believing they are using ISA server for boundary protection for their enterprise network. I wouldn't be terribly surprised if they used it in some fashion internally for some mystery bloat reason, but it would be dumb. Further it would largely be equally stupid to field some linux box with squid running for a very large enterprise. I imagine they would be smart enough to invest in something like BlueCoat stuff or Sidewinder stuff or any number of enterprise level products rather than relying on some small business level product like ISA server.

      --
      The only change I can believe in is what I find in my couch cushions.
    15. Re:I'm surprised... by bmajik · · Score: 1

      Oh - i didn't mean to put words in your mouth and accuse _you_ of the OMGZORZ stuff. I was just addressing commonly heard points of view that are related to the topic at hand.

      WPA was somewhat of a departure at the time from WEP, because it had some aspect of certificates and key management. Our WPA stuff is linked to our domain credentials and gets pushed down via group policy / certificate enrollment. _that_ certainly wasn't very common in 2001 or so.

      As far as ISA server goes - I can't say for sure or not. Last time i looked, the external hostnames of the proxy cluster were tideXX.microsoft.com (i.e. tide55.microsoft.com). (I'm not disclosing secret info here or anything either - any cursory examination of HTTP logs would reveal lots and lots of hits from these addresses).

      Assuming you can find a sufficiently ethical/legal way to do tcp fingerprinting, you might try it on one of those machines and see what it comes back as. I can't say for sure that you're wrong, but i absolutely know for a fact that all my outbound traffic goes through ISA server. There are some good reasons to use it, btw. HTTPS stream inspection, for one, and also, for policy based logging, allowing non-HTTPS traffic out but according to centralized rules, etc.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    16. Re:I'm surprised... by Jerry · · Score: 1

      A few days ago I used Netcraft to take a look at what Microsoft was using for its servers.
      There were 355 servers listed. A few are "unknown", a few more are "Solaris" and some I don't recognize, but at least 1/3rd of them are Linux.

      --

      Running with Linux for over 20 years!

    17. Re:I'm surprised... by Anonymous Coward · · Score: 0

      come on boy!, NT is dead.

    18. Re:I'm surprised... by sbben · · Score: 1

      Do you remember the noise generated when Microsoft started talking to Novell?

      Sometimes flirting with the enemy can be advantageous as it shows they recognize the competition and its presence. Let's face it, Microsoft isn't necessarily ahead when it comes to security.

    19. Re:I'm surprised... by db32 · · Score: 1

      ISA server really has no benefit beyond it is cheaper than the dedicated devices. A BlueCoat is WAY more impressive caching/proxy/filtering proxy and has far more capabilities (BlueCoat is not software you install on a Win/Lin/Etc server, it is a device). I'm not sure what exactly you mean by HTTPS stream inspection since the whole point is that it is encrypted and can't be looked into. ANY application level proxy should be inspecting all HTTPS/HTTP/SMTP/FTP/etc protocol stuff for well formed commands (IE most MTAs send commands in a particular order, so if they don't happen in that order you can reasonably assume that there is a high probability it is a script kiddie/spam zombie) but unless you are the victim of a MitM type attack they shouldn't be able to look into HTTPS data. Really the features you mention should be a bare minimum for something on the boundary.

      --
      The only change I can believe in is what I find in my couch cushions.
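
The command-order check described in the comment above, as an added example that is not part of the original thread and not code from ISA Server, BlueCoat or any other product named in it. It applies the basic RFC 5321 ordering to the client side of an SMTP session; the sample sessions and all function names are constructed for illustration.

```python
# Session states for the client side of an SMTP conversation
START, GREETED, MAIL, RCPT = "start", "greeted", "mail", "rcpt"

# Verbs that are acceptable in any state and do not change it
ANYTIME = {"NOOP", "VRFY", "HELP", "QUIT"}


def verb_of(line):
    """Upper-cased SMTP verb of a client line: 'mail from:<a@b>' -> 'MAIL'."""
    parts = line.strip().split(None, 1)
    return parts[0].upper() if parts else ""


def check_session(client_lines):
    """Return a list of (line_no, verb, reason) for commands sent out of order.

    A rejected command leaves the state unchanged, as a server answering
    "503 bad sequence of commands" would.
    """
    state = START
    in_data = False
    violations = []

    for line_no, line in enumerate(client_lines, 1):
        if in_data:
            # Message body: only the lone dot that ends DATA matters here
            if line.strip() == ".":
                in_data = False
                state = GREETED
            continue

        verb = verb_of(line)
        reason = None

        if verb in ANYTIME:
            pass
        elif verb in ("HELO", "EHLO"):
            state = GREETED          # a greeting also resets any open transaction
        elif verb == "RSET":
            if state != START:
                state = GREETED
        elif verb == "STARTTLS":
            if state == GREETED:
                state = START        # client must greet again after the TLS handshake
            else:
                reason = "STARTTLS outside a greeted, idle session"
        elif verb == "MAIL":
            if state == GREETED:
                state = MAIL
            elif state == START:
                reason = "MAIL before HELO/EHLO"
            else:
                reason = "MAIL while a transaction is already open"
        elif verb == "RCPT":
            if state in (MAIL, RCPT):
                state = RCPT
            else:
                reason = "RCPT without MAIL"
        elif verb == "DATA":
            if state == RCPT:
                in_data = True
            else:
                reason = "DATA without RCPT"
        else:
            reason = "unknown command"

        if reason:
            violations.append((line_no, verb, reason))
    return violations


# Constructed sessions (client lines only)
WELL_FORMED = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hi",
    "",
    "hello",
    ".",
    "QUIT",
]
NO_GREETING = [
    "MAIL FROM:<x@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "QUIT",
]
SKIPPED_RCPT = [
    "HELO client.example.org",
    "MAIL FROM:<a@example.org>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for name, session in [("well-formed", WELL_FORMED),
                          ("no greeting", NO_GREETING),
                          ("skipped RCPT", SKIPPED_RCPT)]:
        print(name, check_session(session))
```
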
    20. Re:I'm surprised... by multipartmixed · · Score: 1

      So is FreeBSD 2.x. What's your point?

      --

      Do daemons dream of electric sleep()?
    21. Re:I'm surprised... by Christopher_Edwardz · · Score: 1
      The article seems to say they only use Microsoft solutions to provide their security.

      emphasis mine on the following.

      from the article:

      a program run from the network scans the computer for security
      The scanning program coordinates with Microsoft's methods for deploying patches
      Microsoft's preferred antivirus software must be installed

      They never mention that the "scanning program" is a miker$of product. It could be, but the article doesn't say. With all the marketing buzziness, you'd guess they'd have mentioned this.

      They surely use another company's product for their anti virus. I do not believe they've bought a viable antivirus company yet.

      I would guess they are using something like a ported copy of nessus or similar. It would be the height of embarrassment for them to admit to using Linux to probe for security flaws.

      Other than that it is a fluff marketing piece. I wouldn't have expected them to be truthful or even aware of the number of successful breaches at miker$of.

    22. Re:I'm surprised... by Anonymous Coward · · Score: 0

      It's what made hotmail the pile of rubbish it is today. Before MS, hotmail was the gMail of its day.

    23. Re:I'm surprised... by EvilSS · · Score: 1

      I think he is referring to SSL to SSL bridging in ISA 2004:

      [From MS Site] For Web servers that require authenticated and encrypted client access, ISA Server 2004 provides end-to-end security and application-layer filtering using SSL-to-SSL bridging. Unlike most firewalls, ISA Server 2004 inspects encrypted data before it reaches the Web server. The firewall decrypts the SSL stream, performs stateful inspection, and then re-encrypts the data and forwards it to the published Web server.
      http://www.microsoft.com/technet/isa/2004/productevaluation/features.mspx

      It can only do this for servers hosted behind it (you have to provide the certs so it can decrypt the traffic).

      --
      I browse on +1 so AC's need not respond, I won't see it.
    24. Re:I'm surprised... by necrogram · · Score: 1

      I know the Bluecoats can do this as well with the SSL cards (and matching software licence). I've been doing the Bluecoat thing for a few years, and bad assed is an understatement. The granularity in the product, esp with the policy stuff, is amazing. After demo-ing it, the words "squid what? ISA who?" was all i could say.

    25. Re:I'm surprised... by db32 · · Score: 1

      Heh, I don't know that I am impressed by that. It seems like a pretty bad idea and not much of a feature. But hey ActiveX and other such nonsense being able to do whatever it wants to the OS through the web browser is a feature too...

      --
      The only change I can believe in is what I find in my couch cushions.
    26. Re:I'm surprised... by bmajik · · Score: 1

      That is what I am referring to, but I am talking about it in the opposite direction.

      We use ISA server as an outbound proxy, so when I make an https connection to wherever, ISA presents me a cert that I trust (because what I trust is controlled via my domain membership) and then makes another https connection on my behalf, and then does stateful inspection between the two connections. So it proxies the clear-text https connection.

      This is good if you are a company and you want to be able to figure out what is going in and out of your network if you need to.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    27. Re:I'm surprised... by Anonymous Coward · · Score: 0

      Why is it surprising they use ISA server, it is Common Criteria Certified to EAL4+? Have you bothered to check vulnerability count for ISA over the last few years, or should I say the LACK of vulnerabilities for the product. ISA is perhaps one of the best Firewall products on the market at the moment. My only gripe with it is I wish it had a few more features.

    28. Re:I'm surprised... by Anonymous Coward · · Score: 0

      Right.

      So you used to dislike Microsoft ISA Server. Presumably when you were in IT.

      Which, funny you mention that, was not mentioned by the grandparent.

      Then, after telling us how that thing got so much better, you get on a tangent about wireless?? (I'm glad WPA was deployed in MS before I heard of it. Why couldn't I get the patch to install it then - I had to download some crap from NetGear?)

      Finally you get off spouting "truths" that anybody with an IQ above 20 - and cares - has known for the past, errr... 5 years?

      Go write useless crap somewhere else, Marketing Bob.

    29. Re:I'm surprised... by Anonymous Coward · · Score: 0

      The main problem with this approach is that it prevents the client from seeing and verifying the server's certificate.

    30. Re:I'm surprised... by bmajik · · Score: 1

      When I was in IT I did unix stuff exclusively.

      When I disliked ISA server is when it ruined my browsing experience with a much higher frequency than it does today. My involvement with it has always been the same - I forget all about it until it tells me that it can no longer find the hostname of the site I was _just_ looking at 30 seconds ago.

      I used to call the helpdesk (god what a PITA) once or twice a month "isa server 24 is f@#$ked up and not resolving host names, please kick it" and they'd never have any idea what I was talking about.

      I haven't bothered anyone about ISA server in years. It very rarely does something that makes me remember that it's still there, which is a good thing.

      I wish I could tell you more about how some of this stuff is deployed, but I can't precisely because I am working on a product team doing testing, not doing IT work -- in fact, I've never done IT work inside of Microsoft. (disclaimer: I consider producing commercial software and IT to be different things. There is certainly a software development aspect of IT, but typically it's internal, and I'd still refer to it as software development as opposed to network ops or system administration. Producing productized software is a different activity IMO.)

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  10. ok, sure .. .this is somehow news because by zappepcs · · Score: 3, Insightful

    this is a story about how MS is doing security... however, 2 factor authentication has been in use for decades, even before computers became the common day things they are today. In the military, I've seen where it takes 3 people and two keys just to open a door to a secured space. The tech is new, and hopefully now that MS is telling people that is how they do things, perhaps banks and other people with my personal information stored up will start doing the same??? sigh

    1. Re:ok, sure .. .this is somehow news because by GeckoX · · Score: 4, Insightful

      Where did it mention that MS is doing anything groundbreaking or revolutionary here?

      This is simply an article about how MS, arguably the most targeted entity out there, secures their business.

      Further, it appears to work very well for them, without sacrificing their employees' ability to work.

      Really, what are you trying to say here? Should it require 3 people and 2 keys to log into your office over VPN every day to get some work done? Somehow I think not, but that still leaves me wondering what is your point?

      --
      No Comment.
    2. Re:ok, sure .. .this is somehow news because by Anonymous Coward · · Score: 0

      terminator 2 style

    3. Re:ok, sure .. .this is somehow news because by zappepcs · · Score: 1

      The point is that I'm glad that it works for MS, it's been working for other people/groups/companies for decades, in several forms... I just hope that this example of how well it works will inspire banks to follow the example

    4. Re:ok, sure .. .this is somehow news because by maxwell+demon · · Score: 1
      Further, it appears to work very well for them, without sacrificing their employees' ability to work.

      Of course should it not work well, Microsoft wouldn't tell you. Or would you really expect them to say "well, we have security problems caused by this MS product ..."? There are a lot of reasons why they won't do that. First, it would of course make bad advertising for the products. Second, it would also make bad advertising of MS itself (along the lines of "they can't even keep their own network safe"). And third, it would give attackers a hint where to target their attack.

      So the fact that MS claims that it works well in reality doesn't tell you much. Maybe it works well, maybe it doesn't, but all you really can say is that it isn't so bad that they can't cover all problems which might occur.
      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:ok, sure .. .this is somehow news because by wtansill · · Score: 3, Insightful
      perhaps banks and other people with my personal information stored up will start doing the same??? sigh
      You really do not want to go there. Let's say you have the following (reasonably typical) scenario:
      1. You have a checking account
      2. You have a 401(k) through your company
      3. You have a Visa credit card
      4. You have a MasterCard credit card
      Each institution where you maintain an account decides to require two-factor authentication.
      • Do the security keys interoperate, or do you have to now have four separate tokens?
      • Your spouse wishes to log in as well, can (s)he use the same tokens, or does (s)he have to have their own?
      • Spend a lot of time on the road? Want to check your account(s) from your hotel room? Take all your tokens. Which, BTW, means that the spouse cannot check while you are away unless each account issues one token per spouse or other authorized account user (which, BTW, adds cost for the institution).
      • You have an emergency of some sort and must have access to your account, but forgot/lost your token, the battery died, whatever. Is there a secondary mechanism that will allow you to access your account which does not rely on the use of the security token? If so, you've just doubled the institution's cost of doing business with no net benefit to the institution.
      Add to that the scary fact that two-factor authentication does nothing to prevent man-in-the-middle attacks -- someone can still get hold of your session and possibly access your supposedly secure accounts -- and the luster dims for the two-factor scheme.

      It works well in some limited instances, but I shudder to think of the possibilities if it's ever adopted on a wide scale.

      --
      The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
    6. Re:ok, sure .. .this is somehow news because by zappepcs · · Score: 1

      While there is that problem, and related problems, most everyone in the western world (covers me and my family) have mobile devices whether that is a phone, pda, or pager. These devices can be registered with the service in question as the place to send the token for 2nd factor authentication. To eliminate man in the middle, there are other methods rather than straight https. Sure, that might require that you install some app(let) on your machine and limit you to using only machines with that app(let) installed, but this still allows quite secure remote access to your data with a much reduced risk. Certainly much safer than current methods of remote access to that data.

    7. Re:ok, sure .. .this is somehow news because by Da_Weasel · · Score: 1

      Hahaha...that would be really funny! I was just thinking about my company hiring two people to follow me home each night just so they could require three people to be present for me to access the VPN...hahaha

      I really don't know why I found that so funny, but I'm still laughing...heheh

      Do more people and more keys make something more secure? O_o

      --
      If you must!
    8. Re:ok, sure .. .this is somehow news because by wtansill · · Score: 1
      While there is that problem, and related problems, most everyone in the western world (covers me and my family) have mobile devices whether that is a phone, pda, or pager. These devices can be registered with the service in question as the place to send the token for 2nd factor authentication.
      I'm referring to the physical token that you have to have in hand in order to supply the second authentication factor. For instance, RSA makes a physical device that creates a six digit random number at one minute intervals. This device (the "token") is synced up with the provider's service and you have to supply the number from the physical device along with your password when you log in.

      Even assuming that you can set up your laptop or PDA to be "the device" as you seem to suggest, you still have to register with multiple services, most likely loading (potentially conflicting) software for each, with all the problems that entails.

      Unless and until the technique is standardized (an institution can recognize physical devices from multiple device providers, or can interoperate with one or more programs provided by security vendors), I don't think we will see widespread adoption. Even then, it can be compromised without much effort. See this link http://www.schneier.com/blog/archives/2005/03/the_failure_of.html/ for a discussion on how easily this can be accomplished

      --
      The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
    9. Re:ok, sure .. .this is somehow news because by Anonymous Coward · · Score: 1, Insightful

      Two-factor authentication, like most kids' cereals, is "part" of a complete breakfast. You can't depend on two factor auth alone, but when it is combined with other things like sufficiently complex passwords, good security hygiene, and strong encryption what you end up with is good security. Not perfect security. Companies are also beginning to realize that it is no longer about the perimeter. You have to protect the inside as well. Probably the single most important piece of security is not technological, but procedural. Segregation of duties.

    10. Re:ok, sure .. .this is somehow news because by Basje · · Score: 1

      No, it needs two keys, period.

      The three people are part of the prescribed protocol, but the problem is people not following the protocol but using a shortcut instead.

      --
      the pun is mightier than the sword
    11. Re:ok, sure .. .this is somehow news because by johneee · · Score: 2, Insightful

      I don't know about that, but I do have accounts in three different banks, and they do have two factor authentication - bank card and pin - for some of the access I have to them. Mostly it works pretty well...

      --
      - ------- There are ten kinds of people in the world. Those who understand binary, and those who... Huh?
    12. Re:ok, sure .. .this is somehow news because by Lord+Ender · · Score: 1

      Once every computer comes with a smart-card reader (very inexpensive) you could keep a smart card in your wallet! They're credit card sized. You could store your keys for multiple financial services on the same card. It wouldn't cost much at all, it would just take a little bit of cooperation between the banks.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    13. Re:ok, sure .. .this is somehow news because by drew · · Score: 1

      # Spend a lot of time on the road? Want to check your account(s) from your hotel room? Take all your tokens. Which, BTW, means that the spouse cannot check while you are away unless each account issues one token per spouse or other authorized account user (which, BTW, adds cost for the institution).
      # You have an emergency of some sort and must have access to your account, but forgot/lost your token, the battery died, whatever. Is there a secondary mechanism that will allow you to access your account which does not rely on the use of the security token? If so, you've just doubled the institution's cost of doing business with no net benefit to the institution.

      Well, in those cases, I guess we'd just be completely screwed. I mean, it's not like there was ever a time that we didn't have easy online access to all of our bank account information, was there?

      Personally, I wouldn't mind the situation that you describe. It would give me secure access to all of my account information when I am at home, when I am most likely to want it. When I am not at home, I can just keep doing what I've always done in the past- call my bank, or *gasp*, go there in person. Since I pretty much only use online banking when I am at home as it is, I think it would be a reasonable trade off- a little extra security for very little lost convenience.
      --
      If I don't put anything here, will anyone recognize me anymore?
    14. Re:ok, sure .. .this is somehow news because by SanityInAnarchy · · Score: 1

      Do the security keys interoperate, or do you have to now have four separate tokens?

      Ideally, I now have one token: A private key. Each institution now has my public key and my social security number. If I ever have to generate a new public key, I can use the social security number and whatever other means they now use if I walk into the bank. Short of that, they trust anyone who has a matching private key.

      Your spouse wishes to log in as well, can (s)he use the same tokens, or does (s)he have to have their own?

      Presumably, everyone has their own key. However, nothing is stopping the bank from allowing multiple keys, each with their own level of access. Bonus is if one key is compromised, we can use the other key to revoke access from the first, without actually having to walk into the bank.

      Spend a lot of time on the road? Want to check your account(s) from your hotel room? Take all your tokens.

      Roger, I take my one token. Probably some sort of USB device I can plug into my laptop. Boo hoo, I lost some pocket space.

      You know what? I think I'll stop locking my car. I'll leave the key in the ignition to save pocket space.

      Which, BTW, means that the spouse cannot check while you are away unless each account issues one token per spouse or other authorized account user

      Ok, but remember, it's not the bank that issues tokens in this case. It's the bank that accepts tokens.

      (which, BTW, adds cost for the institution).

      In what way?

      Set some sane limit, like five tokens per account. Allow fully trusted users to admin the tokens. Assume ridiculously secure tokens by today's standards -- let's say 4096-bit RSA keys. Hmm, 5 * 4096 = 20480 bits, or 2560 bytes -- 2.56 kilobytes.

      Now, most free email services, even five years ago, gave us several megabytes of storage, and this is less than ten kilobytes of storage. And really, who am I going to trust with my account other than my spouse? Allow a megabyte and I can allow hundreds of people access...

      Remember, I can do this all myself -- all the institution has to do is install some software and accept my single public key the first time, when I set up the account.

      You have an emergency of some sort and must have access to your account, but forgot/lost your token, the battery died, whatever. Is there a secondary mechanism that will allow you to access your account which does not rely on the use of the security token? If so, you've just doubled the institution's cost of doing business with no net benefit to the institution.

      Oh! Is that so?

      Sorry, Paypal, the party's over, your business isn't profitable. You can go home now.

      Really -- suppose you forget/lose your token. There are mechanisms in place for this all the fuck over. If you forget your bank account number, they can look it up, given your name and social security number. Lose your social security card, you can get a new one, given a sufficient number of alternate methods of authentication.

      Shit, if it costs so much, have them charge the users some small fee for the arduous labor of resetting someone's key when they ask for it.

      It doesn't have to be instantaneously automagic. In fact, it isn't with my bank -- I forget my password, I have to call the bank and ask them (politely) to reset it, or walk in, and I have to provide my account number, my name, my birthday... But it works, and it eliminates the problem of remembering stuff.

      Essentially, we're already here, although it's really one-factor authentication. But two-factor authentication really isn't any harder -- the only difference is that "something you have" is really "something your mysterious USB device knows", rather than "something you know". And personally, I'd be willing to pay for the hardware to make it work.

      --
      Don't thank God, thank a doctor!
    15. Re:ok, sure .. .this is somehow news because by Blackknight · · Score: 1

      By law all banks must move to two-factor authentication. Both of my banks have already implemented it.

    16. Re:ok, sure .. .this is somehow news because by WuphonsReach · · Score: 1

      You have an emergency of some sort and must have access to your account, but forgot/lost your token, the battery died, whatever. Is there a secondary mechanism that will allow you to access your account which does not rely on the use of the security token? If so, you've just doubled the institution's cost of doing business with no net benefit to the institution.

      You mean like physically going to a bank branch and presenting some sort of credentials? (And jumping through whatever hoops are needed.)

      Seriously though, what possible emergency would require account access in more than 24-48 hours that could not be handled by keeping a spare credit card in reserve?

      --
      Wolde you bothe eate your cake, and have your cake?
  11. If all else fails... by jbeaupre · · Score: 3, Funny

    They whip out the OEM image CD and reinstall. The down side is they have to get rid of all those AOL icons and replace Norton AV each time.

    --
    The world is made by those who show up for the job.
    1. Re:If all else fails... by just_another_sean · · Score: 1

      Not to mention changing the wallpaper, setting default apps to Firefox, Thunderbird and WinAMP and editing the global policy to disallow MSN Messenger to run at all.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  12. Seems unlikely that they'd run Linux by coleopterana · · Score: 3, Insightful

    I've noticed that the best way to find problems with your own product is to have your employees (forced to) use it on a daily basis. I'm no Microsoft fan nor a software engineer but it seems to me to be the quickest way to find holes that testing didn't uncover. Now that in itself presents an interesting question: does that make it harder to find SECURITY problems if you're testing your product behind all those corporate protections (assuming they work)? It's no real-world experience to do that.

  13. what counts as an "attack"? by Doctor+Crumb · · Score: 5, Interesting

    Honestly, my own computers fight off thousands of "attacks" a month, if you lower the bar enough. Are there worms knocking on port 137? Or are these actual hackers with stolen passwords/passcards?

    1. Re:what counts as an "attack"? by Crudely_Indecent · · Score: 1

      My company servers are also under constant attack. On top of that, I've had two users succumb to spyware keyloggers and had two separate accounts compromised. Email is under constant attack, web servers, ssh and ftp servers, the firewall, the routers..... Dictionary attacks abound, script kiddies run amok...

      --


      "Lame" - Galaxar
    2. Re:what counts as an "attack"? by joe+155 · · Score: 1

      My own home computer since Nov. 30th has "fought off" over 760 attacks. All it took me to do this is just run firestarter. Does this mean that I'm having an all out war with some hackers?... or does this mean that one person who is on the same network as me (stupid apartment blocks with their crazy internet setups) is too stupid to have updated to SP2?

      Come to think of it maybe this is whats going on here...

      God I wish it was a crime to not properly maintain your computer.

      --
      *''I can't believe it's not a hyperlink.''
  14. Crash... by Anonymous Coward · · Score: 0, Funny

    and burn!

    1. Re:Crash... by JensenDied · · Score: 1

      some mod miss the Hackers Reference?
      "Crash Override"/"Acid Burn"
      http://en.wikipedia.org/wiki/Hackers_(film)

      --

      09:F9:11:02 - 9D:74:E3:5B - D8:41:56:C5 - 63:56:88:C0

  15. Balance? by Rob+T+Firefly · · Score: 4, Insightful
    The software giant fights off more than 100,000 attacks every month
    I wonder how the number of attacks on other sites enabled by botnets of compromised Windows machines compares to this. Are they taking more or less than their software dishes out to the rest of the world?
    1. Re:Balance? by cswiger2005 · · Score: 2, Interesting

      If you've run a honeynet, you'll find that you tend to see between ~300 and ~1500 or so "attacks" per IP address per day-- about 80% TCP-based, about 15% UDP-based, and about 5% ICMP-based. I'm not sure a simple ICMP ECHO_REQUEST qualifies as an "attack" (although there are plenty of security vendors who will claim it is, simply to inflate their numbers), but ICMP redirects which try to tell a host to send local traffic to a remote IP surely do qualify as a hostile attack.

      Assuming that there's about 1000 attacks per day on average, or 30K per month per IP, suggests that Microsoft only has three or four Internet-routable machines, which clearly isn't the case-- perhaps they are only counting attacks which make it through the front line of their existing firewalls, or they are aggregating a single source IP which launches the same viral payload against many destination IPs as a single "attack"...?

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
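
How far the headline number moves with the counting rule, as an added example that is not from the article or the thread. The log lines, their format, the rule names and the addresses (taken from the documentation ranges) are all constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple

# Constructed firewall-drop records: "epoch src dst proto port-or-icmp-type".
SAMPLE_LOG = """\
1000 198.51.100.7 203.0.113.10 tcp 445
1001 198.51.100.7 203.0.113.11 tcp 445
1002 198.51.100.7 203.0.113.12 tcp 445
1003 198.51.100.7 203.0.113.10 tcp 445
1010 192.0.2.44 203.0.113.10 udp 137
1011 192.0.2.44 203.0.113.11 udp 137
1020 192.0.2.90 203.0.113.10 icmp echo-request
1021 192.0.2.90 203.0.113.10 icmp echo-request
1030 192.0.2.91 203.0.113.12 icmp redirect
1040 198.51.100.7 203.0.113.10 tcp 22
"""


class Drop(NamedTuple):
    ts: int
    src: str
    dst: str
    proto: str
    what: str  # destination port, or ICMP type name


def parse(log: str) -> list:
    """Parse the constructed format, skipping lines that do not fit it."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        events.append(Drop(int(fields[0]), *fields[1:]))
    return events


def count_attacks(events: list, rule: str, count_echo: bool = True) -> int:
    """Count "attacks" under one of three rules.

    per_packet           every dropped packet is an attack
    per_flow             one per distinct (source, destination, service)
    per_source_signature one per distinct (source, service), however many
                         destinations that source swept
    count_echo=False leaves plain ICMP echo requests out of the total.
    """
    if not count_echo:
        events = [e for e in events
                  if not (e.proto == "icmp" and e.what == "echo-request")]
    if rule == "per_packet":
        return len(events)
    if rule == "per_flow":
        return len({(e.src, e.dst, e.proto, e.what) for e in events})
    if rule == "per_source_signature":
        return len({(e.src, e.proto, e.what) for e in events})
    raise ValueError(f"unknown counting rule: {rule}")


def protocol_mix(events: list) -> Counter:
    """Dropped packets per protocol, for a TCP/UDP/ICMP breakdown."""
    return Counter(e.proto for e in events)


def per_destination(events: list) -> Counter:
    """Dropped packets per destination IP (the honeynet per-IP figure)."""
    return Counter(e.dst for e in events)


def report(log: str) -> dict:
    """Every rule, with and without echo requests, for the same log."""
    events = parse(log)
    rules = ("per_packet", "per_flow", "per_source_signature")
    return {r: (count_attacks(events, r), count_attacks(events, r, False))
            for r in rules}


if __name__ == "__main__":
    for rule, (with_echo, without_echo) in report(SAMPLE_LOG).items():
        print(f"{rule:22} {with_echo:3} {without_echo:3}")
```
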
    2. Re:Balance? by zuiraM · · Score: 1

      Presumably, the majority of what they are getting slammed with originates with said botnets. XP phone home? ;)

  16. I can only pray.... by styryx · · Score: 0, Troll

    I can only pray that this is the 'quiet before the storm'!

    But then again, it's not like M$ attacks anyone, ever... is it? Been annoying any crackers/hackers/consumers/people recently? Friendly with Linux users and developers etc., are we?

    "You reap what you sow."

  17. Slashvertisement by HairyCanary · · Score: 2

    The article reads like an advertisement for Microsoft products. The article has a nice catchy subject line and then proceeds to explain how Microsoft leverages such neat toys as Exchange proxies, Microsoft Office Communicator, etc. The article is so heavy on naming each little piece of software that it reads like a big advertisement. How much do you want to bet it is a press release from Microsoft reprinted by Computerworld?

    1. Re:Slashvertisement by jjohnson · · Score: 1

      No kidding. It's not enough to wade through interstitial ads to get to a page that's 60% ads sprinkled randomly throughout the text of the article; the article itself has to be a marketing blowjob for MS.

      We've reached the advertising singularity!

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    2. Re:Slashvertisement by stevesliva · · Score: 1
      The article reads like an advertisement for Microsoft products.
      Perhaps ComputerWorld is partial to Microsoft. The more I become familiar with tech industry news, the more apparent it becomes that various news outlets have a tendency to be very credulous with the companies they are most familiar with. Other companies tend to have their PR very much sliced and diced and taken with a grain of salt.

      Though I may be confusing the "news" with the blogs since the bloggers seem to be absolved of all attempts at impartiality, though. But the blogs are definitely interesting when they point to the biases of the staff.
      --
      Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
    3. Re:Slashvertisement by WuphonsReach · · Score: 1

      Perhaps ComputerWorld is partial to Microsoft. The more I become familiar with tech industry news, the more apparent it becomes that various news outlets have a tendency to be very credulous with the companies they are most familiar with. Other companies tend to have their PR very much sliced and diced and taken with a grain of salt.

      For another example, see the recent PC Magazine where they fawn all over Vista and DirectX 10 as being "products of the year". Maybe it would be more credible at the end of 2007 to award them such kind words, but it stretches credibility past the breaking point to do so in 2006.

      I'm so glad that they send me that rag for free. Because there's no way in hell I'd pay to receive it anymore.

      (Virtualization is much more interesting and important than what benefits the marketing droids think DirectX 10 will bring to the masses.)

      --
      Wolde you bothe eate your cake, and have your cake?
  18. Yahoo Ping Department by suso · · Score: 4, Funny

    Tomorrow we're going to hear from the ping department at Yahoo.

    I always wondered what they do with all those echo requests.

    1. Re:Yahoo Ping Department by binarybum · · Score: 3, Interesting

      huh, I almost always use ping www.yahoo.com when I'm testing a DNS.
      does everyone default to this for some reason that I'm not aware of? Is that what you're referring to?

      --
      ôó
    2. Re:Yahoo Ping Department by Da_Weasel · · Score: 4, Funny

      They are building up a stock pile of pings. It's all part of a diabolical plan to rule the universe through their pingopoly. Soon we shall all bow before their pingy-ness-ish-ness. Those who obey their pingy commands will receive their daily ration of echo packets, everyone else will be left wanting... MMWhhaAHahHAhahahAHahahHAh!!!!

      --
      If you must!
    3. Re:Yahoo Ping Department by MrP-(at+work) · · Score: 2, Insightful

      I think it's very common.

      I know everyone here always does ping yahoo.com to test DNS/network connections.

      We also ping google.com sometimes too

      I feel bad for them

      --
      [an error occurred while processing this directive]
    4. Re:Yahoo Ping Department by moore.dustin · · Score: 3, Interesting

      This is hilarious! I always ping yahoo.com when DNS testing too! I choose it because they have a reliable service and consistent response times.... and I never Yahoo! and I would not want to do this to a service/site I like/use :)

    5. Re:Yahoo Ping Department by cswiger2005 · · Score: 1

      If I'm testing a DNS server, I try pinging it before doing anything else, and then graduate to using "dig" to see whether the DNS server can look up other hostnames...

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
    6. Re:Yahoo Ping Department by snarkth · · Score: 1

      It's simple, fool.

      They'll have a database of every IP in existence.

      Next step is pr0fit, of course. ;)

      snarkth

    7. Re:Yahoo Ping Department by WuphonsReach · · Score: 1

      Guilty here as well... because Yahoo! seems to always be up and ping'able. I guess if they were really annoyed, they'd firewall off ping responses.

      --
      Wolde you bothe eate your cake, and have your cake?
  19. The difficult part is legislations/conventions by Sigg3.net · · Score: 0

    The difficult part is finding a way to define 'employees' under 'detainees', that would allow them to do this.

  20. Marketing Material by dave562 · · Score: 5, Informative

    That article wasn't very informative. It only talks about the security functionality offered by Microsoft products (specifically VPN/ISA and Exchange). It doesn't even address what kind of attacks are being launched against the company beyond the typical "Virus emails." In other words, it's just thinly disguised marketing material put out under a header that seems interesting.

    I wonder how they got to the 100,000 number. If you count port scans and IP spoofs then my home network sees thousands of attacks every month.

  21. You mean more security makes things more secure?!? by Anonymous Coward · · Score: 0

    Jesus, this is mindblowing.

  22. The Money to make it work. by jsheedy · · Score: 1

    You have to realize that, though they do get that many attacks per month, they have the money to dump into network security to shore up what the issues are. Not just the software side, but the actual people able to monitor all those incoming attacks. Plus the systems they (hackers) are trying to attack/hack are ones MS programmed. Who other than MS should know their software? They programmed it, they should be able to protect it. If there are issues, throw more bodies, and money into it so that it gets fixed. Does that help all the other companies that use MS products? I would guess eventually, but most companies don't have the resources, or the money to spend that MS has. Something more impressive would be a solution they sold to someone, that has one IT person on staff, they receive 100k of attacks per month, and they run without issue.

    --
    Quid Pro Quo, nothing more, nothing less.
  23. Their ultimate solution is all Microsoft ... by Erris · · Score: 1

    Those with the skills to steal it have no use for it.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  24. Statistics...gotta 'luv em by djupedal · · Score: 5, Funny

    The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie.

    If MS is using the routine fuzzy-math they tend to throw out when attempting to make the company seem more powerful and dominating than is backed up by reality, the '100,000 attacks' could be 99,999 pieces of spam email and one ping-flood.

    See, this is how MS routinely tries to brainwash Joe and Jane consumer. Toss out a statistic that is impossible to verify, along with just enough verbal imagery to impress non-tech savvy spenders and you're on your way to profitsville!

    'data-heavy internal network...' That is some pretty shiny bull-shit, by the way...data-heavy! As opposed to what? I can see those steel grey towering industrial strength routers, embedded into solid concrete bunkers, laced with 50 cm MIL spec reinforcing bar that is tied deep in bedrock, far below the cavernous data centers the brave MS engineers toil without end to feed, with miles and miles of 1 meter thick ethernet cables, snaking like giant blood veins, throbbing quietly as the beast that is MS R&D works around the clock for the good of mankind.

    Makes me proud to be an American, I 'tell ya!

    1. Re:Statistics...gotta 'luv em by Anonymous Coward · · Score: 0

      I can see those steel grey towering industrial strength routers, embedded into solid concrete bunkers, laced with 50 cm MIL spec reinforcing bar that is tied deep in bedrock, far below the cavernous data centers the brave MS engineers toil without end to feed, with miles and miles of 1 meter thick ethernet cables, snaking like giant blood veins, throbbing quietly as the beast that is MS R&D works around the clock for the good of mankind.

      that's more like how I picture google's headquarters.

    2. Re:Statistics...gotta 'luv em by InsaneGeek · · Score: 1

      From your tone, it's pretty obvious that you believe that 100,000 is an unreasonable number. Why would you believe that the company who has the largest OS marketshare by an order of magnitude, has the largest OS name recognition would not have at least that number? 100,000 would seem on the very low-end of attacks, the thought of being able to infect the largest OS maker in the entire world has got to make a number of people salivate. Do you really think there are only a handful of people in the world interested in targeted attacks against MS infrastructure, is that why you are so passionate that the number seems out of line?

      Additionally, I'm pretty sure you didn't read the article as it states specifically that they filter out 9 million spam messages, which coincidentally is a number larger than 100,000 per month (a factor of >2700 times). The data-heavy stuff was not in the article, it's from the submitter and I have no idea where he got it from.

      I'm a unix admin, and could easily see through the BS you were posting, how you got modded up as insightful is a perfect example of your second sentence. "Toss out a post that moderators won't verify, along with just enough verbal imagery to impress non-tech savvy moderators and you're on your way to being modded up!". You either are a complete moron, or brilliantly sneaky in intentionally creating a post that actually goes against itself but has enough dazzling BS in it to fool people.

    3. Re:Statistics...gotta 'luv em by djupedal · · Score: 1

      A UNIX, sorry, I mean 'unix' admin.

      Hey, everybody! Look!! A 'unix admin'!

      Lucky day! And you used factorials and everything. I am NOT worthy, honestly. Sorry, but this is a bit overwhelming - I have to take a moment..pinch myself & make sure I'm not dreaming.

      Wait until I tell the guys on the loading dock! Those drop-outs are going to be green with envy all thru the night shift. Am I good or what!!?? I hooked one for the books this time :)

      The data-heavy stuff was not in the article, it's from the submitter and I have no idea where he got it from.

      Really? Is it that hard to make the connection?

      Ok, since it appears to be a bit too much of a stretch for you, I'll connect the dots and make it simple - you'll still have to do a bit of thinking, but I believe in you, or I wouldn't waste time helping to prop you up. Clear your mind and let things come into focus. You can do it - don't let me down!

      The article and the submitter are both from the same PPT marketing ploy.

      What I can't figure out, however, is where the hell are you from? What did I ever do to you? Did you miss another promotion? Someone steal your favorite wastebasket? What? Holidays got you down? Another price hike on cheap wine-in-a-box...those bastards!

      I'm here for you, whatever your particular tragedy is. Don't worry about me - I can take it. Keep thrashing until all the demons run away.

      Oh, and thanks for taking a run at me, really. As dull of an effort it was, I'm flattered nonetheless.

    4. Re:Statistics...gotta 'luv em by Anonymous Coward · · Score: 0

      A unix admin. wow

      I think I fucked a unix admin one time. In the mouth. for money. No, twice. Yep, two times since the little bastard bit me right when he started gagging the first time. wtf? I just got a nice rhythm goin and he started doing that mommy! mommy! thing, you know, like they all do when they think they're gonna spunk shorts?

      mommy! mommy! - shit! I hate that!

      AND the punk spit. I told him if he was only going to partition my server and not cough up the 5 qui this time, then he was not allowed to spit. Not my stuff. No way my stuff goes on the floor. That is premium stuff, man, not to be wasted. He offered to lick it up, but I had to get back on the help desk, stat, before that bitch shift-leader found us and started screaming for 1/2 the action, again.

      I have got to start hanging out with better people.

      mommy! mommy!

    5. Re:Statistics...gotta 'luv em by InsaneGeek · · Score: 1

      So you weren't going for the brilliantly sneaky and were instead going for the moron one then. Nice to know

    6. Re:Statistics...gotta 'luv em by InsaneGeek · · Score: 1

      I think you meant "5 quid" instead of "5 qui"

  25. 100,000 is very low for automated attacks by 192939495969798999 · · Score: 3, Insightful

    100,000 is very low, on a typical home machine if you're getting hundreds or thousands of attempts by bots, then surely the biggest software maker is getting millions. However, if they mean 100,000 attacks by individuals per month, meaning someone directly trying to "hack into microsoft", that seems impressively high. Wouldn't at least several of those get in through social engineering alone (i.e. pretend to be hot girl, get password, etc.)?

    --
    stuff |
    1. Re:100,000 is very low for automated attacks by Anonymous Coward · · Score: 0

      Pretending to be a hot girl is harder than it sounds. I always get caught... something about my beard.

    2. Re:100,000 is very low for automated attacks by Phleg · · Score: 1

      Not saying anything about the number they get, then assuming there was a high number of direct attempts (i.e., 100,000) the attacks would likely have an even worse chance of working than if it were low. One of the primary reasons users are vulnerable to social engineering attacks is that they're rare (per individual). If this was something that happened routinely to every employee once every month or two, they'd probably be easy to spot. Of course, the additional volume might outweigh the drop in successes-per-attempt, but it's interesting to think about nonetheless.

      --
      No comment.
  26. OpenBSD Firewalls by Retardican · · Score: 1

    shhhhh.. Don't leak this one... Remember Hotmail anyone?

    --
    Will the War in Iraq get better or worse in 2007? Vote here
    1. Re:OpenBSD Firewalls by Anonymous Coward · · Score: 1, Informative

      IIRC Hotmail was *not* OpenBSD, but rather it was FreeBSD. Or at least their servers were. I used hotmail primarily before Microsoft purchased them, and it was pretty amusing to me back then because for a while it was actually still running on BSD machines. And once they had switched over to Windows, the service was horribly slow, unreliable, and generally crap. Finally MS picked up the slack and fixed all the problems.

    2. Re:OpenBSD Firewalls by r00tman · · Score: 1

      Did Hotmail used to run on BSD?

    3. Re:OpenBSD Firewalls by MSFanBoi2 · · Score: 1

      nevermind the fact they have been all Windows and Exchange for almost 8 years now (finished the migration in 1999)...

    4. Re:OpenBSD Firewalls by multipartmixed · · Score: 1

      Yes, before Microsoft bought it. They actually made it unusable for several months in 1999 or so trying to make it run under NT.

      --

      Do daemons dream of electric sleep()?
  27. Good thing they're so secure. Otherwise... by E++99 · · Score: 1

    ...someone might steal the Windows code and come out with a competing operating system. :P

  28. Re:Good thing they're so secure. Otherwise... by CronicBurn · · Score: 1

    God forbid someone from the open source community gets ahold of it. It might actually work.

    --
    if I were able to see further, it was because I stood on the shoulders of Giants -Newton
  29. Microsoft Linux by drewzhrodague · · Score: 1

    Do you think Microsoft has their own version of Linux now? That would be the only answer, I would think.

    Either that, or my buddy Josh (and many others) is doing his job properly!

    --
    Zhrodague.net - I do projects and stuff too.
  30. And we forward all of our Spam to Earthlink... by olyar · · Score: 1

    ...that's a black hole it'll never come back from!

    --
    Custom, hands-free Linux installs. Instalinux
  31. Great idea by Tarlus · · Score: 1

    "...and also know something, in this case a password."

    That's a novel idea.

    --
    /* No Comment */
  32. They use bees by Overly+Critical+Guy · · Score: 4, Funny

    Microsoft sends care packages of bees to hackers. Leaked internal memos suggest turmoil amongst executives who can't decide if they should send more bees or just pull out entirely. A study group has determined that Microsoft should begin talks with various hacker groups as a diplomatic means of ending the bloodshed, but few believe that it will stop the attacks or the need for more bees. Many mourn for the loss of the bees, who die upon losing their stingers, while others point out that these are volunteer bees and that it's to be expected.

    --
    "Sufferin' succotash."
    1. Re:They use bees by DittoBox · · Score: 1

      Only honey bees lose their stingers (and subsequently their life) when stinging a "victim," this is because the stinger is barbed and once lodged into flesh it sticks along with its venom sac. Most other bee species don't have these barbs, so they can sting multiple times and live.

      I suggest Hornets, Yellow Jackets or other wasp species as they can sting multiple times and do so with more potent venom. They are also far more aggressive.

      --
      Good. Cheap. Fast. Pick Two.
    2. Re:They use bees by kkwst2 · · Score: 5, Funny

      African or European?

  33. Remote Assistance Hole by Anonymous Coward · · Score: 1, Interesting

    Having worked with M$ for a few months, I called tech support a few times and they all asked me to set the "Automatically accept requests" for remote desktop support, and all support people were from outside vendors outside of the country. Each time I refused to check it, but imagine all the people that did leave it checked for others to easily remotely control their machines.

  34. end to end protection by kalpol · · Score: 1

    "Steve, send the phone spiders."

    --
    12:50 - press return.
  35. 100k seems low by xPsi · · Score: 2, Interesting

    100k attacks per month for Microsoft seems low to me. That is about 1 attack every 30 seconds. I'm not saying that this is a low number on an absolute scale, but it seems low for MS. I might have just assumed they were continuously under multiple attacks.

    --
    i\hbar\dot{\psi}=\hat{H}\psi
  36. Then by ppc_digger · · Score: 0

    I, for one, welcome our new ping-responding overlords.

    --
    Of all major operating systems, UNIX is the only one originally meant for gaming.
  37. its obvious... by Anonymous Coward · · Score: 0

    They all use Macs.

  38. TRON.... by rubberbando · · Score: 2, Funny

    And all this time, I thought they just used that laser from Tron attached to a satellite that they would aim at unsuspecting hackers to digitize them into the gaming grid where they must dodge flying chairs thrown by a virtual Steve Ballmer (Donkey Kong Style).

    --
    DEAD DEAD DEAD DELETE ME
  39. ha ha ha! by Anonymous Coward · · Score: 0

    Oh man, if you've got any Shockwave skills, you *have* to write that game and post a link. I would play it!

  40. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  41. re - sig by ak3ldama · · Score: 1

    you know, i never really thought of it, but unix was originally meant for gaming. holy carp. it is too bad it didn't evolve well with it, but I suppose the thing to blame is the unix wars. the potential speed for gaming even on linux is pretty intense. some of the schedulers may need some tuning but even so the times used in system calls is pretty low, and the other stuff like transferring data to the video card is probably the only hurdle. there was a writeup by the nvidia folks about what freebsd would need to do to get up to linux's speed levels that is quite interesting. in some ways, the linux kernel's desire to only allow open drivers and the unix wars of old produce slightly similar results. (not that I am going to argue for closed drivers -- no elf'in way) oh how i pity the fate of beos.

    --
    "but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
    1. Re:re - sig by toadlife · · Score: 1

      "there was a writeup by the nvidia folks about what freebsd would need to do to get up to linux's speed levels"

      I thought their writeup was what they needed to do to get their drivers working in X64 version of FreeBSD.

      I've never noticed any huge speed difference when it comes to graphics between FreeBSD and Linux, as I benchmarked the Linux version of America's Army a while back on FreeBSD 5 and 6 and it was only 8-10% slower (~5 FPS) than on Linux.

      The more interesting part of the benchmark was that FreeBSD actually ran two of the maps faster than Windows.

      Sorry, I don't have the benchmark results..I accidentally deleted em'.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  42. I Want Two-Factor Authentication on my PC (Ubuntu) by JackRazz · · Score: 1

    What I'd like is two-factor authentication using a USB stick. The best I've seen is pam_usb (http://www.linuxjournal.com/article/8338), but haven't tried it yet. Anyone tried this or anything like it?

  43. My experience by GWBasic · · Score: 1

    My company forces me to use a similar VPN system. While I don't have a smartcard, my computer is scanned every time I connect. (Actually, I can only connect company-controlled computers through the VPN.)

    It's such a pain to use the VPN due to all of the security measures. I'd rather have typical remote access software restricted to a VNC-like program that I can run on any computer.

    1. Re:My experience by Joe+The+Dragon · · Score: 1

      Tell them to get citrix

    2. Re:My experience by Anonymous Coward · · Score: 0

      Oh God why would anyone inflict the abortion that is Citrix on anyone :-(

  44. Re:You mean more security makes things more secure by Anonymous Coward · · Score: 0

    Jesus, this is mindblowing.

    You don't have to tell me, I'm omniscient.

    - Jesus

  45. Fantastic by Anonymous Coward · · Score: 0

    I'll finally be able to store all of my p0rn on only eight CDs!

    1. Re:Fantastic by McGiraf · · Score: 1

      Wrong Article ....

  46. Write the password on the card! by Anonymous Coward · · Score: 0

    Write the password on the card!

  47. One minute is a long time by LauraW · · Score: 1

    TFA says:

    The network servers remember what has been scanned at each log-in, and grant a grace period before requiring a rescan. Frequent users of the VPN can often log into the network in under a minute.

    Wow. I can log into our VPN in about 15 seconds, and that includes the time it takes me to enter my password into the smart card. I'd keep the VPN open all the time too if it took that long to log in.

  48. Thanks for this. by SanityInAnarchy · · Score: 1

    This is actually some details and things I'd like to know, and wouldn't have thought of.

    TFA fails the non-obvious test. Great: They VPN in to a sandbox, which is something I thought about a long time ago, only for another reason than remote attestation. It's also nice that they've figured out how to use SSL instead of a VPN 100% of the time, and to let people set up LANs. Two-factor authentication -- wow, revolutionary. NOT.

    But it's nice to hear about things like you actually eating your own dogfood -- something that I'm guessing is recent, considering what I remember of Windows 98 and 2k, as well as early XP.

    I would be happy to argue with you all day about whether Microsoft should be using Linux, but of course they're not. I imagine any departments doing so would have to fear The Chair and his "Linux infringes on our IP" claims.

    --
    Don't thank God, thank a doctor!
  49. I ping google, so... by cralewyth · · Score: 1

    Perhaps it's something to do with the search engine they usually use?

    --
    "Women are just like ninjas; They lie even when it is more convenient to tell the truth." ~ Unknown