Slashdot Mirror
What Spooks Microsoft's Chief Security Advisor
alphadogg writes "Microsoft's U.S. general manager/chief security advisor for its National Security Team, Bret Arsenault, thinks like a true security professional. In every bit of good news, he wonders what bad news could be coming. Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."
half of computer attacks seen by Microsoft come from the .edu domain
:) we all did it at one stage ;)
nothing to worry just students testing their scripts against big bad microsoft
over half of computer attacks seen by Microsoft come from the .edu domain
Actually, does this really surprise anyone? I think if you took away the botnets that might attack Microsoft, you might have
something more like 80%. Not that it was an attack, but I used to always use billy@microsoft.com as a return address when I was testing
e-mail or showing someone something.
Without all of the ads. Won't someone please think of my eyes?
over half of computer attacks seen by Microsoft come from the .edu domain
IT Teachers have too much free time on their hands...
But I bet the other half comes from .cn domain.
To: All Microsoft
From: Steve Ballmer
Microsoft is announcing that it is making the task of developing and deploying powerful Internet applications even easier starting today...
That's quite the straw man... and it seems to be singing something...
*listens in*
"If I only had a brain..."
Hell you can kill someone and not even get that much time. If your rich or a politician you can get off completely.
I agree with punishment fitting the crime but I think you put too much value on the damage the cause. The simple fact is that too few of people take the required steps to protect themselves. People have locks on their homes and cars, they don't normally allow complete strangers inside, and most people won't give out personal information to complete strangers they meet. Yet when it comes to the net it seems as if all bets are off, you never know what they will do - other than it being stupid.
I am all for punishment, but damn, people put more value on things and animals than human life.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
i presume same things that spooks every other network admin
:(
*rooted linux boxes, yes these are dangerous in wrong hands
*Russian business network
*chineese spammers
*prolonged multi gbit DDOS
The reason why the security flaws are dropping is because the 2 largest groups of crackers are operating under foreign govs. The russians were out to make money, But now operate with the russian gov. In addition, the chinese crackers have also switched up. Why? Because they can do all this legally in their country and not worry about a bullet to the brain. The simple fact is, that 5 years ago, these folks were cracking systems for money. Now, they are cracking targeted systems (i.e. DOD) and using subtle openings. Almost certainly the big openings are being saved for future use.
Question: What do you think about Microsoft's U.S. general manager/chief security advisor?
Answer: I think it would be a good idea.
8 of 13 people found this answer helpful. Did you?
What Spooks Microsoft's Chief Security Advisor?
Flying chairs?
---"What did I say that sounded like 'Tell me about your day?'"---
"Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."
As a user of said computers/servers i much prefer a scripthappy student whimsing around my systems alerting me about security issues. What do worries me are govt founded hackers stealing sensitive information, research and other secrets leaving no n00b traces for me to discover. Its not the actual breakin that worries me but what the perpetrator do thats an issue. If someone breaks in but does no harm i can live with that. My feelings may get hurt but the company is ok atleast.
An application/OS vendor ofcourse prefer the stealth hacker since the student hacker brings into attention all the various security issues with their products and makes people look for other options. Many vendors prefer a company being hacked to pieces before letting an exploit being known publicly. Microsofts own exploit policy is a very telling sign of this. As long as an exploit isnt used extensively its not going to get patched regardless of how many systems are exploitable. That worries me at night...
HTTP/1.1 400
is that you end up making short cuts to bring products to market as quickly as the public demands with software.
It also doesn't help that software rarely has a chance to mature into a known quantity before it is tossed out for something new.
I've been tasked to junk systems that weren't perfect, but that worked well enough to get the job done because the customer was pissy about them. Rather than tell their people to get over it, they wanted something new.
And lo and behold, you might say "meet the new system, same as the old system" because they traded one not perfect system for another not perfect system that had its own new issues.
Mind you, I wouldn't have expected anything less from Microsoft's Chief Security Advisor.
I hear a lot of people make the analogy that computer breaches are like breaking and entering, and while some of the actions are, some are clearly not.
Mischief is the motivation of youth. Vandalism is a form of expression. We've all participated in it in some form, so everyone get off their high horse, and rather than "get tough on crime," its time to figure out the difference between kids having fun and serious criminals. It is also time to make computer systems in "the digital world" as resilient to mischief and vandalism as real physical buildings are in the real world.
We've all carved our names in a tree in a park. We've all stolen a pack of gum or something from a store. We've all done petty crimes when we were young. The difference in the digital world is that everything is so brittle and poorly built and the mischief that is expected from youth ends up costing companies [B|M]illions of dollars. In the classic movie, "War Games," a kid practically starts world war III, the analogy fits if you excuse the hyperbole.
From a societal point of view, we need to separate the smarts kids being mischievous from the criminals committing real harm, just like we do in the real world.
The crime is most often hurt feelings and public shame. I do not see a virus, a trojan or such things as that bad of a deal. All they do is point with a very large sign towards some faulty software and says "fix this its insecure as hell".
The error lies in the exploitable system that should be more secure. Hightening the sentences only takes away the bulk but really malicious people will still use them to get access to trade, state and research secrets. The faulty systems will continue to be computerized swizz cheese.
HTTP/1.1 400
The MS chief security advisor drives a 1992 Toyota? Really? Two things come to mind here: Either Microsoft doesn't take security seriously enough to even give this guy a decent salary, or the urge to keep supporting outdated legacy crap is so ingrained at the company that even the guys at the top can't drop old tech for something better.
Of course it also makes me wonder, why can this guy take supporting a '92 car seriously, and yet the company he works for can't even make sure that the printer you bought last year will be supported in the latest OS?
Come now, give credit: Mahatma Gandhi...
Reporter: "Mr. Gandhi, What do you think of western civilization?"
Gandhi: "I think it would be a good idea!"
It may seem strange, but if you're a security professional and relish a severe challenge (or just want the money), then the Redmond campus may be just the place you want to be! However, after a while I can only imagine that the experience must feel more like beating your head against a wall.
Perhaps it is your horse that you should be dismounting from. Don't presume to speak on behalf of everyone else with regard to participation in unruly behaviors. Dipshit. We've all stolen a pack of gum or something from a store. ORLY??
Somebody owes me a free pack of gum, then. Apparently I missed "sticky finger day" when I was a kid. we need to separate the smarts kids being mischievous from the criminals committing real harm Your arrogance astounds me. You actually think that "mischievous" behavior and socially irresponsible law breaking is somehow correlated to "being smart". Wow.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Among the most frustrating findings for Arsenault: Just over half of all attacks originated from the .edu domain. "[That's] a fundamental problem," he said. "We've got to do a better job with the university systems to stop that."
There's a simple solution: stop maintaining the fiction that one company and one operating system can do it all. If you want to be a vendor of high-uptime, high-reliability systems, concentrate on that market segment and stop marketing your systems to the mass market. On the other hand, if you want to be a vendor of flaky commodity operating systems, stop worrying about your systems not being secure and stop marketing them as such (oh, and run your own corporate operations on something that actually is secure).
With Vista and other new products, Microsoft ships the hardening guide along with the product
Dell, Toshiba, HP, et el do not send that documentation along with a new machine when Vista is pre-installed. Could they be held accountable for people getting pwnd? Could this be an opening to get the M$ tax back when someone is forced to buy a machine with Vista on it?
Having to work for a living is the root of all evil.
It's been about three now since the last Windows system at home was converted to Linux. And we sleep just fine, thank you.
CUR ALLOC 20195.....5804M
AdBlock Plus?
:)
but seriously, thanks for the link.
I guess I'm just a "goody two shoes." When I was growing up, I never stole a pack of gum (or anything else) from a store. I never carved my name in a tree or participated in vandalizing something at all (much less as a "form of expression"). My motivations in my youth had nothing to do with mischief. I did experiment with computers, but they were my own computers or they were the school's and I was acting within the limits of my classroom activities. For example, when asked to program a slot machine program on an old Apple IIe, I finished *way* before everyone else. So I started adding in more features. I added in betting, and still people weren't done. So then I added in a mobster that you could borrow money from if you were broke. (I coded it so that you either paid him back in a certain number of turns or he broke an arm and a leg of yours, took all of your money, and the game ended.) I was exploring the limits of what my coding could do, but it was without causing harm/damage to someone else's property.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The fact that he has to use M$ products?
Professional Politicians are not the solution, they ARE the problem.
And that his employer seems to more inclined to monetize security services than actually releasing software that has a security architecture?
10 years in a federal-pound-me-in-the-ass prison?
I mean seriously.... Bret Arsenault?
Did he legally change his name after he got hired? Other cool pseudo-names: Ima Baadash, Tod Newclierre, or John Wepunce.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Regards;
Yeah, let's start ruining young hackers' (and I mean that in the positive sense) lives for youthful indiscretion, that's the way to go. The punishment does need to fit the crime, it's just that the 'crime' of rooting some insecure corporate box and not doing anything particularly destructive or criminal (credit card fraud etc.) with it is just not what I'd consider a big deal. Slap on the wrist, sure. Jail? Hell no.
Nobody expects the British Columbia Human Rights Tribunal.
No, "we" all haven't done those things. Just because your maladjusted punk ass decided to do the wrong thing doesn't mean we all did. And yes, those are crimes, and you should have been held accountable. Somewhere, somehow there was an opportunity cost for your actions... at somebody else's expense.
Most of the smart kids where I live were studying or working at something quite a bit more constructive. For every juvenile delinquent genius there are hundreds who think they're smarter than they really are. You sound like one of them.
What Spooks Microsoft's Chief Security Advisor?
(in Jigsaw-like voice)......IE 8.....I bring it to you because I'm sick and tired of people who do not appreciate their blessings...
This is exactly what I'm talking about. Equating serious crime with mischief. Vandalism is by no means the violent act that rape is.
You've never broken the law? You've never exceeded the legally posted speed limit? You've never spit on the street? Tell me where you live and I bet I can find a few local ordinances you've broken.
Don't lose the point by being pedantic.
"Yeah, let's start ruining young hackers' (and I mean that in the positive sense) lives for youthful indiscretion, that's the way to go."
Aww diddums. Perhaps we shouldn't punish kids when they chuck bricks through someones window either since that'll be just youthful exuberance right?
"it's just that the 'crime' of rooting some insecure corporate box and not doing anything particularly destructive or criminal (credit card fraud etc.) with it is just not what I'd consider a big deal"
Rooting around someones private email is no different to rooting around through letters at home. Its not as bad as writing a virus or trojan but it still deserves more than a slap on the wrist.
This security guy cited userland applications as the next battleground in windows. This, to me, sounds like he is trying to drum up support for completely locking down user space and only allowing signed apps to run in future versions of windows. Vista already forbids non-signed kernel mode drivers from running and has the ability to differentiate between signed/unsigned user apps. Previously, in XP, signed kernel mode drivers were an option and it was _not_ forced upon you. Application development on windows in the future might resemble iPhone development were you have to pay MS or some cert. authority a fee for every app that you want to distribute. As with anything, these future features will be advertised as for improving security when it is really about control and money. These are troubling trends.
I drove a '92 Corolla as a hand-me-down from siblings and handed it down as well. It was a great car that hardly ever had any problems. It is one of the main reasons my (former die-hard GM) parents converted to Japanese cars after having nothing but problems with their old GM junkers. Heck, maybe the guy is driving my old car! I know it's still in use out there.
Again, you are being "absolutist" about this, and that is the problem. Your descriptions do not describe mere mischief, but harassment and intimidation. They *may be* acts described as vandalism, but they are more serious than what I'm talking about.
Putting a sticker on a street sign. Carving your name in a tree. Small mischievous things are far different than wholesale destruction.
This "zero tolerance" absolutist world we live in doesn't allow children to make mistakes or recover from bad judgment. One mistake and they want to bring the full force of law down on you.
Some transgressions should not be considered crime even though they share some similarity, and in some cases repercussions, as real crime. Kids have bad judgment, it is a fact and it is a flaw in human beings. We should seriously consider this during prosecution.
It's worse than that! The cells don't even have wifi.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
You know, that's actually not an entirely bad analogy, but the way I see it, it proves the opposite of your point. A person who walks into a house and explores it is certainly guilty of trespassing and probably more, but if he hasn't taken anything, then he isn't guilty of burglary and shouldn't be tried for it.
People exploring networks often do it for no reason other than to see what's there. They may use illegal means to do so, and they should be held responsible for that, but the fact is, a lot of grey hats are harmless- they just want to see what they can do.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
And when you were asked to run the mile, you finished *way* after everyone else? Just because you do one thing better than other people does not make you better than they are. It just means you're more skilled in one area.
Some of the rest of us actually did things that weren't in lock-step with the rules. We didn't accept rules simply because they existed, we pushed the limits and learned why they existed.
Thank you for making sense, even if you don't get modded up for it. It's sad to see so many self-selected "smart" people that just accept rules and laws simply because they exist, rather than because they are there for a just reason, and don't understand that because there's an infinite range of human behavior, there should also be an infinite range of reactions to it.
My blog. Good stuff (when I remember to update it). Read it.
I'm sorry but there are ample ways for "young hackers" to satisfy their curiosity without doing anything illegal or screwing up some sysadmins day. They can set up their own networks to break into or join a wargame if they want something a little less insular. There's really no excuse for compromising somebody else's network for any reason. Sure, giving them more time than you would a violent criminal is silly but they've broken a law that is actually there to protect others, made a whole lot of problems for their victims (who now have to ensure nothing really nasty was done, which takes time and money) and had no reason to do so.
Slap on the wrist? Hell no! Scare the crap out of the stupid little buggers? Yes please.
Unfortunately if a breech of network security is noticed, it becomes a great big headache for those who have to sort it out. Nobody knows if the attacker was being malicious or just having a little look and so every break in has to be treated as if the attacker meant to do harm. This means making sure nothing was tampered with, nothing nasty was left behind and that it can't happen again. This process takes both time and money to sort out, meaning that even the most 'innocent' of attacks can cost the network owners far more than the silly git who was taking a look probably thought it would.
There really aren't any harmless attackers. Those with a genuine curiosity will find other, legal means of figuring out what they can do.
Silly rabbit
I was mainly taking issue with mlwmohawk's insistence that "we've all" done these things. Not everyone has. And there are ways of pushing the limits while not treading on other people's property. Want to test how secure a server is? Set one up yourself and see if you can hack it. Or have a friend set one up that you two agree you can try to hack into. There are entire contests built around this idea. I don't see why a community of "limits pushers" need to find out why rules exist by trashing other people's property and I don't accept any explanation of such vandalism as "youthful curiosity."
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
"everything"
I'm fully aware of that, trust me. I'm the Information Security Officer at a large hosting company, and I am that guy, who has to sort it out.
Though I wouldn't claim it is foolproof, it usually isn't hard to tell the difference in style of a malicious attacker and a harmless one- primarily because at one point or another, I have functioned in both capacities. If I hadn't done so, I wouldn't be qualified to do what I'm doing.
Yes, I do treat every breach like it was a serious one, and as my earlier post stated, I do think the "trespassing" on the site is reason enough to prosecute (particularly when sensitive information is compromised), but it definitely isn't as serious as tampering with a credit card processing script, for example.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
> The error lies in the exploitable system that should be more secure.
Technically, the only way to really secure a system against trojans is to remove the ability to install software that doesn't come with the system from the factory. In other words, throw out the general-purpose computer and buy all hardwired appliances instead.
The problem with that is, programmability is a very useful feature.
Cut that out, or I will ship you to Norilsk in a box.
Preface:
At this point in time I have a 16 year old son and a 2 year old daughter.
So where/how do draw the line between on one hand "mere mischief", and on the other hand "harassment and intimidation"?
That is the hard part, isn't it? The fact that it is not easy should not mean that we should abandon it.
I'm annoyed each time I get into the elevator in my house and see the increasing amount of stickers and scribble on the walls.
I agree will Bill Maher, if you are not annoyed every day, you are not living in a free society. Seriously, as a child the world had to deal with your crap, now as an adult, it is only fair that you deal with the crap of other kids.
Oh, come on, it's not like I'm suggesting the death penalty for throwing a piece of gum on the ground. But I also don't think children, or adults, should be given a free ride to destroy or tamper with the property of others.
Children and adults are different. Their brains are different, the area where judgment is made doesn't fully develop until late teens, and in some cases early 20s. This is a medical fact. This punishment society we live in wastes years of young people's lives needlessly.
And when kids do things that cause harm to others, we should punish them so they learn their behavior was wrong.
As a parent, I can say 100% that this sort of thinking is counter productive to raising a good child. Children know what is right and wrong already, and if they don't, explaining it clearly is usually enough. A child gets more out of encouragement than they do out of punishment. "Punishment" often does little good for those being punished, but gives those doing the punishing a sick dose of self satisfaction.
I feel certain that I would have stopped a lot earlier with those activities if I had been discovered and punished for them.
That may very well be true, but what if you we convicted of a crime that had real jail time and a permanent record? Would your life be what it is today?
Let me guess, you were well-to-do right?
See, kids who grow up poor get to see the injustice of the world first hand and, unlike adults, they feel the need to do something about it. Problem is, they're kids, so they can't.
How we know is more important than what we know.
Vandalism and petty theft are examples of kids attempting to rectify injustice in the world? Please explain.
I see we're at that point in the orbit where the moderators totally lack a sense of humour again.
It was a joke, people. Get it? A joke.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
They're ineffectual attempts to rectify injustice, yes. Taking from the "haves" is exactly why social justice is so distasteful. Forced redistribution of wealth is just as unsavory as the concentration of wealth.
Thankfully, we now live in an era where redistribution of wealth by force is not necessary to achieve social justice, unfortunately some people still see it as the only solution.
How we know is more important than what we know.
I wasn't poor growing up, but I wasn't "well-to-do" either. My family was comfortably middle class. My father worked hard to earn a living just like I do today.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
I agree with most of what you say except for the idea that kids are justifying their actions with some deeper philosophy. I doubt they're saying "this guy has, and I don't, so I'm leveling the field", but probably something more along the lines of "I want some chewing gum and I'd rather spend my quarters at the arcade than the Kwik-e Mart". Selfishness isn't necessarily an indication of a deeper yearning to correct a perceived injustice.
I don't know where you live, but around here vandals get arrested too. If you think breaking into a system and 'vandalizing' it harmless fine, but don't whine if you get busted for it. Or you don't mind if I spray paint your dorm room pink and leave 'Hanna Montana' posters plastered all over it do you? It's just harmless fun, not a real crime so don't call the campus police. They have better things to do... The real world is going to kick your ass once you get out of your coddled, sheltered existence with that attitude.