Slashdot Mirror


What Spooks Microsoft's Chief Security Advisor

alphadogg writes "Microsoft's U.S. general manager/chief security advisor for its National Security Team, Bret Arsenault, thinks like a true security professional. In every bit of good news, he wonders what bad news could be coming. Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."

11 of 136 comments

  1. Big surprise? by suso · · Score: 2, Insightful

    over half of computer attacks seen by Microsoft come from the .edu domain

    Actually, does this really surprise anyone? I think if you took away the botnets that might attack Microsoft, you might have
    something more like 80%. Not that it was an attack, but I used to always use billy@microsoft.com as a return address when I was testing
    e-mail or showing someone something.

  2. Re:students sharpening their pens by an.echte.trilingue · · Score: 5, Insightful

    True. Students usually have time on their hands, knowledge at their disposal and being young they still have an underdeveloped sense for the potential consequences of their actions. Oh, and T1 connections directly into the dorms. Just talk to somebody who administers a university network: trying to keep students from "playing" with the school infrastructure is a nightmare.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  3. Re:students sharpening their pens by morgan_greywolf · · Score: 3, Insightful

    Fatter pipes are bigger targets to would-be evildoers, as it gives them more bandwidth with which to carry out their nefarious deeds. That makes a rooted .edu box almost as important a component of Dr. Evil In Trainings' arsenal as a hollowed out volcano island.

    At one time that was true. Not anymore. Haven't you heard? Fat pipes are cheap and increasingly common these days.

  4. What do you prefer? by miffo.swe · · Score: 3, Insightful

    "Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."

    As a user of said computers/servers I much prefer a script-happy student whimsing around my systems alerting me about security issues. What does worry me are govt-funded hackers stealing sensitive information, research and other secrets, leaving no n00b traces for me to discover. It's not the actual break-in that worries me but what the perpetrator does that's an issue. If someone breaks in but does no harm I can live with that. My feelings may get hurt but the company is ok at least.

    An application/OS vendor of course prefers the stealth hacker, since the student hacker brings into attention all the various security issues with their products and makes people look for other options. Many vendors prefer a company being hacked to pieces before letting an exploit be known publicly. Microsoft's own exploit policy is a very telling sign of this. As long as an exploit isn't used extensively it's not going to get patched regardless of how many systems are exploitable. That worries me at night...

    --
    HTTP/1.1 400
    1. Re:What do you prefer? by Bert64 · · Score: 2, Insightful

      I doubt it's students in control of those .edu systems...
      They are probably being used as jump boxes by hackers operating elsewhere, including those government sponsored ones.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Computer Security what is a crime and what isn't? by mlwmohawk · · Score: 4, Insightful

    I hear a lot of people make the analogy that computer breaches are like breaking and entering, and while some of the actions are, some are clearly not.

    Mischief is the motivation of youth. Vandalism is a form of expression. We've all participated in it in some form, so everyone get off their high horse, and rather than "get tough on crime," it's time to figure out the difference between kids having fun and serious criminals. It is also time to make computer systems in "the digital world" as resilient to mischief and vandalism as real physical buildings are in the real world.

    We've all carved our names in a tree in a park. We've all stolen a pack of gum or something from a store. We've all done petty crimes when we were young. The difference in the digital world is that everything is so brittle and poorly built and the mischief that is expected from youth ends up costing companies [B|M]illions of dollars. In the classic movie, "War Games," a kid practically starts World War III, the analogy fits if you excuse the hyperbole.

    From a societal point of view, we need to separate the smart kids being mischievous from the criminals committing real harm, just like we do in the real world.

  6. Re:1992 Toyota? by GauteL · · Score: 2, Insightful

    He could have a Toyota sports car from 1992 and be very enthusiastic about it you know. Plenty of people would rather spend loads of money on their old MR2 than buy a new car.

    Personally that's not my cup of tea, but it is pretty ignorant to label him as some kind of cheap moron and it is pretty daft to think that a top level manager at Microsoft is somehow a poor man.

  7. Re:Computer Security what is a crime and what isn' by Anonymous Coward · · Score: 2, Insightful

    Mischief is the motivation of youth. Vandalism is a form of expression. We've all participated in it in some form, so everyone get off their high horse

    Ahem.
    Perhaps it is your horse that you should be dismounting from. Don't presume to speak on behalf of everyone else with regard to participation in unruly behaviors. Dipshit.

    We've all stolen a pack of gum or something from a store.

    ORLY??
    Somebody owes me a free pack of gum, then. Apparently I missed "sticky finger day" when I was a kid.

    we need to separate the smart kids being mischievous from the criminals committing real harm

    Your arrogance astounds me. You actually think that "mischievous" behavior and socially irresponsible law breaking is somehow correlated to "being smart". Wow.
  8. Re:students sharpening their pens by jav1231 · · Score: 2, Insightful

    I smell a big Microsoft initiative for securing colleges and universities coming. Government contracts, proprietary model continues, and it's all for our children.

  9. What spooks me by MrVictor · · Score: 2, Insightful

    This security guy cited userland applications as the next battleground in Windows. This, to me, sounds like he is trying to drum up support for completely locking down user space and only allowing signed apps to run in future versions of Windows. Vista already forbids non-signed kernel mode drivers from running and has the ability to differentiate between signed/unsigned user apps. Previously, in XP, signed kernel mode drivers were an option and it was _not_ forced upon you. Application development on Windows in the future might resemble iPhone development, where you have to pay MS or some cert. authority a fee for every app that you want to distribute. As with anything, these future features will be advertised as for improving security when it is really about control and money. These are troubling trends.

    1. Re:What spooks me by mlts · · Score: 2, Insightful

      Actually, those times are upon us, and it's not a bad thing. Any professional software developer will sign their install code, .MSI files, .CAB files, and executables before it ships. It's not uncommon for a company to have a domain policy of refusing to execute any executables on a production network that are not Authenticode signed.

      Why is this not a bad thing? Simple due diligence/CYA. If I install a signed executable from a company and it causes a malware breach, then the damage done can be explained away as not my fault, but the publisher's, and should I be in a publicly traded company, the shareholders would go and sue that company for losses and not the place I work. With signed executables, I can point fingers, which is quite important in a corporate environment where what matters is who is at fault, not fixing what went wrong.

      Code signatures are not 100% security. To use an analogy, a signature is just like the seal on a bottle of aspirin -- it doesn't ensure that the aspirin is of a quality level, but it does show that the stuff hasn't been tampered with.