What Spooks Microsoft's Chief Security Advisor
alphadogg writes "Microsoft's U.S. general manager/chief security advisor for its National Security Team, Bret Arsenault, thinks like a true security professional. In every bit of good news, he wonders what bad news could be coming. Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."
Fatter pipes are bigger targets to would-be evildoers, as they give them more bandwidth with which to carry out their nefarious deeds. That makes a rooted .edu box almost as important a component of Dr. Evil-in-Training's arsenal as a hollowed-out volcano island.
Caesar si viveret, ad remum dareris.
No T1 directly into my dorm... unless you're at MIT, chances are you're starved for bandwidth and have to sleep during the day and game all night to get any decent pings.
Hell, you can kill someone and not even get that much time. If you're rich or a politician you can get off completely.
I agree with punishment fitting the crime, but I think you put too much value on the damage they cause. The simple fact is that too few people take the required steps to protect themselves. People have locks on their homes and cars, they don't normally allow complete strangers inside, and most people won't give out personal information to complete strangers they meet. Yet when it comes to the net it seems as if all bets are off; you never know what they will do - other than it being stupid.
I am all for punishment, but damn, people put more value on things and animals than human life.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
The reason why the security flaws are dropping is because the 2 largest groups of crackers are operating under foreign govs. The Russians were out to make money, but now operate with the Russian gov. In addition, the Chinese crackers have also switched up. Why? Because they can do all this legally in their country and not worry about a bullet to the brain. The simple fact is that 5 years ago, these folks were cracking systems for money. Now, they are cracking targeted systems (i.e. DOD) and using subtle openings. Almost certainly the big openings are being saved for future use.
When I got pissed off enough by spam around 1994/95 at university, I would launch DoS attacks (syn flooding) against the offending websites :)
I'm sure there are plenty of students young and stupid like I was at the time.
is that you end up making shortcuts to bring products to market as quickly as the public demands with software.
It also doesn't help that software rarely has a chance to mature into a known quantity before it is tossed out for something new.
I've been tasked to junk systems that weren't perfect, but that worked well enough to get the job done because the customer was pissy about them. Rather than tell their people to get over it, they wanted something new.
And lo and behold, you might say "meet the new system, same as the old system" because they traded one not perfect system for another not perfect system that had its own new issues.
Mind you, I wouldn't have expected anything less from Microsoft's Chief Security Advisor.
Among the most frustrating findings for Arsenault: Just over half of all attacks originated from the .edu domain. "[That's] a fundamental problem," he said. "We've got to do a better job with the university systems to stop that."
There's a simple solution: stop maintaining the fiction that one company and one operating system can do it all. If you want to be a vendor of high-uptime, high-reliability systems, concentrate on that market segment and stop marketing your systems to the mass market. On the other hand, if you want to be a vendor of flaky commodity operating systems, stop worrying about your systems not being secure and stop marketing them as such (oh, and run your own corporate operations on something that actually is secure).
With Vista and other new products, Microsoft ships the hardening guide along with the product.
Dell, Toshiba, HP, et al. do not send that documentation along with a new machine when Vista is pre-installed. Could they be held accountable for people getting pwnd? Could this be an opening to get the M$ tax back when someone is forced to buy a machine with Vista on it?
Having to work for a living is the root of all evil.
I guess I'm just a "goody two shoes." When I was growing up, I never stole a pack of gum (or anything else) from a store. I never carved my name in a tree or participated in vandalizing something at all (much less as a "form of expression"). My motivations in my youth had nothing to do with mischief. I did experiment with computers, but they were my own computers or they were the school's and I was acting within the limits of my classroom activities. For example, when asked to program a slot machine program on an old Apple IIe, I finished *way* before everyone else. So I started adding in more features. I added in betting, and still people weren't done. So then I added in a mobster that you could borrow money from if you were broke. (I coded it so that you either paid him back in a certain number of turns or he broke an arm and a leg of yours, took all of your money, and the game ended.) I was exploring the limits of what my coding could do, but it was without causing harm/damage to someone else's property.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
He's also a pretty cool guy. His group sponsors big security awareness events twice a year for MS customers - and these are real sessions, not PR fluff. Bret is friendly and accessible.
If he's at RSA this year, drop by the MS booth and say hi to him.
"Flyin' in just a sweet place,
Never been known to fail..."