Credits: ©1997/2004, Active Network. All Rights Reserved. Layout & Design by Designer Dream. Content written by the Active Network team. Please click here for full terms of use and restrictions or read our Privacy Statement.
Time: 10:21 EST/15:21 GMT | News Source: CNET | Posted By: Robert Stein
A senior executive with U.S.-based software giant Microsoft has dismissed a report published last week that Windows dominance poses a security threat.
The firm's chief technology officer Craig Mundie said that the controversial report--which led to its author being fired by his firm--could be the work of anti-Microsoft groups, reported news daily The Times of India.

#1 By 16302 (64.201.211.161) at 10/1/2003 10:46:31 AM
If you read this guy's report - it's no wonder he was fired!
It's not that the report was controversial, it's that it is way off base and obviously obsessive on one point without being balanced. For example, he blames everything on the dominance of the Microsoft platform, but using his own logic, the Internet is based completely on TCP/IP with an even higher percentage; perhaps we should diversify and have multiple internet protocols? I think not! The author goes way too far into stating his views of the Microsoft monopoly (all been hashed through the courts - nothing new) and to this extent he strays from the topic.
I would doubt any conspiracy theory that Microsoft had him fired or that the report was the work of anti-Microsoft groups. The report is obviously the opinion of a few individuals and is nothing more than their opinion. It bears very little relevance to the real world.
The premise of the report is sound though - if all computers on the internet are using the exact same platform, yes, there is a higher probability that an attack could be made. That said, there are many better ways to reduce this risk than for the government to meddle in the economy and mandate the use of alternative OSes. For example, ISPs should filter with firewalls and implement IDS systems; people should upgrade their computers with recent security hotfixes; everyone should run virus scanners; people who click on executable attachments in their email should have their computer and internet privileges revoked; corporations should use firewalls with active updates of stateful inspection rules, and so on.
It's too bad the author has such a narrow point of view.

#2 By 3 (62.253.128.7) at 10/1/2003 11:02:15 AM
"checks job paper"

#3 By 135 (209.180.28.6) at 10/1/2003 1:57:10 PM
JWM - "TCP/IP is open. Nobody makes money from their TCP/IP monopoly. "
Interesting response, and it confirms that the justification for this report was anti-competitive rather than because they really believed it was the right thing to do.

#4 By 16302 (64.201.211.161) at 10/1/2003 2:35:20 PM
JWM (#6) - I think you miss my point. My point is that his conclusions are that Windows is everywhere therefore it is a significant security risk and the government should enforce diversification on the grounds that a single product is a security risk. Apply the same logic to transports, and it would imply that the author would have to conclude that TCP/IP is a security risk because it is used on all hosts on the internet.... The jump to the age-old Microsoft is abusing its monopoly status is a completely different topic and does not belong in his paper.

#5 By 135 (209.180.28.6) at 10/1/2003 5:36:52 PM
It's interesting. I received an email alert today from SANS talking about the Geer dismissal. Northcutt made a point about how monoculture was necessary because there weren't any alternatives. Then Schneier made some comment about how Geer's reasoning was sound.
So I responded and said I thought Northcutt's point was understated and this business about monoculture was overstating a ridiculous comparison between software and genetics. Yes, having only one breed of banana is a bad thing, but you know why? It's because you can't change the basic structure of a banana, whereas you can with software. The monoculture argument also doesn't address the basic "why do we even have computers" argument.
Anyway one of the people at SANS responded to my email and said they pretty much agreed over there, and this debate had generated some pretty heated opinions.

#7 By 135 (209.180.28.6) at 10/2/2003 10:43:08 AM
schwit - "These days, it's hard to find any security expert who doesn't think that platform diversity is a no-brainer, accepted security strategy."
Argument by Absurdness...
There are many security experts out there who do not think this is a no-brainer. As I mentioned before, Stephen Northcutt at SANS appears to believe the issue is far more complicated than these people make it out to be. Furthermore, Geer contacted many other security experts and was unable to get their endorsement on his paper.
So sorry... The article is wrong, terribly wrong, and does nothing to help us.

#8 By 1845 (12.209.152.69) at 10/2/2003 12:56:38 PM
For the uninformed among us, I'd like someone to answer a little question for me.
The white paper derides the monoculture of Windows everywhere. The idea is a bug which affects one Windows machine will cascade to all Windows machines, thus killing the entire network. The paper also says that complexity is the enemy of security.
This sounds contradictory to me. The more variety added to a system, the more complexity increases. If complexity is the enemy of security, then doesn't it stand to reason that a monoculture is more desirable than extreme diversity (e.g. complexity) in the system?

#9 By 3339 (66.219.95.6) at 10/2/2003 2:07:18 PM
Bob you are bleeding together where the monoculture and complexity arise. The complexity arises from MS's desire to maintain their monopoly by introducing features which function across their products (Exchange, IIS, Outlook, Office, Windows, WMP, etc). Microsoft's products then become more complex and susceptible to attacks that can exploit 1 piece of the puzzle but affect the whole. This is far, far less true of other systems if at all because they take a simpler approach and do not have a monopoly to maintain. Complexity of this kind is problematic because it is exploitable and the cascades may not be considered beforehand.
However, placing non-MS systems at the perimeter of a network or having a redundant mail system doesn't increase this type of complexity because the software code doesn't interact in a complex way. It simply provides redundancy or an alternative.
The network infrastructure is a monoculture. The code interaction between MS software products is complex. Introducing systems which do not interact with MS code does not increase the complexity of the code.
I've seen several people make this simplification, but I think it's perfectly clear what the monoculture is and where the complexity lies. For example, a room with two human twins in it is not a diverse genetic pool, but the humans are complex systems. Add a single cell bacteria to the room and the diversity has increased. But the humans are just as complex and the bacteria is still just as simple.
This post was edited by sodajerk on Thursday, October 02, 2003 at 14:10.

#10 By 135 (209.180.28.6) at 10/2/2003 2:15:14 PM
BobSmith - Very good points, and you're right. Security is easier to maintain the less complex your environment is. Fewer points to audit, repair, shore up, etc. It's why castles have only one gate.
I still stand by my initial observation that these people publishing and promoting these articles are not at all interested in security, or in solutions for customers. They are interested in selling their competing product, and they use these side issues as excuses to try to convince people to go that way.
For instance, I'll note that Schneier argues both this monoculture thing, but he also claims that software shouldn't have bugs to begin with. So which is it? Monoculture assumes that you are inevitably vulnerable and can do nothing to protect, prevent or fix that.
I see lots of whining, but I don't see solutions.

#11 By 3339 (66.219.95.6) at 10/2/2003 2:40:45 PM
"Security is easier to maintain the less complex your environment is." Maintaining security is not the same as securing in the first place. You see, you are so used to MS that you think applying patches equates to the security process.
If you create redundant non-MS systems to back up file systems, DBs, email systems, you have made your network MORE secure. If it is used as an alternative, it will not be exposed to the wild. If the MS systems are attacked, the attack will not spread to the non-MS systems. Thus, your infrastructure is MORE secure even if there is MORE maintenance.
Do you think high security buildings, facilities, organizations with good security records, do not have large numbers of redundancies that require vigilance and maintenance but are rather quite simple?
If you can apply one type of patch, you can apply another type of patch. More involved maintenance doesn't diminish the fact that you have a more secure infrastructure.

#12 By 135 (209.180.28.6) at 10/2/2003 6:52:35 PM
sodajerk - "The complexity arises from MS's desire to maintain their monopoly by introducing features which function across their products (Exchange, IIS, Outlook, Office, Windows, WMP, etc)." then "This is far, far less true of other systems if at all because they take a simpler approach and do not have a monopoly to maintain. "
It's not clear how other systems are less affected by this. You're confusing popularity of applications with complexity. All Windows 2003 servers come with IIS as a possible install, but it is not installed; similarly all Redhat 9.0 come with Apache but it is not necessarily installed.
"The code interaction between MS software products is complex. Introducing systems which do not interact with MS code does not increase the complexity of the code. "
It does not increase the complexity of the MS solution, but it increases the complexity of the overall environment. So again, it's not clear that you are gaining anything. It seems like you would do better to simply educate yourself on the MS systems so that they do not appear complex to you.
"I've seen several people make this simplification, but I think it's perfectly clear what the monoculture is and where the complexity lies."
No, you're just trying to confuse the argument to sell a competing product, and this absurd argument really adds no value to the discussion other than as a distraction from the real issues.

#13 By 135 (209.180.28.6) at 10/2/2003 6:58:18 PM
sodajerk - "If you create redundant non-MS systems to back up file systems, DBs, email systems, you have made your network MORE secure."
Perhaps, but that is not what we are talking about here.
"If it is used as an alternative, it will not be exposed to the wild."
This statement is wrong.
"If the MS systems are attacked, the attack will not spread to the non-MS systems."
That's not true. The problem that we have had with all forms of network attacks is that they spawn off and start scanning the network. Systems which have been patched or otherwise not vulnerable are still impacted by these network scans as a DoS. Considering only one Linux machine taken over by a worm can potentially bring down an entire network segment, this is not a reliable assumption for your system security. The point being, the problem is broader.
"Thus, your infrastructure is MORE secure even if there is MORE maintenance."
The conclusion does not follow from the statements given.
"Do you think high security buildings, facilities, organizations with good security records, do not have large numbers of redundancies that require vigilance and maintenance but are rather quite simple?"
The Pentagon has a couple of front doors with guards. Do you think they also put in a side door, unlocked and unguarded and say to themselves "Well nobody knows about this door, so it's safe."?
"If you can apply one type of patch, you can apply another type of patch. More involved maintenance doesn't diminish the fact that you have a more secure infrastructure."
But you haven't created a more secure infrastructure. You've simply created a more complex one that results in higher maintenance costs. Either that or you've created a solution with a false sense of security, such as your backdoor in the building that you think nobody knows about.

#14 By 3339 (66.219.95.6) at 10/2/2003 7:36:58 PM

"It's not clear how other systems are less affected by this." It certainly is clear. No other system has an email application that executes code without even opening the email by default.
"You're confusing popularity of applications with complexity." No, I am specifically referring to VB, ActiveX, and other technologies that can affect a variety of applications and systems of MS from a single entry point. This is not true on other systems whether or not they are popular.
"All Windows 2003 servers come with IIS as a possible install, but it is not installed, similarly all Redhat 9.0 come with Apache but it is not necessarily installed." And? That's one example. There are many others. Most other systems do have EVERYTHING off by default. And Apache does not have issues like an ActiveX control embedded in a WM file affecting IE and IIS. The chain of complexity is ridiculous despite the desirability of the features. MS accomplished this when it was desirable, but patching the holes is quite complex.
"It does not increase the complexity of the MS solution, but it increases the complexity of the overall environment." You're confusing quantity with complexity. The introduction of another system doesn't increase the porosity of the windows systems. And the windows systems do not affect the security of the other systems. Thus, they can be used to back each other up. But you do not have the situation where you are creating a new entry point to an existing system by introducing a new system.
"So again, it's not clear that you are gaining anything." Sure you are, security.
"It seems like you would do better to simply educate yourself on the MS systems so that they do not appear complex to you." Again, you are acting as if applying patches is security. It's not. Complexity isn't a matter of a patch process. It is a matter of the way MS develops its code. No level of understanding is going to overcome the ability of hackers to exploit this interdependence of applications.
"No, you're just trying to confuse the argument to sell a competing product, and this absurd argument really adds no value to the discussion other than as a distraction from the real issues." I'm selling something? Crackhead. I'm answering Bob's question. Complexity is definitely being used specifically to refer to the interrelationship of shared MS code across apps and systems. You are overgeneralizing by equating quantity with complexity. If you introduce a new entity but the new entity doesn't interact with the existing system, the architecture is not inherently more complex.
This post was edited by sodajerk on Thursday, October 02, 2003 at 20:00.

#15 By 3339 (66.219.95.6) at 10/2/2003 7:37:19 PM

"Perhaps, but that is not what we are talking about here. " It definitely is. If you misunderstand and intend to distort this paper that's not my problem. But my point is certainly exactly at the heart of this paper.
"Systems which have been patched or otherwise not vulnerable are still impacted by these network scans as a DoS." And? I simplified, but the point is it is more secure. And is much easier to detect. Your hypothetical doesn't exist now. You create the need for hackers to devise a virus that not only attacks MS, but then scans for Linux, and then attacks Linux. If a patch exists for either system, you are protected. There are now two points of required failure rather than one.
"Considering only one Linux machine taken over by a worm can potentially bring down an entire network segment, this is not a reliable assumption for your system security." This is really pathetic. Now your hypothetical is dependent on an architecture where the entire network is dependent on one box? The same can be said of Windows. You can certainly build a network dependent on one box and one worm can definitely take it down. (So are you saying that MS is a poor choice for security? I don't get what is any different on this matter.) I said build systems that would require penetrating and bringing down both to have any success. For some reason, you are claiming that the need to penetrate two separate and disparate systems is less secure than penetrating one. How the fck can you claim so?
"The Pentagon has a couple of front doors with guards." They have one main entrance and many entrances to inner buildings and more secure areas... square miles of perimeters around multiple buildings with many courtyards. With heat sensors, motion sensors, video cameras. Armed patrols. Dogs. Aerial recon. Satellite recon. Overlapping patrols, multiple checkpoints outside (before you reach the building, as you enter the perimeter, coming up, at the door) and within the building with different ID checks (visual, magnetic, fingerprint, etc) and multiple metal, bomb, X-ray detection units. Don't try to be retarded and claim there is one security checkpoint at the Pentagon. The point is: multiple independent security systems is different from complex systems which are interdependent, hence creating the potential for cascading failures. Layering of discrete security systems is MORE secure than relying on one provider who builds all of its applications/systems with interdependent code.
"Do you think they also put in a side door, unlocked and unguarded and say to themselves "Well nobody knows about this door, so it's safe."?" And, again, you have to act retarded and claim that I'm flinging open the door in order to rebut the point when I said to either layer the perimeters or simply use alternate systems as redundant backups. But fool yourself with whatever idiocy you'd like. It's more like the side door is within the first door and the guards have a different supervisor and training than the first crew who are drunk and asleep.
"But you haven't created a more secure infrastructure." Yes, you have. Show me the virus that is capable of penetrating multiple systems, and I'll show you another system that is not affected. If that system stood in the way of that virus, you are more secure. Even if such a multiplatform virus existed, you are still more secure because you are requiring more robust, more sophisticated viruses which are rarer. You are reducing the number of ways to attack and increasing the skill required to do so. All other viruses are easily stopped by a two layer system nevermind more than two.
This post was edited by sodajerk on Thursday, October 02, 2003 at 19:57.

#16 By 3339 (66.219.95.6) at 10/2/2003 7:58:11 PM

"You've simply created a more complex one that results in higher maintenance costs." Not necessarily. If you do so with staff that only know one thing, of course, you have a problem. But the same way web designers can design cross-platform sites as quickly and cost effectively as those that build for one platform, there are certainly IT professionals that are equally adept at multiple systems. The additional layers of protection means that breaches are detected before they become more costly, and maintenance becomes cheaper. Are you suggesting all of the Windows virus and worm attacks have been CHEAP?
"Either that or you've created a solution with a false sense of security, such as your backdoor in the building that you think nobody knows about." Only if you build it like an idiot.
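The two propagation points argued over in #13 (a worm's scans still land on patched or foreign hosts, so immune systems absorb the traffic) and #15 (a worm built for one platform cannot cross to a second platform, so an attacker needs two independent failures) can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the article, from CNET, or from any of the commenters. The random-graph topology, the 2000-host count, the 30% patch rate and the 50/50 platform split are all assumptions chosen for the demonstration, and it is a toy model of spread, not a measurement of any real network.

```python
import random
from collections import deque

# Added example (not from the original thread). Toy worm-propagation model for
# the monoculture debate: hosts form a random graph, each host runs exactly one
# platform, and a worm that exploits platform "A" spreads from an infected host
# to every unpatched neighbour that is also on "A". Hosts on other platforms or
# already patched are never compromised, but every probe that lands on them is
# counted as wasted scan traffic (the DoS side effect raised in comment #13).
# All numeric parameters below are assumptions for the demonstration.


def build_network(n, degree, platform_shares, patch_rate, rng):
    """Return (platforms, patched, adj) for n hosts.

    platform_shares maps platform name -> fraction of hosts running it.
    patch_rate is the fraction of hosts already immune to the worm's exploit.
    Each host links to `degree` random peers; links are undirected.
    """
    names = list(platform_shares)
    weights = [platform_shares[name] for name in names]
    platforms = [rng.choices(names, weights)[0] for _ in range(n)]
    patched = [rng.random() < patch_rate for _ in range(n)]
    adj = [set() for _ in range(n)]
    for u in range(n):
        for v in rng.sample(range(n), degree):
            if v != u:
                adj[u].add(v)
                adj[v].add(u)
    return platforms, patched, adj


def simulate_worm(platforms, patched, adj, target, seed_host):
    """Breadth-first spread of a worm that only exploits platform `target`.

    Returns (set of compromised hosts, number of probes that hit immune hosts).
    """
    if platforms[seed_host] != target or patched[seed_host]:
        return set(), 0
    compromised = {seed_host}
    wasted_probes = 0
    queue = deque([seed_host])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if platforms[v] == target and not patched[v]:
                if v not in compromised:
                    compromised.add(v)
                    queue.append(v)
            else:
                # The worm still scans this neighbour: the host is immune to the
                # exploit but absorbs the traffic.
                wasted_probes += 1
    return compromised, wasted_probes


def outbreak(platform_shares, target="A", n=2000, degree=4, patch_rate=0.3, seed=7):
    """Seed the worm on the best-connected vulnerable host and report
    (fraction of all hosts compromised, wasted probes)."""
    rng = random.Random(seed)
    platforms, patched, adj = build_network(n, degree, platform_shares, patch_rate, rng)
    vulnerable = [i for i in range(n) if platforms[i] == target and not patched[i]]
    if not vulnerable:
        return 0.0, 0

    def vulnerable_degree(i):
        return sum(1 for v in adj[i] if platforms[v] == target and not patched[v])

    seed_host = max(vulnerable, key=vulnerable_degree)
    compromised, wasted = simulate_worm(platforms, patched, adj, target, seed_host)
    return len(compromised) / n, wasted


if __name__ == "__main__":
    mono, mono_wasted = outbreak({"A": 1.0})
    mixed, mixed_wasted = outbreak({"A": 0.5, "B": 0.5})
    print(f"monoculture: {mono:.1%} of hosts compromised, {mono_wasted} wasted probes")
    print(f"50/50 mix:   {mixed:.1%} of hosts compromised, {mixed_wasted} wasted probes")
```

In the single-platform case the worm reaches essentially every unpatched host, so the compromised fraction tracks the unpatched share of the network; in the 50/50 case it is capped by the unpatched share of platform "A" alone, because the "B" hosts are unreachable by construction (the #15 point). The wasted-probe count stays large in both runs, which is the #13 point: hosts that cannot be exploited still receive the scan load. The model assumes patching is independent of platform and that the worm has exactly one exploit; a multi-platform worm would need a second `target`, which is the "two points of required failure" the thread argues about.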