Re: Does Microsoft Need a New Source Code for the Future?
- From: Dan <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Jul 2008 04:48:01 -0700
*Below is the reply from Chris Quirke and myself to him via email*
"Kerry Brown" wrote:
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:394D204B-1869-46CB-AB1E-3E4B0F265A6B@xxxxxxxxxxxxxxxx
Much of what is spoken of as "security" (even in these security circles)
isn't so much about securing X for Y but against Z, but is about safety,
i.e. making sure that unwanted situation S should never arise.
When I first dropped into security newsgroups and elists, I expected to
see 95% networking and domain-centric user admin, and little that was
relevant to my interests. Instead, I found much discussion of the same
malware attacks and safety failures - the problems I see in my terrain.
To me, that means "malware" is far from being a "solved problem",
despite the resources that professionally-managed IT can throw at it.
As someone with one foot in both camps (I support corporate networks, and I
support home users and very small networks), let me add my perspective.
A lot of IT pros are only concerned with the health of the network not
individual computers. When something goes wrong with a computer it is
removed from the network and fixed. Their security is designed to protect
the network not only from outside attack but from malicious (or even just
dumb) users as well. They aren't concerned with saving data on individual
computers so it's usually easier and much more cost effective just to nuke a
computer that has any problems. This can lead to problems where the IT Pro
really has no idea how dangerous malware is or how to really protect users
from it.
Supporting individual users or very small p2p networks requires a totally
different mindset. In these situations data is scattered anywhere and very
rarely is all the data backed up. To lose one computer could be
catastrophic. At the same time these users expect to be able to do whatever
they want with their computer. To support these users you need to intimately
understand how malware works and how to defend against it.
Of course there is a lot of overlap between the two security paradigms. I
generalised with a very broad brush. I do think there are two very different
mindsets when it comes to computer security and this often leads to one
mindset disregarding the other as not relevant. This is a mistake. The
reality is understanding both mindsets, analysing what the current situation
requires, and applying whatever works from each mindset in this situation is
the best security.
Malware will never be a solved problem. There is too much money in it. As
OS's become hardened social engineering attacks will get better. Attacks
against other pieces of the infrastructure will become more common. The
current DNS problems illustrate this. You can have an invulnerable system
but if you are redirected to hacker.com instead of bank.com and enter your
credentials what good did all that security do you?
Security means different things in different situations and is always a
moving target.
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
At 06:45 30/7/2008, you wrote:
Kerry Brown has responded and his reply seems to make sense.
Yes, he usually does - and I see he's also trying to get back OT.
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
Much of what is spoken of as "security" (even in these security circles)
isn't so much about securing X for Y but against Z, but is about safety,
i.e. making sure that unwanted situation S should never arise.
When I first dropped into security newsgroups and elists, I expected to
see 95% networking and domain-centric user admin, and little that was
relevant to my interests. Instead, I found much discussion of the same
malware attacks and safety failures - the problems I see in my terrain.
To me, that means "malware" is far from being a "solved problem",
despite the resources that professionally-managed IT can throw at it.
Kerry Brown says:
As someone with one foot in both camps - networks, home users ...
A lot of IT pros are only concerned with the health of the network not
individual computers. When something goes wrong with a computer it is
removed from the network and fixed. Their security is designed to protect
the network not only from outside attack but from malicious (or even just
dumb) users as well. They aren't concerned with saving data on individual
computers so it's usually easier and much more cost effective just to nuke a
computer that has any problems.
Supporting individual users or very small p2p networks requires a totally
different mindset. In these situations data is scattered anywhere and very
rarely is all the data backed up. To lose one computer could be catastrophic.
In essence, you have all the same things that a network has, but on the
same PC (or across a few undifferentiated PCs). The network approach
relies on significant material being concentrated on a few well-protected
PCs, so that the bulk of other PCs can be cheaper and more disposable.
That approach just does not scale down to peer LANs and standalones,
unless you scope *within* the same PC the way that sysadmins scope
between servers and workstations.
We're a long way from that goal. Though some may wave reduced user
rights as a solution, this does not protect user data from what can go
wrong within that user's session; at best, it can protect multiple user
accounts from each other, which isn't useful on single-user PCs.
At the same time these users expect to be able to do whatever
they want with their computer.
This is a political thing, and has already been decided in real life, with
the general approach being that a person's "home" is sacrosanct from
arbitrary search, seizure and so on. In other words, unless your time
and rights have been bought while you use a PC owned by someone
else, you expect to be the top of the control pyramid for "your" system.
That's why it's counter-intuitive to tell free users that they should limit
their rights on their own PCs - especially on an OS that is designed to
allow remote access to trump those rights, content providers to subvert
those rights via DRM, and so forth. It's all too easy for those hidden and
powerful mechanisms to be hijacked by malware.
To support these users you need to intimately understand
how malware works and how to defend against it.
And how to manage the "infected state".
Any PC can be infected, and as a fully successful infection may show
no abnormal signs, you're more or less obliged to consider every PC as
infected until proven otherwise. That's why you need unspoofable tools
to detect infected states, manage common integration points, etc.
Of course there is a lot of overlap between the two security paradigms. I
generalised with a very broad brush. I do think there are two very different
mindsets when it comes to computer security and this often leads to one
mindset disregarding the other as not relevant. This is a mistake.
Yep. The scene is dominated by the concerns of large managed networks,
not only because they are MS's largest and best-spending customers, but
because tech communication is easier within the group-think that follows
when everyone has been through the same training paths.
Such folks may callously disregard the interests of the "small" user, or apply
a lower standard of acceptability. Lose all data and wipe the PC? If it's only an
end user or workstation, then sure; why not. PC's down for a few days? Just
wheel in another workstation from stores to use in the meantime. It's an end
user with everything on one PC? Well, they won't be doing anything important,
so it doesn't matter if they're down for a while.
From their own interests, the mistake in doing so is that when large numbers
of consumers get infected, the malware industry grows on the revenue, and
can use all of those systems as a hammer against large networks.
The reality is understanding both mindsets, analysing what the current
situation requires, and applying whatever works from each mindset in
this situation is the best security.
The ultimate point of conflict between the two approaches is: When you have
an "admin" acting remotely, versus a user at the keyboard, who should win?
Malware will never be a solved problem. There is too much money in it.
The industry has grown out of Pandora's Box, and that can't be undone.
Most of the opportunities for such growth have come from poor safety
judgements built into our systems, which boil down to a few basic things:
- not indicating risk when presenting material (e.g. files)
- not limiting actions to the risks presented
- automatically taking risks beyond user intent (e.g. macros in "docs")
Today, we may have fewer by-design opportunities to attack systems, e.g.
you prolly can't simply stick an auto-running script in an email "message
text" and have that automate Outbreak to spread your malware to all the
addresses that are in the system's address book.
Instead, you'd more likely have to exploit some code defect within some
exposed surface, and that takes far larger tech resources. Unfortunately,
there's now sufficient malware finance available to fund those resources,
and plenty of malware coders who grew up in the easy "virus hobby" era.
As OS's become hardened social engineering attacks will get better.
Yep - and those ride on the back of software safety failures, which dumb
things down to the point that the user lacks concepts of data safety vs.
code risk. It doesn't take much computer savvy to know that running a
code file is higher risk than viewing a data file, yet even that simple and
crucial difference is lost by a UI that hides types and calls both "open".
Attacks against other pieces of the infrastructure will become
more common. The current DNS problems illustrate this.
Yup. The resources to match the large system design vendors are
there, and are being used. Just as we move further into "the network
is the computer" and accept dumb reliance on av and patching, so we
may see malware breaking into the unique addressing between network
entities, exploiting surfaces within av, and hijacking update delivery.
You can have an invulnerable system
...so you need the ability to formally manage the infected state...
but if you are redirected to hacker.com instead of bank.com
and enter your credentials what good did all that security do?
Another way to look at this, is:
- we can never "clean the Internet"
- so we break off and clean bits of it, i.e. LANs and systems
If seamlessly merged into the Internet, you can't avoid the first and
can't apply the second. Remember that, when "designing the future".
Security means different things in different situations and is
always a moving target.
What you (as a user or customer) want to avoid is an arms race.
But an arms race may suit your vendors just fine.