Microsoft teaches security

kamper

Diamond Member
Mar 18, 2003
I just had to laugh when I read this. I suppose it's not so stupid but the initial idea of Microsoft training other people about security is pretty funny.
 

n0cmonkey

Elite Member
Jun 10, 2001
When was the last time you saw microsoft.com getting hacked? XP SP2 should be fun.
 

Verdant

Member
May 8, 2003
if you have used any new microsoft software from the past year you would probably not make such comments...

the biggest reason there are so many problems is because no one reads the manual...
 

kamper

Diamond Member
Mar 18, 2003
Originally posted by: Verdant
if you have used any new microsoft software from the past year you would probably not make such comments...

the biggest reason there are so many problems is because no one reads the manual...

Hah! And Microsoft's biggest argument against Linux is lower total cost of ownership because MS software is easier to use. Force people to start reading manuals and that argument loses most of its momentum. I think admins should understand the products they use, but if you're going to put that effort in then why are you using Microsoft products anyway? Reading the manual is not a sufficient substitute for code that is free from buffer overrun holes and other such cracker treats.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: kamper
Originally posted by: Verdant
if you have used any new microsoft software from the past year you would probably not make such comments...

the biggest reason there are so many problems is because no one reads the manual...

Hah! And Microsoft's biggest argument against Linux is lower total cost of ownership because MS software is easier to use. Force people to start reading manuals and that argument loses most of its momentum. I think admins should understand the products they use, but if you're going to put that effort in then why are you using Microsoft products anyway? Reading the manual is not a sufficient substitute for code that is free from buffer overrun holes and other such cracker treats.

Can you give examples of complex, but bug-free code?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: BingBongWongFooey
No code can be proven to be bug-free.

That was my point in response to:
Reading the manual is not a sufficient substitute for code that is free from buffer overrun holes and other such cracker treats.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
And they're two different things. An end user probably shouldn't need to read a manual, while an admin should have read a billion already.
 

RickyRoma

Linux has its share of exploits also. I guess the elitist Microsoft bashing will never end no matter what strides Microsoft makes to improve their software.
 

drag

Elite Member
Jul 4, 2002
Well you know the old saying (or cliché, depending on your point of view),

"Those that can't do, teach."

:p

common sense-based disclosure:
(yes MS has shown vast improvements in the past couple of years, it's just that historically Windows has the worst track record of pretty much any OS anywhere. So don't get uptight with me, it's just a joke.)
 

chsh1ca

Golden Member
Feb 17, 2003
"A chisel is only as useful a tool as the sculptor who wields it." -- in my mind, that applies universally.

To laugh at Microsoft educating administrators about patching boxes is just plain wrong IMO. Microsoft had a very valid point when they said recently that they believed that full disclosure was hurting them in terms of security. It is a basically provable fact that a large number of the hardest-hitting worms over the last two years have resulted from full disclosure of vulnerabilities. It does not apply universally, and during that time there have been some effectively 0-day worms running amok. I say "effectively 0-day" because it usually takes a few days/weeks for Microsoft to get a patch out. Sure, they haven't had the best track record even with patches -- there was a string of vulnerabilities they patched that subsequently undid other patches -- but that is far from being relevant to user and admin education. I suspect you will also see some major revisions to the MCSE in the coming months that will push the security and updating-regularly issue even more than it already has been.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: BingBongWongFooey
And they're two different things. An end user probably shouldn't need to read a manual, while an admin should have read a billion already.

I'm not a car mechanic, or a professional driver, but I had to read a manual or two.

And no, RTFMing is not a substitute for better software, but it helps. A lot of Windows problems would have been solved by a little RTFMing.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
Originally posted by: RickyRoma
Linux has its share of exploits also. I guess the elitist Microsoft bashing will never end no matter what strides Microsoft makes to improve their software.

It goes both ways: there are just as many people willing to ignore truth and logic and defend microsoft just because of some silly loyalty. Bigots, zealots, and fanboys exist for nearly everything.

I prefer to declare everything sucky and play devil's advocate, pissing everyone off at times while making few enemies. ;)
 

drag

Elite Member
Jul 4, 2002
Originally posted by: chsh1ca
To laugh at Microsoft educating administrators about patching boxes is just plain wrong IMO. Microsoft had a very valid point when they said recently that they believed that full disclosure was hurting them in terms of security. It is a basically provable fact that a large number of the hardest-hitting worms over the last two years have resulted from full disclosure of vulnerabilities.

Full disclosure is what makes OSes safer than they were just a few years ago. MS saying full disclosure is hurting them is marketing BS and an attempt to point the finger at other people.

Security professionals for the most part are professionals. They rely on their reputation for business, and releasing vulnerabilities before patches are available hurts them as much as everybody else. The idea that they do it for sensationalism is mostly false, except for the fact that they at least want credit for their work.

You see, for a long time these people tried to point out problems and get patches for them. Most large software vendors were guilty of ignoring problems; MS was just a big fish that was habitually badly behaved. Other companies like Sun had some of the longest-running unfixed vulnerabilities.

So once they told these companies these problems existed, they just waited for patches that never came.

So, exasperated, they simply started publishing details.

Then they had to contend with threatened lawsuits and accusations from big companies (who don't want to admit to publishing faulty software and then not fixing it for months, even years, after it had a known problem), so in self-defense and to remain credible they had to start publishing "proof of concept" code that system administrators could use to test their servers to see if they were vulnerable.

Personally I have used these things to break out of a chroot jail; I even did it once to fix an issue that I was having with a computer's OS that I was installing remotely over the internet.

Tools like Nessus use these tools to help administrators do detailed audits of their networks and systems to improve security.

You see, once people started publishing this data, that's when companies like MS started responding to security issues. Before that their attitude was "If nobody knows it's a security issue, then it's not a security issue."

If you want to look up worms and stuff you'd notice that in 95% of the cases, and especially big worms, MS was notified months in advance that people were going to publish details of the vulnerabilities, MS and whatever security group negotiated a reasonable time frame for a patch, and then after MS had released the patch for a while, these people reported their findings.

If MS seemed like they were dragging their feet, then they would release details anyway.

Mostly it's lazy or uneducated administrators and users that are the cause of most viral and worm outbreaks.

Full disclosure is a necessary evil, and has a proven track record of getting people fixes and resolving issues before they become real issues.

Remember that worms just imitate (badly) the basic steps a human goes through to exploit a vulnerability; anybody that gets nailed with a worm would probably just as easily get nailed by a cracker.

The difference is that a cracker can cover his tracks, while most worms don't.

(oh and MS DEFINITELY isn't the only one guilty of dragging their feet or ignoring issues. Sun, Apple, IBM and most any other major software manufacturer was guilty of it, most times they were guilty several times. For instance Sun was famous for not releasing patches for some issues that were known for years in a couple of cases)
 

Verdant

Member
May 8, 2003
just going to restate that from a technical perspective, and speaking with microsoft employees, their software from this day forward is going to be much more secure, in fact i wouldn't doubt that on average it will have superior security to most *nix machines.

should they have made this shift earlier? most definitely... but one has to remember that when windows was developed features were the big push, and the internet wasn't really a factor,

you also must remember that there have been very few exploits that SHOULD have affected any machines, this is partially due to negligence of the end user, as well as microsoft.

solving the issue of security is not just about microsoft, no matter how secure they make it out of the box, they will need to make some features available... without it there is no product. with features comes configurability, with configurability comes the possibility of making a computer insecure... as long as they are making software that is configurable they should be teaching people how to use it properly and securely, that is why this is a good idea... (consequently, microsoft has been teaching security for many years)
 

xyyz

Diamond Member
Sep 3, 2000
Originally posted by: kamper
I just had to laugh when I read this. I suppose it's not so stupid but the initial idea of Microsoft training other people about security is pretty funny.

no offense, but grow up. this is more the rubbish a silly script kiddie who wears a penguin tee-shirt 'cause it makes him *look* 733t would say. it's not something you'd ever catch from the mouth of a seasoned administrator.

what's this supposed to mean? any OS worthy of an enterprise environment needs to be hardened. you think linux, off the bat, is any more secure than win2k3 server? a poorly configured machine, even if it's an OpenBSD machine, is a big security risk.

the entire point of security is to be proactive about it. this means doing anything from locking down your boxes to generating and applying a solid security policy that covers everything from the physical to the theoretical (well maybe not so much theoretical... but you know what i mean.)

personally, i think it's a great idea that MSFT is offering these free hands-on training seminars to those who want to know how to secure their MSFT systems.
 

Sunner

Elite Member
Oct 9, 1999
IMO Microsoft's biggest security issue isn't with their code, at least not these days.
It's the fact that their general "way of thinking" encourages bad admin habits.

Wizards preconfiguring everything, cute manuals explaining things in far too simple terms, etc.; the result is the vast number of incompetent Windows admins out there.
In the case of servers, forcing people to RTFM is a Good Thing.
 

chsh1ca

Golden Member
Feb 17, 2003
Originally posted by: drag
Full disclosure is what makes OSes safer than they were just a few years ago. MS saying full disclosure is hurting them is marketing BS and an attempt to point the finger at other people.
I agree with that statement, but keep in mind, full disclosure's biggest con has got to be the ease with which a virus/worm developer and/or cracker can develop new malware to exploit it. The proof is in the pudding, or in this case, in the history of virus releases.

By and large I agree with the rest of your post, however the one caveat is that there are lazy sysadmins. Full disclosure of the vulnerability after MS had issued patches still didn't stop Code Red, or Nimda, as an example. Not every sysadmin routinely applies patches to their servers.
 

kamper

Diamond Member
Mar 18, 2003
I should apologize to those who have been offended by this thread (my posts in particular). I should let it be known that I go to a school whose CS department is strongly anti-Microsoft and it definitely rubs off. Picking on MS is kinda fun and, you'd have to admit, fairly easy pickings. If it makes you feel better you can truthfully pass me off as a Linux-geek wannabe who is just defensive because of Microsoft's growing success in enterprise markets.

My comment about buggy code was not meant to imply that any operating system (or any code) is bug-free. I am a software developer and I know that. It just seems like every time I read about a new vulnerability in Windows it's because of some programmer that didn't do a basic security check and that Microsoft is passing the majority of the work in fixing the problem off to admins. But the admission that patching is not a sufficient security measure is a step in the right direction, props to MS on that. My initial reaction to the linked article was that this was a large step straight back in the other direction, that's why I laughed.

So no more of this "elitist Microsoft bashing" for me, I've had my little rant.
 

n0cmonkey

Elite Member
Jun 10, 2001
Rants are good. I'm anti-Microsoft for the most part myself. I think some of the steps they are taking (XP SP2's off-by-default stance, education, etc.) are a good thing.

The OP wasn't too bad, and it sparked some conversation. And it was a little more interesting than the usual around here lately. :)
 

chsh1ca

Golden Member
Feb 17, 2003
Originally posted by: n0cmonkey
Rants are good. I'm anti-microsoft for the most part myself.
Don't forget Anti-Linux, and Anti-Solaris :)P), and Anti-MacOS, and so on...

The OP wasn't too bad, and it sparked some conversation. And it was a little more interesting than the usual around here lately. :)
Agreed. The thread subject isn't an outright flame either.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: chsh1ca
Originally posted by: n0cmonkey
Rants are good. I'm anti-microsoft for the most part myself.
Don't forget Anti-Linux, and Anti-Solaris :)P), and Anti-MacOS, and so on...

Linux I just don't get. Slowaris is kind of annoying, but I think my ultra 1e will have it installed. And I'm using Mac OS X right now (but Mac OS was horrid) ;)

The OP wasn't too bad, and it sparked some conversation. And it was a little more interesting than the usual around here lately. :)
Agreed. The thread subject isn't an outright flame either.

Yeah it was. But I think it was one of those flames that even Microsofties could chuckle about at a bar.