MS Invites Security Questions
daria42 writes "Microsoft is inviting ZDNet readers to submit security-related questions online to a team of Microsoft security gurus. Microsoft's Ben English and his team will take questions online until the 30th of May. A selection of questions and answers will be published by ZDNet starting from the 6th of June. Submit your questions starting now!"
What I asked (Score:5, Insightful)
I'm constantly struggling with rights on workstations. I know that MS
gives admin rights to all of its own users. (I live in Seattle; I've seen
it.) But I can think of no security hole larger than giving out rights
to users who *SHOULD* not need them.
There is a laundry list of applications written *by* Microsoft that do
not work properly without additional rights.
This has been true since NT 3.51. How did this happen? Upgrading to
Longhorn is not a solution. If I worked for Microsoft this would be
my first priority. Take away rights, fix existing applications.
Re:What I asked (Score:2)
Re:What I asked (Score:4, Interesting)
See Aaron Margosis' blog [msdn.com] on msdn.
A choice quote:
"My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles. Hey, y'all! We need to lead by example. People look to us for best practices, for the right way to do things. We are trying to convince the world that we are thought leaders in software and in software security. In the Unix world, they never run as root except when necessary. They "su", do what they need to do, and revert back. We are not leaders when we run as root all the time. Comrades: you need to run as "User", and your customers need to see you doing it. If you run into issues, don't add yourself back to the admins group - file a bug against the offending product. Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, "You're not setting a very good example. I am disappointed.""
So when Longhorn is released we can see if they made good on this idea, but until then, they openly agree with you and are working towards making it the standard to not run as root.
-David
Re:What I asked (Score:3, Interesting)
If this was true MS would have their *regular users* not running as administrators. The receptionists run as administrator!
I just don't see Aaron Margosis' comments as anything but lip service. Microsoft don't even try!
Re:What I asked (Score:3, Informative)
Please have your admin install the following, and then you may try to run them as a non-admin user:
* The Sims
* Mavis Beacon Teaches Typing 15
Re:What I asked (Score:2)
Corollary: (Score:3, Interesting)
Re:Corollary: (Score:5, Informative)
Re:Corollary: (Score:2)
What are "folders" in the registry, exactly? My understanding is that the registry has keys, and every key can contain other keys, an unnamed value, and multiple named values. i.e. The things that look like folders in Regedit *are* they keys, aren't they?
Re:What I asked (Score:2)
Here's the problem with that (and this is from real-world experience).
Go to 2003SBE server. Add user in "Active Directory Users and Groups".
Go to computer. Join computer to domain. Tell user to log in with their username and password, making sure that the login screen says "Log on to: SomeDomain".
Then:
User calls. They can't install office. Log onto server via terminal services, push MSI office install to user's desktop, tell them to restart. OK.
Then:
User calls. They can't install weatherbug. E
Re:What I asked (Score:2)
Simple solution - give your users some details of a *local* admin account and introduce them to the "Run As" command.
Incidentally, you're better off setting up software distribution via AD such that users can install stuff from the "Add Remove Software" Control Panel rather than pushing software out to them. They can do this without admin privileges.
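The thread's recurring point is that ordinary users should not be members of the local Administrators group, and that one-off admin tasks belong in a separate "Run As" session. As an added example (not code from any commenter), here is a PowerShell audit that reports who currently holds admin rights on a workstation and whether the running session itself is elevated. It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember; the list of expected members is an assumption to be adjusted per environment.

```powershell
# Added example, not from the thread: audit local admin rights on a workstation.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember). $Expected is a placeholder list.

function Test-SessionIsAdmin {
    # True when the current token is a member of the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    param(
        # Members that are allowed in Administrators; anything else is flagged.
        # Assumption: adjust to what your estate actually permits.
        [string[]]$Expected = @('Administrator', 'Domain Admins')
    )
    # Note: Get-LocalGroupMember can fail on orphaned SIDs; surface those rather than hide them.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Name is COMPUTER\user or DOMAIN\group; compare on the part after the backslash.
        $short = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Member     = $_.Name
            Class      = $_.ObjectClass      # User or Group
            Source     = $_.PrincipalSource  # Local, ActiveDirectory, ...
            Unexpected = $short -notin $Expected
        }
    }
}

# --- usage ---
"Current session is admin: $(Test-SessionIsAdmin)"
$report = Get-LocalAdminReport
$report | Format-Table -AutoSize
$flagged = @($report | Where-Object Unexpected)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of Administrators: {1}" -f $flagged.Count, ($flagged.Member -join ', '))
}
```

Run it in the user's normal (non-elevated) session: the first line should print False, and the table should contain only the accounts you deliberately put there. For the one-off install the comment describes, `runas /user:COMPUTER\localadmin "msiexec /i package.msi"` is the command-line form of the "Run As" option, and it leaves the user's own logon session without admin rights.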
Re:What I asked (Score:2)
I know lots of people who thought that SP2 broke stuff on their computers because it had bugs. For the most part, breaking applications was the price of enhanced security.
I generally log in as root on my linux box a
I Just Asked them the Big Question (Score:3, Insightful)
Why don't you open up your source? I have an analogy to Open and Closed source:
With closed source, you are in a room full of razor blades everywhere and you are blindfolded. With Open Source, you are in a room full of razor blades everywhere and you are NOT blindfolded, so you can see where the exit is and perhaps avoid getting too cut up.
Which is really safer, closed or open source? Would you rather be blindfolded?
Re:I Just Asked them the Big Question (Score:2, Insightful)
With Open Source, you are in a room full of razor blades and you can see, but it's really too much of a strain on you to get yourself to the exit safely. You can't possibly do it, and you might actually try to take a razor and cut someone else.
With closed source (or really, just MS) you are blindfolded because you are far too stupid to avoid getting hurt, and we really can't trust you not to use those razors to attack someone else. So we are going to hold your hand and gently lead you
My Version of M$'s reply (Score:2)
MY version of Microsoft's reply (Score:2)
Re:I Just Asked them the Big Question (Score:1, Insightful)
With closed source, you never enter the room, something breaks and is visible from the outside and you say "Microsoft, thou shalt fix this or I will take my maintenance contract elsewhere!", and then Microsoft sends its devs into the room of razor blades with their own lights to fix the problem. (Now you might debate their effectiveness, but that's another issue.)
With open source, stuff breaks, no one is there to help you and you have to visit hundreds of howto sites in or
Re:I Just Asked them the Big Question (Score:2)
Right, because RedHat, Mandrake, Mozilla and a host of other Open Source companies don't support their products at all. [/sarcasm]
Re:I Just Asked them the Big Question (Score:2, Interesting)
/. em (Score:1, Funny)
Re:/. em (Score:5, Interesting)
And it would be just as much a waste of effort. The current design of Windows is so flawed when it comes to security that if Microsoft actually listened to their customers, they would have to revamp their entire security model in the OS, breaking just about everything in Windows. Microsoft is in a very tight spot right now with their design of Windows, and anything more than lip service on their part would mean making a very hard decision to change the OS so fundamentally that it is not compatible with its predecessors, and that is something they cannot afford to do. As it stands, the security or lack of security in Windows will remain for quite some time. There are tricks they can use to minimize the damage once security has been breached. For example, upgrade the ActiveX layer to allow a 'read-only' mode for a given process wherein the first thing the web browser does when it starts up is to neuter itself. Whether you run IE as administrator or not, it's a safe bet that more harm than good can be done letting it run silently. By having IE issue a call to a one-way demotion of privileges, along with a 'this application is trying to do this. Enter your administrator password to override for this one time occasion', would vastly improve but not solve the security problems. With this simple trick, spyware infested web sites would have a much harder time installing their wares without you knowing about it. Again, it wouldn't solve that security problem, but it would greatly improve it.
Then again, maybe, yeah. We SHOULD ask them how to secure our linux boxes better. At least I'd get a kick out of the reaction from the microsoft soldiers.
Re:/. em (Score:2, Interesting)
I've yet to see a secure os and it's not from lack of effort. I've been looking for an os that doesn't suck for years.
Re:/. em (Score:2)
Re:/. em (Score:2)
The Windows security model is better than that in most unixes. What on Earth makes you think they need to redesign it from scratch ?
Re:/. em (Score:2, Funny)
Re:/. em (Score:2)
Besides, get some perspective here - Win16 was deprecated 10 - 12 years ago. OS9 was only declared dead in 2002.
Let's see how much of a priority OS9 support is for Apple ca. 2012 - 2015 before trying to make any comparisons...
Is Microsoft Windows *OS* more secure than Linux? (Score:1, Insightful)
Re:Is Microsoft Windows *OS* more secure than Linu (Score:2)
and so before I get modded as troll, I'm sure most agree it's not so much the system but the person administrating it to keep it secure.
Could the key word be... (Score:2, Insightful)
Unbiased? (Score:5, Interesting)
Re:Unbiased? (Score:5, Insightful)
However other forces within the company are sometimes (some will argue always) taking over. If the suits decide that they prefer more features over fewer bugs, or if they set impossible deadlines, good people aren't enough.
Re:Unbiased? (Score:2)
Re:Unbiased? (Score:2)
Re:Unbiased? (Score:2)
The suits control Microsoft
Psst. Don't tell anyone. But I heard it from a reliable source that the suits control all the big companies. That's why I'm wearing jeans.
Re:Unbiased? (Score:2, Troll)
Re:Unbiased? (Score:2)
Isn't the WWW full of them...? (Score:2, Insightful)
Re:Isn't the WWW full of them...? (Score:1, Interesting)
In other news... (Score:5, Funny)
Re:In other news... (Score:5, Insightful)
what doesn't get answered (Score:5, Insightful)
Maybe someone would make a list of all the questions and group all the similar ones together in order to create something like this. I guess Microsoft is feeling the heat from other vendors stating that Microsoft isn't as secure as their products.
Re:One for the list (Score:2)
Question: (Score:5, Funny)
I'm assuming you've got some excellent blackmail material on someone in HR but I'd like to know for sure.
We all know what will happen. (Score:5, Insightful)
Nothing to see here, move along.
Re:We all know what will happen. (Score:2)
Answer: Keep the monitor, keyboard and mouse. Connect them to a Mac mini and you will have a secure computer. If the PC is good enough, get another monitor, keyboard and mouse and use it to play games. Make sure this PC is NEVER connected to the Internet or any other network and it will be very safe from worms and other malware.
a slection eh ? (Score:2, Insightful)
Re:a slection eh ? (Score:1)
What's considered a security bug? (Score:5, Interesting)
For example: do you consider features that require the user to do something insecure (like run as a local administrator) in order for that feature to work a bug? Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a hostile executable) a security bug?
If you answered "Yes" to these questions, do you consider ActiveX web browser plugin support and hiding file extensions to be security bugs? How soon will a patch be available to fix these bugs? How does the timeframe from "discovery of bug" to "fix for bug" compare to your competitors average time-to-fix for security bugs?
Simple enough, really.
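The "hiding file extensions" default the question refers to is the Explorer setting HideFileExt. As an added example (not from the thread), the PowerShell below reads that setting for the current user and shows how a file name is rendered when it is on, so the double-extension case the question alludes to can be seen concretely. The sample file names are constructed; the list of executable extensions is an assumption and not exhaustive.

```powershell
# Added example, not from the thread: check the "hide extensions for known
# file types" default and show how it renders a name. Sample names are constructed.

$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-ExtensionsHidden {
    # HideFileExt = 1 (Windows default) hides the final extension of registered types; 0 shows it.
    $v = Get-ItemProperty -Path $AdvancedKey -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }   # value absent: Explorer behaves as if it were 1
    return [int]$v.HideFileExt -eq 1
}

function Get-DisplayedName {
    param(
        [string]$FileName,
        [bool]$Hidden = (Test-ExtensionsHidden)
    )
    # Assumption: the types below are all registered, so Explorer hides their extension.
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
    $real  = [IO.Path]::GetExtension($FileName)
    $shown = if ($Hidden -and $real) { [IO.Path]::GetFileNameWithoutExtension($FileName) } else { $FileName }
    [pscustomobject]@{
        FileName      = $FileName
        Displayed     = $shown
        RealExtension = $real
        # Misleading when what is displayed still looks like a document ("invoice.pdf")
        # while the real extension is executable.
        Misleading    = $Hidden -and ($real -in $executable) -and ($shown -match '\.\w+$')
    }
}

# --- usage: render the constructed samples with hiding forced on ---
$samples = 'report.docx', 'invoice.pdf.exe', 'photo.jpg.scr', 'setup.exe'
$samples | ForEach-Object { Get-DisplayedName -FileName $_ -Hidden $true } | Format-Table -AutoSize

if (Test-ExtensionsHidden) {
    Write-Warning "Explorer is hiding extensions for this user; set HideFileExt to 0 under $AdvancedKey to show them."
}
```

In the table, `invoice.pdf.exe` and `photo.jpg.scr` come out as Misleading while `setup.exe` does not, which is the distinction the question is driving at: the default does not hide that a file is an executable so much as let a second, document-like extension stand in for it.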
Re:What's considered a security bug? (Score:2)
The answer to this is clearly no, if you consider running as a local administrator an insecure operation; there are some things only a privileged user can do. Otherwise there would be no point in having a local administrator account.
Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a host
Re:What's considered a security bug? (Score:2)
How do you propose the OS detect the difference between a regular executable and a "hostile" one ?
Besides, isn't one of the major complaints about Windows the way it tries to guess what you really mean instead of what you just did ?
Beating around the bush (Score:2, Insightful)
Comment removed (Score:4, Interesting)
Re:Make the trusted sites list easier to manage? (Score:2)
Also, it might be nice to have a "trust once" button, to temporarily trust a site for a single visit.
This is rife for abuse. Remember that once you trust a site, its ActiveX can change all the rules for trust.
Sure, you run without ActiveX on, even for trusted sites. But J. Random Luser who sees the "Trust Once" option doesn't. And he doesn't realize that by trusting a site once, he's giving them the ability to take control of his computer forever.
Re:Make the trusted sites list easier to manage? (Score:2)
In a corp environment, we don't want users to be able to touch those things, and we (at least I) use vbscript/WMI to change things like that. (MicrosoftIE_Security under \root\cimv2\Applications\MicrosoftIE is where it's at). Other stuff can be accessed in the registry. Making scripts to manipulate those lists isn't hard.
Haven't used IE in so long I've almost forgot wha
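The zone assignments the commenter scripts through WMI are also readable from the registry, which is handy for auditing rather than changing them. As an added example (not the commenter's script), the PowerShell below lists every site a user or the machine has placed in the Internet Explorer "Trusted sites" zone, including entries pushed by the "Site to Zone Assignment List" policy, and flags entries written for any scheme, since those relax the zone's settings for plain http as well. The registry paths are the standard ZoneMap locations; IP ranges under the Ranges key are not covered.

```powershell
# Added example, not from the thread: audit Internet Explorer zone assignments from the registry.
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.

$ZoneName = @{ 0 = 'MyComputer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-IEZoneAssignments {
    param(
        # Per-user map, plus the machine-wide map used when "use only machine settings" is on.
        [string[]]$Roots = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Each subkey is a domain (example.com); an optional child key is a host label (www).
        # Values are named after the scheme ("http", "https" or "*") and hold the zone number.
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key   = $_
            $rel   = $key.PSPath.Substring($key.PSPath.IndexOf('Domains\') + 8)
            $parts = $rel -split '\\'
            [array]::Reverse($parts)              # "example.com\www" -> "www.example.com"
            $site  = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                if ($scheme -eq '') { continue }  # skip the unnamed default value
                [pscustomobject]@{
                    Site   = $site
                    Scheme = if ($scheme -eq '*') { 'any' } else { $scheme }
                    Zone   = $ZoneName[[int]$key.GetValue($scheme)]
                    Hive   = $root.Split(':')[0]
                }
            }
        }
    }
}

function Get-IEPolicyZoneAssignments {
    # Group Policy "Site to Zone Assignment List": value name is the site, data is the zone as a string.
    foreach ($hive in 'HKCU', 'HKLM') {
        $p = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $p)) { continue }
        $item = Get-Item $p
        foreach ($site in $item.GetValueNames()) {
            [pscustomobject]@{
                Site   = $site
                Scheme = 'policy'
                Zone   = $ZoneName[[int]$item.GetValue($site)]
                Hive   = $hive
            }
        }
    }
}

# --- usage ---
$all     = @(Get-IEZoneAssignments) + @(Get-IEPolicyZoneAssignments)
$trusted = @($all | Where-Object Zone -eq 'Trusted')
$trusted | Sort-Object Site | Format-Table -AutoSize

# An entry written with the "*" scheme extends Trusted-zone settings to http:// as well.
$loose = @($trusted | Where-Object Scheme -eq 'any')
if ($loose.Count -gt 0) {
    Write-Warning ("{0} Trusted entries also apply over plain http: {1}" -f $loose.Count, ($loose.Site -join ', '))
}
```

Policy entries appear with Scheme 'policy' because the GPO format stores one zone per site rather than per scheme; everything else comes straight from the per-user or per-machine ZoneMap, which is what a "trust once" button would have to write to.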
I have a question... (Score:2, Insightful)
2) Word association: Microsoft -> buffer overflow.
3) Do you understand the concept of "Deny All Except" or has it ever been mentioned to you?
4) Do the 1 million monkeys Douglas Adams referred to work in Redmond?
5) Why is Bill Gates such an ass?
6) Who will protect us from Microsoft?
Ok. So it was more than one question. But one wasn'
Re:I have a question... (Score:3, Funny)
Don't do it, it's a trick (Score:5, Insightful)
Time 2 Market vs Security & Fiduciary duties (Score:5, Insightful)
How can you be betraying your fiduciary responsibilities to shareholders by delaying products in the name of security, which history has proven that your corporate customers don't give a damn about anyway.
To avoid shareholder lawsuits of you not acting in what has historically been shown to be the best for your shareholders, why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held?
Re:Time 2 Market vs Security & Fiduciary dutie (Score:2)
My take on the answer: competition (linux) and changing conditions (internet) have simply changed the "sweet spot" between security and time to market.
A harsher world means getting better or dying.
Re:Time 2 Market vs Security & Fiduciary dutie (Score:2)
don't worry, be happy. (Score:3, Funny)
You ask us "How can you be betraying your fiduciary [konqueror spell check used, thank you] responsibilities to shareholders by delaying products in the name of security ... why don't you return to your security-be-damned buggy strategy and return your stock to the glorious heights it once held."
Don't worry, our future products (TM) will always be buggy. The only problem is that we are out of start-ups to screw out of mature programs because all the developers and startu
I asked (Score:5, Interesting)
The second part we can almost say that about: it would at least give them the chance to boast.
I predict we won't see an answer to either part.
Re:I asked (Score:2, Insightful)
Re:I asked (Score:2)
There's nothing lacking in the design of NT - from the start - with regards to security. It's multiuser, with a very fine grained permissions model.
It's amazing how much people go on about how important XP's SP2 was, when all it really did was twiddle a few default settings and recompile many of the core libraries to protect against
Re:I asked (Score:3, Interesting)
Re:I asked (Score:2)
Both companies have cleaned up their act, but MS still has to deal with a massive W2K installed base, and RedHat does not.
Re:I asked (Score:2)
UNIX was designed with nearly no network security. Ironically, that helped it become a much more secure OS because most of the services are so dangerous that they are now disabled. OTOH, if you do need Unix RPC, i
What the hell. (Score:3, Insightful)
Where are the real journalists asking the tough questions to the executives of MS and other tech firms? Instead they invite questions from the public where the "experts" will pick the softballs and spew on and on about how safe, secure and super-duper-keen-nifty Windows is compared to that communist Linux.
Re:What the hell. (Score:2)
Answering template (Score:5, Funny)
42
Re:Answering template (Score:2)
Benefits of Firefox and competition (Score:3, Interesting)
If you've ever been to a retirement home using Internet Explorer on a shared computer, you would laugh at how much junk computers would be loaded with.
Along came Firefox, and with it the freedom from training folks to click a million times no to a million ActiveX dialogs. Pop-ups and other forms of nastiness reduced.
All of a sudden a fire seems to have been lit under Microsoft around security and its browser.
Aside from the above listed changes, what other positive changes do you think Microsoft will introduce as a result of some competition, particularly in the browser space, but also elsewhere.
ZDNet are running a Giant MS ad on the page top! (Score:1, Offtopic)
Sheesh.
Re:ZDNet are running a Giant MS ad on the page top (Score:2)
They have it backwards (Score:5, Funny)
What I posed (Score:3, Interesting)
Quick background on Mako: http://www.microsoft-watch.com/article2/0,1995,1764087,00.asp [microsoft-watch.com]
Having previously been a contractor at Microsoft and being intimately familiar with the security setup of their online properties (Hotmail, passport, messenger, etc.) the dynamic systems protection area was one that would get the most play (and benefit) on the server side. Automagically monitoring system state and port management would be extremely useful if it was a part of the server OS.
My question... (Score:5, Interesting)
Of course, most linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...
Re:My question... (Score:2)
The shared-cache-between-threads channel can be fixed in silicon. Whether it will be fixed is quite a different question, and one which I can't answer. For some strange reason, a certain multi-billion dollar corporation doesn't want to talk to me about
My question.. (Score:2)
Slashdot Interview Questions (Score:2, Interesting)
Microsoft jokes (Score:1)
Where are the tools? (Score:3, Insightful)
By the way - HOME users need those tools, too. They would (could) go a long way to preventing zombification.
Re:Where are the tools? (Score:2)
It is possible to set user and file permissions very nicely in Win2K and XP. The problem is that many programs want to write data in places that are off limits to non-admin users. These programs then die outright or misbehave in other ungraceful manners. Most users become unhappy when their programs don't run any longer after they installed a newer version of an OS or bought a new computer. Even installing some updates causes programs to cease working
Re:Where are the tools? (Score:2)
mvps.org has a lot of the registry hacks needed to make security policy changes. So does windows registry guide [winguides.com], labmice [techtarget.com], elder geek [theeldergeek.com], and technet.
Good books to get are the XP Registry Guide [microsoft.com] and xp hacks [oreilly.com]. But the easiest thing to do is to run a copy of XP Pro [nextag.com].
XP Pro needs a pared down version of Windows 2003 Server "Security Con [slashdot.org]
Invitations? (Score:2)
Microsoft: the plan is simple and reliable -- build a new OS entirely and then write a 'legacy' VM on top of it to run the current and old stuff. You can be secure and overcome the old crap. Why aren't you doing that?
Re:Invitations? (Score:2)
Trust and Security (Score:2)
So you know as we all do that every morning Microsoft engineers are waking up, and KNOWING that these tests are totally bogus and blatantly rigged, go out and lie like crazy to their customers about what the results prove.
Even if the product is faster, at least avoid creating such crap tests. I remember the garbage J2EE benchmarking as well, and wonder wha
Strange error message: (Score:2, Funny)
How about simple best practices? (Score:2)
How can users submit bug reports? (Score:2, Interesting)
Last time I found a security bug in IE, I ended up e-mailing it to Scobleizer [weblogs.com] who thankfully picked up on it quickly. This doesn't seem like a very effective system though!
-dgr
Re:How can users submit bug reports? (Score:2, Informative)
Tattooine (Score:2)
Look at me, I go and see Star Wars, and I'm already a Trekkie!
Why such a limited audience? (Score:2)
Is security really the problem with Microsoft? (Score:2)
To me, it seems almost like discussing the problems of intellectual property in communism. There are so many other, much more important, issues about communism -- it's founded on an absurd philosophical model and a historical perspective that's outright wrong. It's pointless to be
"Microsoft security gurus" (Score:2)
What's next, a
(sigh)
make it backwards (Score:2)
given microsoft's excellent track record in security (based on documents published by microsoft,) what does the open source community need to emulate the good practices of microsoft?
given that microsoft does not disclose security flaws in its product to protect the users from malicious attacks reaching them before patches are made, how will the oss community improve on its disclosure rules and prevention of possible news regarding security flaws?
you get my point. just make t
Re:does this apply to online (hotmail?) (Score:5, Funny)
And really, who the hell would want an email address with "ShinyFeet" in it?
Re:does this apply to online (hotmail?) (Score:1)
I guess millions? dunno, but I remember everyone saying that about yahoo and others thinking hotmail was perverted sounding.
Re:I question the "guru" title (Score:2, Funny)
The same reason Linus and hundreds of other people still do patches to Linux. No software is truly finished and secure. Not even Hello World. There's a really nasty buffer overflow in that one. I don't even know why people still use it.
Re:When will a secure version of IE for the Mac ex (Score:2)