Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Microsoft IT Technology

New Developments From Microsoft Research 206

prostoalex writes "Information Week magazine runs a brief report from Microsoft Research, showcasing some of the new technologies the company's research division is working on. Among them — a rootkit that eliminates other rootkits, a firewall that blocks the traffic exploiting published vulnerabilities, a system for catching lost e-mail, a honeypot targeted at discovering zero-day exploits, and some anti-phishing applications."
This discussion has been archived. No new comments can be posted.

New Developments From Microsoft Research

Comments Filter:
  • rootkit wars (Score:5, Insightful)

    by Toby The Economist ( 811138 ) on Monday December 11, 2006 @03:32AM (#17191878)
    > a rootkit that eliminates other rootkits

    Well, there goes kernel stability.

    I'm really not sure I want a future Norton RootKit Protector installing itself, bugs and all, into my kernel.

    • by HillBilly ( 120575 ) on Monday December 11, 2006 @03:35AM (#17191894)
      Aww, how could you not trust norton? It slows the fast changing internet world down to much better pace! ;)
      • Re: (Score:3, Funny)

        Aww, how could you not trust norton? It slows the fast changing internet world down to much better pace! ;)

        It not only creates a seniorweb(tm) as you stated, it's also a security strategy to slow down your PC and use all available memory so you are physically unable to install malware.

        Due to Moores law, Norton is required to double the memory and processor use in the same rate processors evolve, by adding *more features*.

        I think they've taken the most logical course to build in this security strategy right

    • by QuantumG ( 50515 ) * <qg@biodome.org> on Monday December 11, 2006 @03:36AM (#17191902) Homepage Journal
      no, no, no, it's much worse than you think. These rootkits are based on virtualization, they install themselves below the kernel. The kernel runs on these rootkits.
      • Re:rootkit wars (Score:5, Insightful)

        by Bjarke Roune ( 107212 ) on Monday December 11, 2006 @05:02AM (#17192318) Homepage
        Why is this modded funny? One of the hardest kind of rootkits to detect is ones based on virtualization, and they indeed do run under the kernel, tricking the kernel to believe that the kernel is running on actual hardware when in fact it is running on virtual hardware generated by the rootkit. I do not know if there are any actual, malicious rootkits out there doing this, but they could do it, and it would be very hard to get rid of such a rootkit if it was done properly.
        • Re: (Score:3, Interesting)

          by EvilGrin666 ( 457869 )
          Well there is Blue Pill [wikipedia.org]. However there is some doubt within certain circles as to it's existence. Plus, even if it does exist and work as the author claims it to, it's only a proof of concept piece of malware.
    • Daffy Duck: Don't worry, I've got jutht the tholution! Acme Practical Joke Kit #98052, 'The Root-Kit Rooting Root Kit'. Guaranteed to work!

  • It is good to see (Score:4, Interesting)

    by Sinryc ( 834433 ) on Monday December 11, 2006 @03:32AM (#17191882)
    It really is good to see that Microsoft is trying to do some good things. I mean they ARE the huge company that they are, so it really is good to see that they are trying to do things better. However, a rootkit to change a rootkit does not sound like a good idea... But a firewall like they are talking about does seem pretty interesting. I hope to see good stuff come out. As a Windows user, this is good news for me.
    • Microsoft is re-inventing "intrusion detection" and "packet analysis". Save yourself some stress and deploy Snort today.
      http://www.snort.org/ [snort.org]
      • by leuk_he ( 194174 )
        snort is exploit specific. Vulnaribilty specific is just a bit different. Actually this is promosing as it would solve the probelm of updaing 1001 desktop and just apply a patch to the firewall to get filtering.

        On the other hand there is "SureMail" --> since it is some extension to reader verification will will require end to end (ALL MS i bet) support. So it will only work between 2 exchange servers. Spammers will have a field days since it verifies the email addresses that are actually read.
        • by richlv ( 778496 )
          "Actually this is promosing as it would solve the probelm of updaing 1001 desktop and just apply a patch to the firewall to get filtering." ...because never ever can anything bad get through or around a firewall. never. really.
          oh, well. actually this would be kinda funny to see single laptop or some weirdly encoded exploit take down whole network using half a year old exploit ;)

          btw, how would exploit vs vulnerability ids approaches differ ?
          you can have all kinds of signatures for snort (and most other ids s
  • by Anonymous Coward
    a rootkit that eliminates other rootkits

    Yes, but what about rootkits that eliminate rootkits that eliminate other rootkits? Muhahaha
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday December 11, 2006 @03:35AM (#17191896)
    SureMail Microsoft researchers Sharad Agarwal and Venkat Padmanabhan determined that about 1% of all e-mails get lost in e-mail systems. SureMail is a proposed system in which the e-mail client detects when an e-mail has been sent to a recipient's account and alerts that recipient when an e-mail fails to make it to his or her in-box. SureMail would indicate the e-mail's sender but not disclose the missing message's contents.

    How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.

    Why not, instead, spend the time and money finding the real problem in your email system and fixing that? I handle about 1,500 in-bound messages a day. By their calculations, I should be losing 15 or so, every day. Yet that does not seem to be happening.
    • Why not do both?
      • Why not do both?

        If you fix the problem of "lost" emails, then why run a system to find alert people to email that is not lost any more?

        If your system is unreliable, adding complexity usually does not make it more reliable. You need to fix the problem at the lowest level possible.

        Since this is Microsoft, they're probably referring to Exchange/Outlook. Exchange is mostly database driven now. If you're losing messages in your database, having someone re-send them is NOT the approach you want to take.

        You have w

        • I was more speaking from a layman point of view: figuring that if you could have 2 systems to stop e-mails being lost which don't interfere with each other then you double your fun, so to speak.

          If what you say is true and it might make the problem worse, then I can see where you're coming from :)
    • by dattaway ( 3088 ) on Monday December 11, 2006 @03:43AM (#17191958) Homepage Journal
      How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.

      You don't understand. Microsoft's email servers are more personal than BSD or Linux. Each email is hand scanned and routed. Each packet is individually inspected and if something is wrong, its routed to the appropriate supervisor. There's lots of checks and procedures. This is why Microsoft's mail servers have a more friendly user interface. You get what you pay for.
      • Re: (Score:3, Funny)

        by Hurricane78 ( 562437 )

        Yes sir! [orangecow.org] We use only the finest baby libraries, softely coded and flown from Iraq, cleansed in finest quality norton scanners, lightly killed, and then sealed in a succulent DRM quintuple secure treble virtualized rootkit envelope and lovingly compiled with visual basic.

        Steve Milton Ballmer
        CEO, Microsoft-Whizzo Corp.

    • by hachete ( 473378 )

      How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.
       
      You've never used Notesmail ...

    • by tero ( 39203 )
      Quite right.

      People like claiming "I never got that e-mail" or "It must have gotten lost somewhere in the system" becase it's a easy way to get them off the hook. It's a bit like "I was writing a document yesterday and now it's gone!" (it's saved in their My Documents, they just never bothered to look). Or "My dog ate my homework".

      They just probably managed to delete it without noticing or happened to filter it into some strange folder where they never check or something similarly idiotic. Problem between ch
      • by dbIII ( 701233 )

        People like claiming "I never got that e-mail" or "It must have gotten lost somewhere in the system" becase it's a easy way to get them off the hook.

        I waste a couple of hours a month humoring impatient people by checking if a reply has somehow got lost in spam filters or elsewhere. It really doesn't take very long for each server but it is easier to walk up and hassle the network guy than it is to pick up the phone and get an answer out of people that do not reply rapidly to emails - so I get this a lot.

        • by richlv ( 778496 )
          "...and quite a lot of that is people wondering why there is no reply to a joke or chain letter."

          hey, this time you did not tell me to fsck off ! and you did not threaten to kick me in the nuts if i ever send you another chainletter ! are you allright ?
          there really are people who expect to get an answer to every dumb, 10 years old joke or worse - chainletter (i man a response that is not offensive) ?
      • Quite right.

        People like claiming "I never got that e-mail" or "It must have gotten lost somewhere in the system" becase it's a easy way to get them off the hook. It's a bit like "I was writing a document yesterday and now it's gone!" (it's saved in their My Documents, they just never bothered to look). Or "My dog ate my homework".


        Well, not really. Were you in on this conversation [slashdot.org]? I think that counts as a lot of lost mail.
    • Presumably, this loss of email problem is specific to Exchange servers and clients. There are well known longstanding bugs in Microsoft's mail systems which can cause message event notifications to be lost when the servers are overtaxed, so 1% doesn't seem outlandish.

      For example, the design of Exchange has a ridiculously low limit on the total number of simultaneous RPC calls, but the whole system is built on COM and makes RPC calls like crazy, so when you have lots of threads and open messages and client

    • Re: (Score:3, Funny)

      by Dunbal ( 464142 )
      How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.

            Don't worry. I'm sure that if you ask nicely, the NSA/Homeland Security will give you a copy of your email.
    • How the fuck does email get "lost"?

      I don't know the reasons, but it does happen [slashdot.org].

      I handle about 1,500 in-bound messages a day. By their calculations, I should be losing 15 or so, every day.

      If the errors were evenly distributed, then yes you should. Therefore they aren't evenly distributed. That is unsurprising, such things seldom are.
      e.g. Car crashes happen more often at intersections.
  • And I thought the kernel was the thing which eliminated all the rootkits.

  • Hacks (Score:5, Funny)

    by Simon80 ( 874052 ) on Monday December 11, 2006 @03:37AM (#17191910)

    a rootkit that eliminates other rootkits
    This just in: Microsoft team A resorts to rooting Windows in order to fix the problems introduced by some 21 man team B somewhere else in the company that they can't get in touch with.
    • Re: (Score:3, Insightful)

      by rucs_hack ( 784150 )
      excellent, this will amount to a microsoft tutorial for hackers on how to deploy their stuff whilst simultaniously removing those from competing groups....
  • Install your OS, drivers, patches and apps all at once. Back it up via dd in Linux, or use Norton Ghost.

    IMO that trumps the "rootkit" solution.
    • Re: (Score:2, Insightful)

      by Zwaxy ( 447665 )
      OK, so you've got a clean image saved somewhere. Now what?

      How do you detect whether you've been infected, when all you have is an image of an NTFS filesystem?

      And once you are infected, how do you clean up without losing all your user files?
      • Re: (Score:2, Interesting)

        by WWWWolf ( 2428 )

        How do you detect whether you've been infected, when all you have is an image of an NTFS filesystem?

        You make an image of filesystem that consists of out-of-the-box software that is known to be clean. If that's not clean, repeat from the start and keep both eyes open.

        If you still want to check it, you can always mount the image as a local filesystem and use whatever tools you want to check it: mount -t ntfs /data/user-hd-image.img /mnt/loop -o loop,ro and bigassvirusandrootkittest --verbose /mnt/loop =

  • by sentientbrendan ( 316150 ) on Monday December 11, 2006 @03:40AM (#17191938)
    They've put out quite a few interesting experimental languages for the .NET platform.

    In particular f# (ocaml with .NETified classes) looks pretty cool.

    Can anyone in the know comment on how doing research for a company like microsoft compares to doing CS research at a university? I'd imagine the pay would be somewhat better, but are there other tradeoffs like reduced freedom?
    • Re: (Score:3, Interesting)

      Working for MS means more money, more variety in the work you do, better offices, better facilities, better training, better career prospects.

      Don't think doing CS research at uni is like a cross between having a job and being a student, because unless you are very lucky, it isn't, it fucking sucks. Its the worst of both worlds, the shittiness of it all has sucked the life and enthusiasm out of at least three of my friends.
    • are there other tradeoffs

      Yes, you have to align yourself with a company which is actively trying to destroy Free Software. Think about that.

  • > a rootkit that eliminates other rootkits

    So being evil installing rootkits is not enough?

    One rootkit to rule them all! :P
  • You can't solve the problem of malicious rootkits by fighting it with other rootkits. There is always going to be someone smarter out there that will defeat it. The solution will involve finding the root cause of people creating rootkits. Why do people release these types of malware in the first place?
    • Re: (Score:3, Funny)

      by Duds ( 100634 ) *
      Then they'll just come back with a bigger rootkit and eventually a rootkit so big it'll destroy us all.
      • by Dunbal ( 464142 )
        eventually a rootkit so big it'll destroy us all.

              Yes. We will all be crushed under the giant, chair-throwing rootkit.
    • Malware that exploits insecure systems exists because the level of security the median consumer is prepared to pay for is lower than the level of security the top black hats can easily penetrate.
  • I hope (not really) this research goes better then the trilion dollars they invested in MSN Search only to loose even more market share...
  • From what I know of the Microsoft research, is that it is patent fishing net so that in the future they can sell/control techologies. Basically covering future turf, so that they can control cash flows and maybe make some money on top of it selling the patents. Control in such way if fooling company developing their product would have some nice feature that will partly infringe on the patent. Then microsoft can hurt the company and tell it what to do. And tech is developed far enough to have an idea for pat
  • by Anonymous Coward on Monday December 11, 2006 @04:25AM (#17192148)
    a rootkit that eliminates other rootkits

    There appears to be no legitimate purpose to such research.

    1. A rootkit that eliminates other rootkits can probably also be eliminated, so this research does not really solve a problem.
    2. Rather than perfecting a rootkit, they should be working towards making a rootkit an impossibility in their OS.
    3. If you can write a rootkit, eliminating other rootkits does not appear to be that large of a challenge in the first place.
    4. If you want to eliminate a rootkit, reinstalling the OS seems like a better idea.
    5. There are countless illicit uses of such software.

    Are they developing this rootkit in an effort to develop new security for their OS? I don't get it.

    • by EvanED ( 569694 ) <evaned.gmail@com> on Monday December 11, 2006 @04:56AM (#17192284)
      The article is misleading if not outright wrong; GhostBuster isn't a rootkit itself, it's just a rootkit detection thing very similar to RootkitRevealer. (GhostBuster came first and is more complete.)

      It's closer to anti-virus than it is to a rootkit itself, though the similarities there don't go very far either. (AVs almost universally work by signature matching; GB works by comparing registry entries and files against each other by multiple means of acquiring that information in order to find the symptoms of having a rootkit -- missing information. This assumes that the rootkit is imperfect in hiding. For instance, this will do a scan of the registry through the standard API calls. But then it will parse the registry hives that are on disk. The assumption is that the rootkit is going to hook the API calls. Hooking the I/O calls is rather more difficult, and it's impossible if you can do a clean boot. (One of the options is to do a diff of a hot scan vs. a known good scan done from a Windows PE boot.) There are still things that rootkit authors can do though, specifically NOT hide from GB itself. IN the case of RootkitRevealer, this has actually turned into a mini-arms race of itself. Rootkits started not hiding from rreveal.exe or whatever it's called (so that it wouldn't detect diffs), so RootkitRevealer started randomly renaming itself each time it runs. The state of the art on the black hat side is to carry a signature of RootkitRevealer-like programs and do pattern matching in very much the same way that AV does pattern matching to find viruses.)

      2. Rather than perfecting a rootkit, they should be working towards making a rootkit an impossibility in their OS.

      If you can run drivers in kernel mode, you can run a rootkit. (Unless you can statically prove everything you let run in kernel space is safe... this may or may not be possible. For what it's worth, my current research is related to model checking drivers.)
  • Invisible processes battling each other for CPU, RAM, disk space and Internet bandwidth resources. And all I want to do is send some resumes, check the news and email and browse some sites. Ubuntu just got a much larger partition. Screw this crap, seriously.
  • by YeeHaW_Jelte ( 451855 ) on Monday December 11, 2006 @04:31AM (#17192184) Homepage
    If this is microsoft innovation, it's not very innovative. All these 'technologies' are basically extra layers of software to fix the bugs in the first layers ... be it security (phishing stuff, adaptive firewalls, etc etc) or losing emails ... which should not happen anyway and we already have basically the same technique they're developing in the mail protocol, namely confirming a received email.
    • Ghostbuster, a rootkit detecting rootkit.
      great... now we need the bad-guys to do a rootkit-detecting-rootkit-detecting rootkit,

      Shield, a protective technology that is "is vulnerability-specific, not exploit-specific,"
      'cos that's _SO_ much easier than fixing the vulnerability in the first place....

      Suremail, helping notify when the expected 1% of mail is lost
      ROTFL!!!

      Vegelante, see Shield. Fix the problem, not the symptom!

      XFIm Wow, that sounds just like a Java Sandpit!

      I am _so_ impressed!
    • If all these technologies are all MS is working on, it would be a very bad idea. However, if they are working on this stuff in addition to fixing existing technologies, this is very good. What they are doing is called defense in depth [wikipedia.org], and it can be a very good thing:

      Defence in depth may mean an engineering solution which emphasizes redundancy - a system that keeps working even when a single component fails - over attempts to design components that will not fail in the first place. For example, an aircraft

  • by Opportunist ( 166417 ) on Monday December 11, 2006 @04:42AM (#17192228)
    Lemme get this straight. A company is working on a rootkit for their own OS. Now, it could be me, but if I didn't sleep through OS programming, as the maker of the OS I already have total control over everything in it (provided my user allows me to have it, which is pretty much a given with MS OSs). Why do I need a rootkit?

    Not to mention that Vista was trumped to be the most secure, un-hackable system ever. How do you install a rootkit on it? I thought it is impossible (spare your corrections, I know it is possible no matter what. I just want to get an answer from the guys that keep telling me it is impossible to rootkit Vista).

    So we're now at the "who gets deeper into the system" war. Because one thing is a given, 3 days after the MS rootkit to destroy other rootkits, the rootkit to destroy the MS rootkit is rolling out. Then it's a month 'til patchday and... you know the drill, we already live it.

    There is no technical solution to social problems. As long as people are dumb enough to click everything offered to them while they're running on admin or root privileges, those things will exist and they will work. Now, with Vista finally trying to run on low privileges, the social engineering part will become bigger to get the user to grant more privileges when necessary for the bug to survive, but since pretty much EVERY program will need those for installation, people will hand out those privileges like freebies, because it's customary that a new program needs them.
    • Re: (Score:2, Informative)

      by EvanED ( 569694 )
      I already have total control over everything in it (provided my user allows me to have it, which is pretty much a given with MS OSs). Why do I need a rootkit?

      You don't. It's poor reporting. GhostBuster isn't a rootkit; it's just a rootkit detection program. (Or set of programs.)
      • And quite an elegant one which eschews signatures in favor of detecting something that every rootkit simply has to do.

        It also got publicized quite some time ago, so I wonder why we're hearing about it now as though it were something new.

        Basically you run some deliberately naive system scan , easily fooled by a rootkit, and compare the results to the same scan run from a live CD. If a rootkit is hiding something then the two are different.

        I can imagine ways a rootkit could avoid this but none are easy:
        o Dete
  • Sounds like good old fashioned down and dirty engineering/development to me.

    I know they're also doing research work at Microsoft research, but this sure ain't it.
  • by C0deJunkie ( 309293 ) on Monday December 11, 2006 @05:16AM (#17192370) Homepage Journal
    Microsoft Research is developing technology for finding rootkits by using their own deceptive behavior against them. Known as GhostBuster, it relies on analyzing and comparing system information at both a high level--from a Win32 API, for example--and a low level--such as the raw disk information. Any difference in the two views--for example, the low-level view indicating a file not present in the high-level view--makes a compelling case that a rootkit is trying to hide.

    Simply not true!
    I mean, since it is the Exact description of how RootkitRevealer works, I suppose (I'm sure) that it is the same product. For those who do not know,Microsoft acquired sysinternals (maker of RootkitRevealer) a few months ago.
    • Ghostbuster was described, tested, and PUBLISHED first. After Ghostbuster got /.ed the first time, Sysinternals came out with Rootkit Revealer in less then a week (the Sysinternals guys are GOOD, and Microsoft wasn't releasing Ghostbuster due to internal political issues.) THe big difference: Ghostbuster does a high/low scan with low being a "reboot to trusted media". Rootkit Revealer just uses two different APIs to do the high/low scan, as the SysInternals guys are part of the very few people who truely
      • by rs232 ( 849320 )
        I hadn't realised that Rootkit Revealer was copied from Ghostbuster and written in only a week to boot. Makes you wonder why MS went to the bother of buying Sysinternals. But didn't similar functionality exist previously in Tripwire [tripwire.com].
        • by nweaver ( 113078 )
          They bought Sysinternals as a way of buying the services of the two founders, who in many ways know more than Microsoft does on how Windows works on the inside, especially the registry. The guys are so good that when they saw the simple idea ("High/Low scan, look for differences"), they were abel to code it up very quickly because they already had the tools for very low level access to the registry. Hiring the sysinternals guys by buying the company is probably one of the smartest things Microsoft has d
  • ...a honeypot targeted at discovering zero-day exploits...

    So, would this Microsoft research project violate some Super DMCA laws? For example, in Illinois, we have Public Act 92-728 [ilga.gov], which is the Illinois Super DMCA. This act was responsible for "killing" the LaBrea Tarpit software package.

    Since IANAL, I will quote the writeup from the LaBrea website [hackbusters.net]:

    This section of the Illinois Criminal Code was added on January 1, 2003 by Public Act 92-728 and defines an "unlawful communication device" as "any communica

  • by Opportunist ( 166417 ) on Monday December 11, 2006 @05:19AM (#17192380)
    The "classic" honeypot is pretty much dead. Nobody uses a 0day against a random machine anymore. At the very least, one tries to avoid certain IPs and IP Ranges that are known to host pots. Whether MS wants to believe it or not, those lists exist. One of my pots has been discovered a while ago and on that machine, I've never had any detections since, except a few scriptkids that don't count.

    Even "detecting" pots that simulate a user's behaviour and look actively for forged sites and such are getting out of usefulness, since a lot of distributors already start hardening their attacks against aggressive farming. Or they require you to go through very detailed steps that a bot cannot reproduce. I've recently had my first captcha-protected exploit (was a porn site, and what user wouldn't solve a captcha to get his pic when he surfed there just for that in the first place?).

    Forget honeypots. Unless you put a human behind that VM it's running on. Automated pots are becoming less and less useful with attackers becoming more and more aware of them. Especially you can dump any kind of "honeypot kit", they are known and their quirks are tested painstakingly before an attack takes place.
    • Re: (Score:3, Interesting)

      avoid certain IPs and IP Ranges that are known to host pots ... those lists exist.

      Cool. How can I get my machine on those lists?

      Seriously, this means that an IP range can be "poisoned" by hosting honeypots amid the the real machines in it. And if not, you don't lose either - you have a working honeypot.
      • It's not that easy. It's also not "poisoned" in the way that they steer clear of those ranges altogether. They're just more wary and careful when they touch those waters. I don't want to go into detail, but it doesn't help at all to "poison" an IP range that is known to belong to a large ISP with a big consumer customer base. The chance to catch a machine that's wide open is pretty good, the chance to hit a (professional) pot is rather slim. So if you want to put up a pot, put it in an IP range that is used
  • I'm waiting for Microsoft Research to come up with an elegant component architecture that encourages code reuse, reliability and portability with a simple interface that allows even novice users to write simple programs, and where the focus is on data in human readable format with simple input and output formats, and where everything is considered a tool, and there's lots and lots of them.

    Oh, wait [wikipedia.org] ...

    Seriously, can someone point to something tangible and put into use that's come out of Microsoft Researc

  • Simple automatically generate new rootkits to download on every windows machine, every 24/hours, using an exploit generator to generate the different rootkits, or just pay hackers to create the rootkit while selling the subscription for the anti-rootkit rootkit.

    I can see where this is going.
  • Can we boot to the rootkit and eliminate the layers of bloatware like IE and Outlook? Something like the old DDT shell in ITS - the debugger was the shell, eliminating the overhead of a shell. If we could boot to the rootkit, and just run the applications we needed, a lot of the overhead of Windows could probably be eliminated. All those things in the task list you have no idea what they are, like NMSSvc.exe, and the registry...
  • by krelian ( 525362 )
    This is the most interesting project IMO, but will probably never see the light of day. From the Wikipedia article [wikipedia.org]

    Singularity is a Microsoft Research project started in 2003 to build a highly-dependable operating system in which the kernel, device driver, and applications are all written in managed code. The lowest-level x86 interrupt dispatch code is written in assembly language and C. Once this code has done its job, it calls the kernel, whose runtime and garbage collector are written in C# and run in

  • - that cracked me up : one rootkit to bring delete them all, and in the darknes bind them
  • this is microsoft innovation in action... coming up with tech to fix the symptoms instead of actually fixing the problem...
  • "a rootkit that eliminates other rootkits"

    Make OS that can't be rootkited.

    "a firewall that blocks the traffic exploiting published vulnerabilities"

    Sounds like an application level firewall.

    "a system for catching lost e-mail"

    Make an email system that don't lose emails.

    "a honeypot targeted at discovering zero-day exploits"

    Make an OS that fails safe in the presence of zero-day exploits.

    "some anti-phishing applications"

    Make an online identity system that can't be phished.
  • One rootkit (Score:2, Funny)

    by BarFly143 ( 725933 )
    One rootkit to rule them all, one rootkit to find them. One rootkit to bring them all and in the kernel bind them.
  • It's interesting that Microsoft seems to be mostly focused on reactive security measures rather than proactive ones. It's true that they are adding some proactive security to Vista, like making some services run with lower privileges than they had in the past but, still, most of the stuff they are talking about has to do with identifying a threat and then blocking it.
  • >a user's Web browser would identify passwords and other sensitive information when keyed into HTML forms on Web pages. When those passwords are in- put into a new site, that incident would be reported to a server. If the server detects an unusual number of logons to the new site, it could send out a signal that the site should be investigated for a phishing scam.

    Why compromise people's surfing privacy to get a delayed warning that you should start an investigation of a phishing site that will be gone in

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...