Published by Kerry Brown on 21st October 2009
Filed Under: Rain, Security
A while back I wrote a blog post comparing computer security to walking in the rain. This morning it was raining pretty hard during my morning walk. It wasn’t raining quite as hard as when I wrote the previous post but west coasters know what “raining pretty hard” means. For the rest of you, it was raining as hard as you’ll probably ever experience unless you live in a rain forest. For some reason I decided not to use the same gear as in the blog post. I had the Halti jacket and Tilley hat on. I didn’t take an umbrella, wear gloves, or wear rain pants. I ignored my own advice from this blog post about security being a marathon where we can never relax. In half a block my pants were soaked through. A few minutes later my hands were cold. I had to cut my usual walk in half because I was getting cold and wet. Computer security is similar. Use the appropriate tools. Don’t take shortcuts. Never relax or get complacent.
Published by Kerry Brown on 8th July 2009
Windows 7 is about to hit the RTM milestone any day now. I’ve been playing with it since the public beta release last fall. I like it. As soon as it hits RTM I plan to install it on both my laptop and desktop. I’ll only run Vista in virtual machines for testing. That said, I can’t believe all the hyperbole about Windows 7. Yes, it has some nice new features but come on people, it’s really not that different from Vista. The vast echo chamber of the blogosphere which dissed Vista is praising Windows 7 like it’s the second coming. I’ve been trying to analyse why.
Resistance to change and resistance to admitting you may be wrong is my best guess. Vista was a huge change from XP. I was in on the beta testing of Vista quite early. It was still called Longhorn. I knew immediately there was going to be a lot of resistance. It was actually reasonably secure and forced users and programmers into a better security model. Anyone remotely interested in security knows that increased security always means increased inconvenience. How often did we hear new Vista users saying things like “I’m the administrator dammit. I can look after my security myself.” Well you know what? 99.9% of us can’t. If you’re running XP it’s probably impossible. Amongst other things I enjoy figuring out how malware works. I don’t make much money at it but I remove malware for customers when I have time. I do this so I can see real world infections and figure out how the malware works. I see malware all the time on the computers of network administrators and highly sophisticated users. You want to know why this is? It’s because they run an insecure OS as administrator all the time. The programs they use expect to have administrator rights. The services and drivers running in the background have carte blanche to do whatever they want. XP is a security nightmare people became used to. There was no way to fix it, thus Vista came into being. Vista, while mitigating a lot of the problems, forced everyone to change their habits in a way that wasn’t convenient. More importantly it took a while to figure out these changes. It took even longer for a moderately competent geek to figure out new ways to bend the OS to their will. Couple this with the fact that Vista required significantly more hardware than XP and it was a recipe for disaster. This caused much angst and bad press in the blogosphere. This angst was endlessly echoed until it was the “truth” that Vista was flawed. Once this “truth” was out there it was impossible for any blogger to argue against it.
There is still no better way to get click throughs than by writing a blog that disses Vista and links to other blogs as proof. Many of the bloggers and experts over time learned that this “truth” wasn’t really true. They were afraid to say anything for fear of admitting they’d been wrong. Along comes Windows 7. It has a few cool new features. The UI has been tweaked a bit. It’s been highly optimized to appear faster to the user. Most people now have hardware capable of running Vista. Windows 7 runs great on this hardware. More importantly all the bloggers and moderately competent geeks can get up to speed very quickly as they already climbed the learning curve with Vista and it’s not Vista. They don’t have to admit they were wrong in order to say they like it. It’s a recipe for good press in the blogosphere.
Don’t get me wrong. I really like Windows 7. Some of the new features are really cool. The new taskbar is a huge improvement. Aero Peek has become indispensable. The UI really is more intuitive most of the time. There are a few things I don’t like. The libraries feature is a great idea that isn’t fully implemented. It has tremendous potential but as it is implemented in Windows 7 it doesn’t work for me. The Homegroup networking feature is a security problem. It makes it very hard to share one folder in your profile. If you share a folder in your profile the whole \USERS tree is automatically shared. I had a good discussion about this with someone from Microsoft and in the end we agreed to disagree. He said the default ACLs and Access Based Enumeration locked down the folders well enough for home use. I felt they didn’t, especially for a very small business, many of which run the Home version of Windows.
So what’s my conclusion? I’m somewhat grumpy about the fact that Vista will go down in history as Windows Me the second. The blogosphere is praising Windows 7 which will cause a lot of people to finally move away from XP. That’s a very good thing. The Internet will be a better place.
Published by Kerry Brown on 3rd March 2009
I’m at the 2009 Microsoft MVP Summit. Around 2000 MVPs descend on Microsoft’s Redmond Campus for four days of sessions with various product teams. The sessions include a lot of two-way feedback, which can be brutal from both sides. It’s a lot of fun. Today I went to several security sessions. I got to hear Steve Riley talk and then answer questions from an audience that included Jesper Johansson. It was amazing. At one session Ziv Mador and Steve Adegbite were talking about the Conficker worm and Microsoft’s response to the vulnerability the worm initially used to spread itself. It was fascinating to hear the process they went through to identify the vulnerability and patch it, then have to wait and see the exploits developed when the bad guys reverse engineer the patch. During the session Steve Adegbite said something that really resonated with me. He said “Security is like a never ending marathon.” I think that is one of the best statements I’ve heard regarding security. Security is hard work. You have to give it 100% all the time. There are no shortcuts. You will never be finished. To some that sounds depressing. Steve Adegbite said it was a challenge he and his team relished. I got the sense that almost everyone in the room agreed. I realised I was sitting in a room full of the cream of the crop in the Windows security world. It was fun hobnobbing with the cream of the crop. Thank you Microsoft.