April 4, 2007 - Volume 2, #56
Good Morning:
Why doesn't Microsoft have fanboys? Or Cisco? Or Oracle? Or SAP? You know, those folks that follow everything that Apple does. Or RIMM. Folks that set up websites, like they are cheering for Britney Spears or something. "Ooooh, what did Steve wear at that keynote." "He changed his glasses. Aaaaah." You seriously have folks that talk about this stuff. Not sure if you folks watch American Idol here in the States, but do you remember that little girl from a few weeks ago that was just sobbing in the presence of Sanjaya (that joke)? They kept putting this girl on camera and it was kind of funny, but in a sad kind of way.
That's what fanboys are like. They can't contain their enthusiasm and if they ever got to be in the presence of someone like Steve Jobs, my bet is that they sob like that little girl on Idol.
But that's not what I want to rant about today. Microsoft (or any of the other huge technology shops) doesn't have fanboys because they elicit no passion in their user community. Their software is utilitarian, useful (most of the time), and doesn't really change anyone's perception of how things should work. Love them or hate them, Apple does that all the time. RIMM does it too. That's the secret folks. It's all about passion. If you can't elicit passion from your customer base, then you better hope you either have a monopoly position in something or you buy every company that could potentially compete with you.
It was George Ou's post (here [1]) on Microsoft's issues patching the ANI (friggin' cursor) hole that originated this line of thinking. But what occurred to me is that Microsoft is truly in a no-win situation. Even if you look at Microsoft's account of the process to fix ANI (here [2]), it'll never be good enough. Not only does Microsoft have no fanboys to defend them against this chatter, but the industry also has totally unrealistic expectations relative to how quickly they can get things done without breaking everything.
What's even worse is that they have decided to go with a level of transparency that you will likely never see from the likes of Apple, Oracle, Cisco or anyone else, relative to how their security process actually works. While everyone wants to beat down Microsoft (Seltzer adds his two Passover cents here [3]), I'm going to be a bit contrarian on this one.
I'm all in with Rob Graham of Errata (here [4]), who provides a bit of an explanation regarding why it took Microsoft over 3 months to fix this problem. Great post Rob. He paints a realistic pro and con of this situation and actually has some suggestions for how to make it better.
And at the risk of raising the ire of fanboys everywhere, let me send an atta-boy over to Microsoft. Maybe not on the ANI issue, but you can't hit a home run in every at-bat. Kudos for fixing your process in general. For seeing a real danger and accelerating the patching process to keep customers safe. You've set the bar to a place that other vendors with your resources and attack surface probably won't get to. Ever. It'll never be good enough for the Redmond-haters out there, but given where things were 5 years ago - even getting this done in 3 months is great progress. It's too bad everyone has such short memories.
Have a great day and if you happen to be in the Milwaukee area, I'll be there next week. Come visit. Details here [4].
Technorati: Information Security [5], CSO [6]
[7] | The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8] |
Top Security News
here [9]). My position is that first you need to figure out if the private data should even be on that laptop. Think data first. If there is a legitimate business reason, then it doesn't much matter to me how the data is protected. Something with a central management capability is interesting in that you add the ability to enforce central policies and audit on whether they are in use. But as long as the data is protected, it's all good.
Link to this [9]
here [10]) kind of made me laugh. Yes, rootkits are still a problem. Yes, more and more machines are being compromised with rootkits daily. Yes, they are still very hard to detect and even harder to clean. The problem is perception. Rootkits tend to be just part of the package. It's not exciting anymore, but the risk continues to be real. Rootkits are also at the heart of the zombie issue, since that is the technology usually deployed to hide the malicious bot activity from the machine's defenses. Kevin Beaver goes through how to detect bots in this piece (here [11]). A lot of these functions are included in the "assurance" part (Step 10) of the Pragmatic CSO methodology. And if you find something wrong, save yourself some time and just re-image the machine. You are keeping data on a separate partition, right? You've got a standard build image, right?
Link to this [11]
here [12]). This one, sponsored by the folks at Tumbleweed, states what we already know. Most companies are spending money to keep spam, phishing and other inbound attacks at bay and not really focusing on outbound email data leakage. Firstly, this is a very email centric view. Doing leak prevention (and subsequent message encryption) on just email is not enough. The auditors aren't interested in stopping a portion of the data leaks. You also have a standard, early market where leadership is being established, technology is maturing, and there haven't been enough public train wrecks based on leaky data to create a buying catalyst. It'll happen and I suspect a majority of the customers out there will opt for a broader solution rather than just a bolt-on to their email gateway.
Link to this [12]
The Laundry List
Stats #1 - Fortinet talks about the top threats in March. I don't see stupidity on that list, so it can't really be complete. - here [13]
Stats #2 - FaceTime tries to justify their existence by saying IM/P2P attacks grew 6% last quarter. Sorry guys, you are a feature on a good day. - here [14]
The G-men speak. Virtualization is dangerous. OHMYGOD! Tell that to the thousands of customers that are spending billions of dollars on virtualization software this year. - here [15]
TippingPoint gets the Carnac award. They caught the ANI issue two years ago. It's better to be lucky than good. - here [16] (Rob Graham points out that TippingPoint is only unique in their ability to crank out press releases here [17])
Top Blog Postings
http://rationalsecurity.typepad.com/blog/2007/04/its_a_snacdown_.html [18]
Link to this [18]
http://www.computerworld.com/blogs/node/5294 [19]
Link to this [19]
http://mcwresearch.com/archives/451 [20]
Link to this [20]