Re: SBS 2008 Protection - Microsoft or Trend?
- From: Freaky <wontsay@xxxxxxxxxx>
- Date: Wed, 25 Mar 2009 11:02:08 +0100
I disagree, whilst the analogy with the house is largely correct.
There's a conflict of interests or however you call that.
But to make it simple...
Buy a house from me, I'll build it *purposely* with some flaws which my
subdivision of security can earn on again then. Taking your money twice
is no issue for me :) In fact, I'll be counting on it after this story... :D
It would actually pay for MS to hide flaws in their OS then, which will
make it easy for them to make the best security products for Windows
then as they have information others don't have.
And take this how you want it, but MS isn't the most friendly, ethical,
political entity around (as are most big companies...).
Cliff Galiher wrote:
It isn't strange at all, nor do I see it as a particularly ethical (or
unethical) issue. Let me try to use a few examples from other
industries. Of course the analogies won't translate over perfectly, but
if they did then there would be no need for an analogy... ;)
Home security. When you build a new house, do you call a security
company separately just to avoid the contractor who's building your
house? After all, if he were a good contractor, he would've built the
house with bullet-proof glass, reinforced steel siding, and durable
doorframes that could never be kicked in and locks that could never be
picked.
...but of course in the real world, we know better. Windows (the glass,
not the product) can be broken. Locks have inherent flaws in the
technology that allow them to be picked. We could even take the analogy
to a deep level of detail. Would you avoid an alarm system that was
manufactured by the same company that manufactured door locks because
their door locks should've been "good enough?"
--
The truth is an OS is much like a house. You *could* live in a
cardboard box, but you choose a house so you can customize it and make
it comfortable and fit your needs. Some people need a large kitchen.
Others desire a large entertainment room. Security in and around the
house varies from threats both external (burglars) and internal (caps on
outlets for small children) based on the occupants. People with kids
probably make sure their medicine and cleaning supplies cabinet is more
secure. Houses have flaws. Maybe the back door has a sprung hinge
which is a "security" issue. Or maybe there is some mold in the attic
which is a "security risk" to your health. Maybe you live in an area
that is notable for potential argon poisoning so you get your basement
tested regularly. The point is you actually don't *expect* your house
to have perfect security. You *expect* the possibility that it can
catch fire, leak gas, or throw electrical sparks and so we, as a
society, take precautions. We invent smoke detectors, fire
extinguishers, etc etc.
Your OS is where you work. Maybe it isn't on the net at all (unlikely
in this day and age, but still possible) or maybe it is just a gaming
machine. Maybe you keep your personal finances on it, or maybe you do
credit card processing for a large business and need uber-security to
best ensure that data is safe. But the primary job of the OS is to give
you "livable space" to do the work you want. It handles interfacing
with the hardware and keeping the underpinnings out of your way. And
like a house, it is *expected* to have flaws and holes and security
issues. Would it be nice if MS could make a flaw-free product? Of
course it would. But I don't think that is a reasonable expectation.
The OS does what it is supposed to. You could build a house with no
locks at all, in theory. Windows continues to improve its out-of-box
security, but it needs help, just like you need help securing your house
with the products I listed above. I think it'd be unfortunate to write
off an entire line of otherwise good products, and actually get good
protection, because there is some idea that it is unethical to sell
security separate from the OS.
But I've been known to be wrong. :)
-Cliff
"Freaky" <wontsay@xxxxxxxxxx> wrote in message
news:#D2FhbGrJHA.4980@xxxxxxxxxxxxxxxxxxxxxxx
Whilst your arguments are largely true it remains a real strange ethical
thing to pay the company that provided you windows (with some unchecked
boundaries which enable the stack overflow in the first place to give an
example) again to secure the same thing they should have secured
already :).
Also, if this team researches the stuff the entire time, why not patch
it right away.
Unfortunately it's much more complicated as not all viri use stack
overflows. Many use social engineering or other things and the
discussion takes a whole other road then. It doesn't take away the
ethical issue on the first though :).
Cliff Galiher wrote:
Inline:
-Cliff
"Leythos" <spam999free@xxxxxxxxxx> wrote in message
news:MPG.24302feff3609314989a45@xxxxxxxxxxxxxxxxxxxxxxx
It's never a good idea to use a vendor, for protection, that creates the
need for the protection in the first place.
Bah, this is an old wives tale. :)
MS didn't "create the need" for security. Hackers did. And MS is a big
enough company that separate teams rarely interact, often operate
completely independently, and in many cases, have different goals in
mind. Saying "don't buy security from Microsoft because windows isn't
secure" would be like saying "don't buy Bioshock for Windows (a Games
Windows branded game) because Xbox 360s fail a lot. MS can't do games."
Games for Windows and the XBox team are very different.
Or "Don't buy OCS Server 2007 because Response point sucks"
(ResponsePoint doesn't suck BTW, but it was a handy example I could
think of) "so MS can't do voice." Again, very different products,
different teams, different goals. The Exchange team is focused on
making a messaging server. Although they do security testing, sometimes
buffer overruns or unintended uses of the protocol slip through. The
sharepoint team is focused on making a collaboration product. The
windows team is focusing on making the next OS.
The forefront team is focused on security. They are intentionally
trying to break the OS, Exchange, Sharepoint, and they are getting paid
to put extra time into these tasks. They are doing things that the
sharepoint team doesn't have time to do, or is getting paid to do, and
so realistically, I say treat each MS product *as its own business.*
Don't think of Microsoft as one big company, but a bunch of little
ones. Just like Newscorp owns Myspace, fox, and DirecTV (or did that
sale finally go through), the MS teams really do operate as such. I'm
not saying that Forefront should inherently be trusted...but let its
security record stand on its own. Don't dismiss it just because it is
an MS product. Forefront for Exchange, for example, (or Antigen) I
like. Forefront Client Security....still needs some work. Forefront
for Sharepoint...haven't tried it yet.
I would suggest that you use Symantec End Point Protection over Trend or
any other solution.
Hmm. The last time I tried SEPP on SBS 2k8, it broke. Runs fine on
SBS2k3 and on Win2k8, but SBS 2k8...not so much. Haven't tried in over
a month though. Can you confirm you've used this exact setup? Just
curious.
Personally I've been using the Onecare trials for now, until more SBS
2k8 surfaces. I loathe Trend that much.
I would also suggest that you place your network behind a REAL firewall
and have the firewall also filter HTTP, FTP, POP3, SMTP sessions for
removal of content and spam.
Unchallenged. :)