Re: SBS 2008 Protection - Microsoft or Trend?



Agreed.

And anyone who has done any considerable coding and application support can appreciate how difficult it is to trap and validate every possible scenario, especially when you can't control the input values. It is amazingly difficult to anticipate every possible scenario that could relate to bad data. Take an example where you have a function that accepts someone's age in years as input. You're obviously expecting a number, but you have to allow for all sorts of conditions that could result in bad data in your function. What if your function received a negative number? Zero? What about a null value (no input)? What about a non-integer (13.372)? What about an insanely huge number (in the quadrillions) that is larger than your variable type can hold? Now take every calculation you are performing on that input, and saving to additional variables. Now look at every calculation that is using those previously calculated variables. Does each of those second-level calculations provide proper error trapping to avoid things like trying to divide by a variable with a value of zero? This is just an example of one function. Now spread that out multiple generations - you don't know who or what is going to be calling this function of yours. And you don't know who or what may be calling the functions that are calling your function. You do not know who may think that they can use your function for something it really wasn't intended to do, thus producing completely unexpected results that could represent a security flaw when the stars align just so . . .

To continue with our house analogy - the house is nearing completion, and as appliances are being installed it is discovered that the upgraded 60" commercial gas range won't fit through a turn to get into the kitchen. The interior designer decided to upgrade to the larger range after initial framing, etc. was completed. The kitchen cabinet guys adjusted their stuff to allow for the bigger range, but no one thought to look at the path the range would have to travel to get to the kitchen. The custom cabinets & granite countertops are already done, leaving a hole for a 60" range - so taking it back for a smaller unit really isn't an option. So drywall is cut back and a stud removed to allow the range to make the turn and get it into the kitchen. Now the stud has to be replaced and the drywallers & painters have to come back.

Let's say this is done by a larger commercial home builder, where they have their own home plans, and their own framing, drywall, & paint crews. Is it unethical for the home owner to have to pay for the extra labor and materials to the builder that originally designed, framed, drywalled, painted, and now fixed the framing, drywall & paint because a 3rd party (the interior designer) threw something into the mix that the original plans hadn't allowed for?

--

Chad A. Gross
http://www.msmvps.com/blogs/cgross
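As an added illustration of the age-function example above (this is not code from the thread, nor from any Microsoft product), here is a small C program that rejects each bad-input class the post lists and then re-checks the divisor in a chained calculation instead of assuming "validated input" means "safe intermediate". MAX_AGE = 150 and an age of majority of 18 are assumed policy values; the sample strings are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of validating one age string. Each bad-input class named in the
 * post gets its own code so the caller can log exactly what was rejected. */
typedef enum {
    AGE_OK = 0,
    AGE_ERR_NULL,       /* no input at all (NULL pointer) */
    AGE_ERR_NOT_INT,    /* empty, non-numeric, or fractional such as "13.372" */
    AGE_ERR_NEGATIVE,   /* "-5" */
    AGE_ERR_ZERO,       /* "0": a legal integer, but not a legal age here */
    AGE_ERR_TOO_LARGE   /* above MAX_AGE, or too big for the type to hold */
} age_status;

/* Assumed policy bound. Deliberately far below INT_MAX: the check is about
 * what makes sense for an age, not only what fits in the variable. */
#define MAX_AGE 150
/* Assumed age of majority used by the downstream calculation. */
#define ADULT_AGE 18

/* Parse an age in years from untrusted text. *out is written only on success. */
age_status parse_age(const char *text, int *out)
{
    if (text == NULL || out == NULL)
        return AGE_ERR_NULL;

    while (isspace((unsigned char)*text))   /* tolerate surrounding blanks ... */
        text++;
    if (*text == '\0')                      /* ... but not an empty value */
        return AGE_ERR_NOT_INT;

    errno = 0;
    char *end = NULL;
    long long v = strtoll(text, &end, 10);

    if (end == text)                        /* no digits at all ("abc", "-") */
        return AGE_ERR_NOT_INT;
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')                       /* trailing junk, including ".372" */
        return AGE_ERR_NOT_INT;

    /* ERANGE: the literal did not even fit in a long long (the "quadrillions"
     * case). Report it, never use the clamped value strtoll hands back. */
    if (errno == ERANGE)
        return v < 0 ? AGE_ERR_NEGATIVE : AGE_ERR_TOO_LARGE;
    if (v < 0)
        return AGE_ERR_NEGATIVE;
    if (v == 0)
        return AGE_ERR_ZERO;
    if (v > MAX_AGE)
        return AGE_ERR_TOO_LARGE;

    *out = (int)v;                          /* 1..MAX_AGE always fits an int */
    return AGE_OK;
}

/* Second-level value derived from a validated age. A perfectly valid age
 * still yields 0 for anyone ADULT_AGE or younger. */
int adult_years(int age)
{
    return age > ADULT_AGE ? age - ADULT_AGE : 0;
}

/* Third-level calculation that divides by the derived value. It checks the
 * divisor itself rather than trusting that validated input implies a
 * non-zero intermediate. Returns 0 on success, -1 when no result exists. */
int per_adult_year(int age, double total, double *per_year)
{
    int years = adult_years(age);
    if (per_year == NULL || years == 0)
        return -1;
    *per_year = total / years;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs covering each class from the post. */
    const char *samples[] = { "42", "-5", "0", "13.372", "",
                              "99999999999999999999999", "151", "abc", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int age = 0;
        age_status st = parse_age(samples[i], &age);
        printf("%-24s -> status %d%s\n", samples[i] ? samples[i] : "(null)",
               (int)st, st == AGE_OK ? " (accepted)" : " (rejected)");
    }
    double rate = 0.0;
    if (per_adult_year(ADULT_AGE, 100.0, &rate) != 0)
        puts("age 18: adult_years is 0, division skipped");
    return 0;
}
```

The point of the three layers is the one the post makes: the validator can be airtight and a later calculation can still produce a zero, so every function that divides owns its own check rather than relying on whoever called it.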

"Jim Behning SBS MVP" <jimbehning@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:up8ks4hh46nj4ta2g523lgtg7h92scmn42@xxxxxxxxxx
How about this. You build a house. On the job site you have a grading
crew, a foundation crew, a concrete slab crew, electricians, plumbers,
framers, trim carpenters, cabinet installers, siding and window crew,
brick masons, HVAC, architect, site foreman, home owner, roofer,
landscaper, pest control, drywall crew, painters, hardwood floor crew,
tile crew, carpet installers, cleanup crew. So you have 50 plus people
on site building your 2,500 foot house. Now you have to add in the few
hundred people making stuff off site like concrete, tile, trim,
windows, lumber, .... Rare is the person who goes out in the woods,
chops down trees with an axe, drags the trees to the house location
with horse or ox, notches and debarks the logs, builds the house,
collects thatch for the roof, grows cotton for oiled linen windows,
digs a hole for the outhouse.

So it takes thousands of people to build a house. Plenty of
opportunity to have goof ups.

Build software for an open environment and you have chances for screw
ups. There are many people working to build any OS. They have to allow
outside vendors in. Hard to run an OS with no video or raid
controllers. Then they want software to work. Anyone who goes running
around spewing some Microsoft conspiracy theory may have never built
their own home. Even car manufacturers goof up with their engine
management computers and it is a closed system. It is a lot easier to
build a closed system OS than an open OS.

You might build a crummy house on purpose. If your goal is to build
more than one house creating a future revenue stream from selling
houses you should not purposefully be building crud as your reputation
helps you sell more stuff. I suppose that you purposefully install
crummy network switches and printers so you can keep coming back to
install new ones?

On Wed, 25 Mar 2009 11:02:08 +0100, Freaky <wontsay@xxxxxxxxxx> wrote:

I disagree, whilst the analogy with the house is largely correct.
There's conflict of interests or however you call that.

But to make it simple...

Buy a house from me, I'll build it *purposely* with some flaws which my
subdivision of security can earn on again then. Taking your money twice
is no issue for me :) In fact, I'll be counting on it after this story... :D

It would actually pay for MS to hide flaws in their OS then, which will
make it easy for them to make the best security products for Windows
then as they have information others don't have.

And take this how you want it, but MS isn't the most friendly, ethical,
political entity around (as are most big companies...).

Cliff Galiher wrote:
It isn't strange at all, nor do I see it as a particularly ethical (or
unethical) issue. Let me try to use a few examples from other
industries. Of course the analogies won't translate over perfectly, but
if they did then there would be no need for an analogy... ;)

Home security. When you build a new house, do you call a security
company separately just to avoid the contractor who's building your
house? After all, if he were a good contractor, he would've built the
house with bullet-proof glass, reinforced steel siding, and durable
doorframes that could never be kicked in and locks that could never be
picked.

...but of course in the real world, we know better. Windows (the glass,
not the product) can be broken. Locks have inherent flaws in the
technology that allow them to be picked. We could even take the analogy
to a deep level of detail. Would you avoid an alarm system that was
manufactured by the same company that manufactured door locks because
their door locks should've been "good enough?"

--

The truth is an OS is much like a house. You *could* live in a
cardboard box, but you choose a house so you can customize it and make
it comfortable and fit your needs. Some people need a large kitchen.
Others desire a large entertainment room. Security in and around the
house varies from threats both external (burglars) and internal (caps on
outlets for small children) based on the occupants. People with kids
probably make sure their medicine and cleaning supplies cabinet is more
secure. Houses have flaws. Maybe the back door has a sprung hinge
which is a "security" issue. Or maybe there is some mold in the attic
which is a "security risk" to your health. Maybe you live in an area
that is notable for potential argon poisoning so you get your basement
tested regularly. The point is you actually don't *expect* your house
to have perfect security. You *expect* the possibility that it can
catch fire, leak gas, or throw electrical sparks and so we, as a
society, take precautions. We invent smoke detectors, fire
extinguishers, etc etc.

Your OS is where you work. Maybe it isn't on the net at all (unlikely
in this day and age, but still possible) or maybe it is just a gaming
machine. Maybe you keep your personal finances on it, or maybe you do
credit card processing for a large business and need uber-security to
best ensure that data is safe. But the primary job of the OS is to give
you "livable space" to do the work you want. It handles interfacing
with the hardware and keeping the underpinnings out of your way. And
like a house, it is *expected* to have flaws and holes and security
issues. Would it be nice if MS could make a flaw-free product? Of
course it would. But I don't think that is a reasonable expectation.
The OS does what it is supposed to. You could build a house with no
locks at all, in theory. Windows continues to improve its out-of-box
security, but it needs help, just like you need help securing your house
with the products I listed above. I think it'd be unfortunate to write
off an entire line of otherwise good products, and actually get good
protection, because there is some idea that it is unethical to sell
security separate from the OS.

But I've been known to be wrong. :)

-Cliff



"Freaky" <wontsay@xxxxxxxxxx> wrote in message
news:#D2FhbGrJHA.4980@xxxxxxxxxxxxxxxxxxxxxxx
Whilst your arguments are largely true it remains a real strange ethical
thing to pay the company that provided you windows (with some unchecked
boundaries which enable the stack overflow in the first place to give an
example) again to secure the same thing they should have secured
already :).

Also, if this team researches the stuff the entire time, why not patch
it right away.

Unfortunately it's much more complicated as not all viri use stack
overflows. Many use social engineering or other things and the
discussion takes a whole other road then. It doesn't take away the
ethical issue on the first though :).

Cliff Galiher wrote:
Inline:

-Cliff


"Leythos" <spam999free@xxxxxxxxxx> wrote in message
news:MPG.24302feff3609314989a45@xxxxxxxxxxxxxxxxxxxxxxx
It's never a good idea to use a vendor, for protection, that creates
the need for the protection in the first place.

Bah, this is an old wives tale. :)

MS didn't "create the need" for security. Hackers did. And MS is a big
enough company that separate teams rarely interact, often operate
completely independently, and in many cases, have different goals in
mind. Saying "don't buy security from Microsoft because windows isn't
secure" would be like saying "don't buy Bioshock for Windows (a Games
for Windows branded game) because Xbox 360s fail a lot. MS can't do games."
Games for Windows and the XBox team are very different.

Or "Don't buy OCS Server 2007 because Response point sucks"
(ResponsePoint doesn't suck BTW, but it was a handy example I could
think of) "so MS can't do voice." Again, very different products,
different teams, different goals. The Exchange team is focused on
making a messaging server. Although they do security testing, sometimes
buffer overruns or unintended uses of the protocol slip through. The
sharepoint team is focused on making a collaboration product. The
windows team is focusing on making the next OS.

The forefront team is focused on security. They are intentionally
trying to break the OS, Exchange, Sharepoint, and they are getting paid
to put extra time into these tasks. They are doing things that the
sharepoint team doesn't have time to do, or is getting paid to do, and
so realistically, I say treat each MS product *as its own business.*
Don't think of Microsoft as one big company, but a bunch of little
ones. Just like Newscorp owns Myspace, fox, and DirecTV (or did that
sale finally go through), the MS teams really do operate as such. I'm
not saying that Forefront should inherently be trusted...but let its
security record stand on its own. Don't dismiss it just because it is
an MS product. Forefront for Exchange, for example, (or Antigen) I
like. Forefront Client Security....still needs some work. Forefront
for Sharepoint...haven't tried it yet.

I would suggest that you use Symantec End Point Protection over
Trend or any other solution.

Hmm. The last time I tried SEPP on SBS 2k8, it broke. Runs fine on
SBS2k3 and on Win2k8, but SBS 2k8...not so much. Haven't tried in over
a month though. Can you confirm you've used this exact setup? Just
curious.

Personally I've been using the Onecare trials for now, until more SBS
2k8 surfaces. I loathe Trend that much.

I would also suggest that you place your network behind a REAL firewall
and have the firewall also filter HTTP, FTP, POP3, SMTP sessions for
removal of content and spam.

Unchallenged. :)

See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx
