June 2005 Entries
Two steps forward, one step back

A while back, Microsoft acquired anti-virus vendor Sybari. Sybari had an interesting product line with support for Exchange, SharePoint, Live Communication Server, Lotus Domino, generic SMTP gateways, Windows, and UNIX/Linux. Now that the acquisition is complete, guess what disappeared from the product lineup?

If you guessed "UNIX/Linux" support, you'd be right.

On the one hand, I'm not really surprised. Sybari may continue to run as a separate company for now (albeit with a little "A Microsoft Subsidiary" addition to their logo), but sooner or later, they are likely to get merged into the general body of Microsoft products and development, and you don't see too many other Microsoft products for UNIX platforms these days (the last one I can remember was Internet Explorer for Solaris, back in the day). They just don't have the corporate expertise to write UNIX apps.

On the other hand, presumably the Sybari acquisition brings with it an existing UNIX development infrastructure, as well as a pool of developers who know how to write for UNIX. It's a long way from anti-virus products to, say, Office, but it's a start. A lot of people are finding the Linux desktop story more compelling, but office software continues to be one of the sticking points of that story; Office file compatibility is a major de facto requirement in today's world and it would be hard to beat Office's compatibility with a UNIX version of itself (granted, Mac/Windows compatibility occasionally has a few warts). Add to that the new Office Communicator -- now there's a product that should have a UNIX version sooner rather than later -- and surely Entourage to at least provide some UNIX-based competition to Novell's Evolution (which they added to their product lineup with the acquisition of Ximian).

On the gripping hand (if you don't get this phrase, you obviously haven't read The Gripping Hand, the sequel to the classic Niven and Pournelle sf novel The Mote in God's Eye), The Register makes a very painful point, which is that the vast majority of viruses in the wild are targeted at the Windows platform. UNIX-based virus scanners aren't so much about protecting UNIX machines from viruses as they are a convenient platform from which to scrub data intended to be used on Windows workstations.

Microsoft has been doing a lot of good work on trying to show that they've gotten serious about security. Unfortunately, this move is going to become a rallying point for the people who want to show otherwise, and it's going to be very hard to disagree with them. Granted, I'm not in the big office up at the Microsoft campus, but from my view here I have a hard time seeing how nuking the existing Sybari UNIX anti-virus solution ties into the strategic goals of Trustworthy Computing -- or in fact how it is anything other than a decision made in a reflexive anti-UNIX reaction. A lot of companies used the Sybari engine in conjunction with a nice UNIX-based MTA like Postfix to provide a high-performance, highly secure message hygiene gateway between the Internet and their Exchange organization. Now they've got one less option -- and I can pretty well guarantee they're not going to sit on their hands idly waiting for Exchange 12 to come out so they can deploy an Exchange edge server to fill the gap.

I wish somebody at the high executive level would realize that sometimes it is better to have your finger in every pie rather than try to make sure you have the only pie.

posted @ Wednesday, June 22, 2005 9:27 AM | Feedback (1)
The Broadcast Flag Reloaded

Not much time -- less than 48 hours -- to fight the latest incursion of the Broadcast Flag.

What's the problem? (quoted from the EFF website)
The Broadcast Flag was Hollywood's plan to point its remote control at your digital TV.

The courts struck down the original FCC proposal. The lobbyists have turned to Congress. House Commerce Committee Chairman Joe Barton says he won't have a new flag spoiling his Digital Television Transition bill.

The bad news: some of the subcommittee members working on the bill disagree and have spoken in favor of including a Flag amendment into law.

What is the Broadcast Flag? (quoted from the Chicago Sun-Times)
The Broadcast Flag is a signal embedded in HDTV broadcasts that would have dictated what you could and couldn't do with that HD episode of "Two and a Half Men." The flag can tell your digital TV receiver not to allow you to record this show, or tell it to destroy the recording after a set amount of time or a certain number of viewings. If the show was recorded in the living room, don't allow the user to watch it in the bedroom. Don't let the show be burned onto a DVD so it can be viewed on a laptop ... and make sure the viewers won't have any alternatives when the time comes to sell this show into syndication or as a boxed set. Start a small house fire if you have to!

What do I do?
Go to the EFF online contact form and contact your representatives if they're on the committee.

posted @ Tuesday, June 21, 2005 12:40 PM | Feedback (1)
Mad as hell about Windows security myths

No, not me. My net.friend Alistair. He read this article and got a touch annoyed about some of the untruths and misconceptions present in the article, so he decided to respond. Not that I blame him; while this article raises some good points (which I'll get to in a minute), it also perpetuates some astonishingly wrong myths and legends. Read his response here. A quick summary of Alistair's points:

  1. Ever heard of RunAs?
  2. There are more than two types of users in a default modern Windows installation.
  3. 39+ separate privileges, discretionary file and registry ACLs, and guidelines/best practices on how to use them for security since the days of NT4.
  4. ActiveX is only as insecure as the user behind the keyboard.
  5. People who are spending too much time fighting spyware and viruses need to take a look at their behavior.
  6. People who need to reinstall Windows on a regular schedule need to take a look at their behavior.

Let me chime in here on points 3, 5, and 6:

39+ separate privileges, discretionary file and registry ACLs, and guidelines/best practices on how to use them for security since the days of NT4: by all means, Microsoft has made their share of mistakes in the security market. NT4 and the Windows 9x codebase were not really ready to be on the Internet, but the lion's share of the blame has to be on developers (and users) who ignored all of the guidelines that Microsoft put out and did really stupid things. I've lost track of the number of programs I've seen that could be run with a non-admin account if the developers had ever bothered to document exactly which permissions you needed to a) install and b) run the thing. Alistair also makes a valid point when he points out that many people circumvent the default file ACLs by not using the My Documents folder or taking the time to properly move their home directory. Microsoft could bundle a Move Home Directory Wizard which did the right thing, but then people wouldn't use it. And let's face it -- lazy developers aren't just a Windows problem. How many bad CGI and PHP scripts are out there that effectively open up a web server to any attacker? Granted, the UNIX security model is simpler than the Windows model, but it by no means fixes all problems and the seeming simplicity invites even experienced users to shoot themselves in the foot from time to time.

People who are spending too much time fighting spyware and viruses need to take a look at their behavior: my wife might get upset with me for pointing this out, but the one computer in my household that needs the most TLC is hers. Why? Because she goes to a lot more strange and risky websites than I do, and we keep strict control over where our kids are allowed to point their browsers. She's got friends and family who send her those asinine online greeting cards, little Internet gamelets, and she has quite a few online games that she plays. In order to do all of that effectively, she's got to accept a lower limit of security, and a lot of those sites want to install spyware. Once I got her to understand that I wasn't saying that she was the problem, but rather that she was putting her system at a higher level of risk by her choices, she's gotten smarter about which sites she visits and her computer has been more stable.

People who need to reinstall Windows on a regular schedule need to take a look at their behavior: More of the above. I had an installation of Windows 2000 that lasted for four years without major issues, and that was after two motherboard upgrades and a switch from SCSI to IDE. Our home network runs on a strict principle of separation of privilege: my wife and I have admin access, but not on our regular accounts. The kids don't even have admin access, which means Steph or I need to approve all new software installs. Unlike many home users, I've got a domain set up, so we've even got a proper OU structure in place for easy Group Policy management. A little bit of forethought and user education save a lot of maintenance time down the road. I finally switched my home network over to Windows precisely because the combination of Active Directory and Group Policy allows me to manage a lot of this stuff automatically, rather than having to either check it manually or spend a lot of additional time setting up custom scripts or installing additional software packages (and then tying them together with scripts) like I did on UNIX.

Don't get me wrong -- I'm not trying to turn this into Windows vs. UNIX, as I use and love both. But Windows is not the insecure codebase that people think it is, if you're using a modern version (yes, all you Windows 9x users -- I'm looking at you) and using it in accordance with best practices and common sense.

posted @ Tuesday, June 21, 2005 10:40 AM | Feedback (2)
Easily finding and reading IIS logs
Once again, Chrissy comes to the rescue with a nice bit of coding. Today's problem: easily finding the right logfile for your IIS virtual server. I've got a couple of different servers I'll be using this on, oh yes...
posted @ Sunday, June 19, 2005 8:40 PM | Feedback (0)
News

Devin has moved on to new adventures. This blog is preserved for historical purposes.

Please follow his personal blog at: Devin on Earth


Virtual Devin