Are security firms doing us a favor by letting us know about vulnerabilities? Or does the practice only give uninformed hackers another tool to attack us? Here's what some readers have to say:
I completely agree with you here. Rapid7 is acting in the best interests of the hackers by publicizing this before a fix is in place. Working in IT for the last 20 years has taught me that no matter how tight your security is, there is always a hole. I used to ask pupils at a school I worked at to actively try and hack the network (Novell Netware and Windows 95) in return for letting me know where the holes were. This earned such enterprising individuals extra credit and a nice, warm, fuzzy feeling inside. Not to mention my gratitude. If they had let all the other kids know before giving me a chance to plug any gaping holes, there would have been chaos.
Rapid7 is an idiot, in my opinion
Well, Barney, I must agree with you. TOTALLY irresponsible to broadcast specifics of a flaw to everyone on the face of the planet. It just enables the hackers that didn't already know about it to go about exploiting the vulnerability before the fix is available.
It would be like the news media reporting on how many U.S. troops are being deployed to which country and how many U.S. ships are being deployed to which body of water and...oh wait, that's being done too.
In a day and age when the media cares more about a 'hot' story than they do about national security why should we expect them to sit on IE flaws?
Geesh, what a wonderful world we live in, eh?
The reasons are quite simple why these are publicly disclosed.
One, it gets your firm's name out there. Two, it puts pressure on software designers to hurry and create a patch. And three, as a security firm it generates more income as new clients will want testing done to see if they are affected.
Who would pay top dollar for testing on an issue that already has a patch successfully deployed? Also who better to test for a flaw than the ones who reported it in the first place?
It's morally bad. But from a business mentality, what's bad for you is always good for the corporations. If you want a business to survive in times like these you MUST be ruthless and throw morals to the side. Your competition will not give you any slack. So why should you give them any?
All in all I don't blame them for doing it. I just don't agree with the ethics behind it.
Share your thoughts with the editors of this newsletter! Write to firstname.lastname@example.org. Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).
Posted by Doug Barney on 09/26/2012 at 1:19 PM | 1 comment
IE 8 is not exactly a legacy browser. It is what I used alongside Firefox until very recently. And if you are on XP, which is a supported OS until 2014, IE is the most modern Microsoft browser allowed.
So why is Google ditching support for the browser in November after IE 10 and Windows 8 ship? That is what Google is doing by refusing to support Google Apps for Business on IE 8 starting in two months. The fact that Google can pre-announce such a move tells me there is no technical reason not to support IE 8. The browser hasn't changed. It does pretty much what every other browser does.
This is all about maneuvering. To me it's a way to get XP users over to Chrome, or at the least off of IE and onto Firefox.
Looks like Google snuck a few peeks at the old Microsoft playbook.
What's your theory and reaction? Share at email@example.com.
Posted by Doug Barney on 09/26/2012 at 1:19 PM | 8 comments
Microsoft has a new app model for SharePoint 2013 and Office 2013 that's designed to minimize the problems of third-party apps. Much like browser add-ins can destabilize the browser, apps that run against Office and SharePoint can disrupt performance.
The new model addresses that with a sandbox kind of approach. It's not a sandbox, per se, but when installed on a server the apps run separately. They can also be separated on the cloud.
Despite the distance, they appear to be running closely together.
IT and end users also get more insight into app quality through the "Office Store." Here users rate what they use -- so if it stinks, you'll get a heads up. The Office Store also gives IT control. It's not really a store so much as a controlled warehouse where you can check out apps. This means IT, through Active Directory, can block off the Store so users can't download willy-nilly.
Posted by Doug Barney on 09/26/2012 at 1:19 PM | 0 comments
Microsoft recently tried to stoke the fires for Exchange 2013 by talking up some key new features and product strategy. If you are an old-school IT pro, you're probably most interested in the built-in malware protection. This is nice, but this is not the same as a dedicated security tool. My guess is we are talking real baseline protection without aggressive updates of virus signatures and such.
Classic IT thinkers may also appreciate support for 8-terabyte disks. Heck, with that kind of storage I could turn my spam filter off and just let it fly.
More modern items include better discovery for those that need to care about compliance, including the ability to reach out to Lync and SharePoint.
If you are a fan of server roles, there are only two you can invoke: mailbox and client access.
Much of what's new points to the future. The Outlook client is more touch-friendly with the addition of thumb controls. Outlook is also more social with deep Facebook and LinkedIn hooks, and can bring in newsfeeds and weather (you didn't want to concentrate when composing e-mails, did you?)
What do you want to see in the next rev of Exchange? Shoot me a line at firstname.lastname@example.org.
Posted by Doug Barney on 09/24/2012 at 1:19 PM | 0 comments
Months ago Google was roundly beaten for avoiding massive amounts of U.S. taxes. The trick, as I recall, is to claim your investment and expenses in America and book your profits overseas.
Under this approach Google pays something less than 2.5 percent, a fair bit less than the 35 percent U.S. corporate tax rate. It's all perfectly legal, and the short-term PR black eye is a small price to pay for saving billions every year. And some of that money goes back into the economy in the form of lobbyist fees and campaign donations!
Microsoft, as a shareholder-owned company, likewise does all it can to maximize profits. And this means the company parks 89 percent of its cash overseas.
However, unlike Google, Microsoft seems to pay its fair share, and last year paid a rate of 24 percent.
Tax thoughts welcome at email@example.com.
Posted by Doug Barney on 09/24/2012 at 1:19 PM | 8 comments
In April of last year I published a story about Microsoft Unified Communications.
This was soon after Lync came out. I was expecting to hear good things, but not much more. Let's face it, UC has less sex appeal than Chris Christie and Harry Reid put together.
Boy was I wrong. Microsoft UC can be a game changer. Sure, you can save gobs of money through VoIP and downsizing legacy telecom infrastructure, but Lync lets you do new things and at the same time do old things in new ways. It's really about integration with common productivity apps and adding things like IM, presence, and Web and video conferencing.
I reckon it's time to give it a fresh look once again and I'm looking for your help. Are you using Microsoft UC or tools from another vendor? If so, shoot me an e-mail at firstname.lastname@example.org and I'll be in touch.
Posted by Doug Barney on 09/24/2012 at 1:19 PM | 2 comments
Microsoft has a small bit of egg on its face after an employee who mans the company Twitter stream posted a message critical of Ann Coulter, arguing that Robert Reich's granddaughter is smarter than the blonde Cornell grad. The two were to speak on a panel together, prompting this message (because it was written in Twitter speak I had to read it twice to understand it): "@RBReich your granddaughter's level of discourse and policy > those of Ann Coulter."
I guess this is the Internet equivalent of hitting "send all."
What is your most embarrassing computing moment? Come clean at email@example.com. We publish letters using first names only.
Posted by Doug Barney on 09/24/2012 at 1:19 PM | 0 comments
IT is wowed by things that would bore an ordinary user. Most folks wouldn't know what to do with a server set up with server roles, and the common heart surely wouldn't race at the mention of storage deduplication. But IT folks aren't ordinary folks. Instead of flashy this and fancy that, you tend to care about features that get things done. And here Windows Server 2012 delivers.
Now the Enterprise Strategy Group agrees, or at least its survey does. In it 90 percent say they will roll out Windows Server 2012 within two years.
While there are a lot of PowerShell and other IT goodies, it is large categories of function that are driving upgrades. More than half are hopped up about virtualization, and almost half can't wait to get their hands on its new private cloud capabilities, the survey finds.
What is your view of Windows Server 2012? My inbox awaits at firstname.lastname@example.org.
Posted by Doug Barney on 09/21/2012 at 1:19 PM | 0 comments
Recently we talked about an IE elevation of privilege flaw that was publicized by a "security" company before the flaw was fixed. I put security in quote marks because I can't for the life of me see how security is enhanced when hackers are told how to attack our machines, and without giving the vendor a chance to glue up a patch.
Many of you agreed, as seen here.
Microsoft fortunately was able to fix this flaw fast and rushed out an out-of-band patch today. I guess this "security" firm can pat itself on the back for making Microsoft hop to, but this disclosure still left all IE users vulnerable for about a week. Your moms must be proud.
Trust me, this next observation has zero political content. I was looking at the "security" company's management roster to see if I knew anyone, then clicked on the Board of Directors. Two of the members are from Bain Capital. Just an observation. My guess is that Rapid7 investors might not be fans of publicizing open holes, especially given the reaction I see from IT pros (and more especially in an election year).
On another note with no political ax to grind, did you hear that Mitt Romney tried to hire Steve Ballmer when Steve was fresh out of Harvard? It's true.
What should real security companies do when they find a flaw? Wise and cogent answers welcome if you've got 'em at email@example.com.
Posted by Doug Barney on 09/21/2012 at 1:19 PM | 4 comments
Sophos users thought they were protected for another cycle after updating their antivirus. So why, they wondered, were security warnings going off like the end of a James Bond movie?
It seems that Sophos suddenly thought its own software was malware.
For one machine, this is a nuisance. When you are an admin and you are getting alerts from hundreds of presumably infected computers, that's a nightmare.
Sophos is bending over backwards to apologize and has already updated the update to stop the false alarms.
I put this in the honest mistake category. Am I in too good a mood, or does Sophos really deserve a pass on this one? You tell me at firstname.lastname@example.org.
Posted by Doug Barney on 09/21/2012 at 1:19 PM | 3 comments
A new IE zero-day flaw has been found, publicized and is now being exploited. And this is not the kind of story I like to report.
In walking through this news, I'm hoping you'll help me understand the logic and report back to me and the tens of thousands of Redmond Report readers by writing to email@example.com.
On Monday Rapid7, a security firm, wasted no time in telling the world that IE 9 and a number of earlier versions had a flaw that impacted XP, Vista and Win 7. The attacks trick a user into clicking on a malicious Web site, giving the attacker access to elevated privileges.
Of course now hackers are exploiting the flaw which Microsoft, given the short notice, hasn't had time to fix.
Why on earth do security firms publicize flaws before they are fixed? To me this is totally irresponsible.
Tell me where I'm wrong or more likely right at firstname.lastname@example.org. In the meantime, if I get hacked this way, I'll blame Rapid7.
Posted by Doug Barney on 09/19/2012 at 1:19 PM | 11 comments
The iPhone 5 is close to shipping, driving Apple stock to an all-time high -- and I think it's an unsustainable high (although the P/E ratio of around 16 isn't as out of line as I thought it would be).
With far less fanfare, Windows Phone 8 is also imminent, having gained release-to-manufacturing status. I guess it takes about six weeks for OEMs to turn these things around. The launch date is now expected to be Oct 29, with shipments soon after.
I still hear good things about the phone, but I think the real movement will come from enterprise customers who may see tight integration with corporate apps, and some aggressive moves by OEMs such as Nokia making us offers we can't refuse.
Do you see a Win 8 phone in your future, perhaps tying it into Lync? Mail me at email@example.com.
Posted by Doug Barney on 09/19/2012 at 1:19 PM | 1 comment