Getting good information

On December 31, 2005, in Security, by

…so we’re in the car driving to Los Angeles and the radio DJ talks about an upcoming story on radio

“A problem in Microsoft Windows? Nahhhhhhhh,” she says...

The chatter on SBS listservs today is one of disappointment. This security issue points out the problem we have down here in SBSland: the “test” problem. Large firms have the resources to test, to have matching images on the desktops, to try to understand the risk for their firm. Down here we rely on the guidance we get from official sources.

So the gang is now scratching their heads as to how we went from “DEP works” to “only hardware DEP works”. They are seeing that antivirus and spyware bloggers were the first to bring up the issue that software DEP wasn’t working [especially on real-world boxes].

Getting good info is hard, and unfortunately this event just pointed out how hard.

2 Responses to Getting good information

  1. wim says:

    No local admins is also a good start

  2. Alun Jones says:

    This is going to be the eternal problem for vendors dealing with security vulnerabilities, I’m afraid – how much information do you give out? While it’s true that “the bad guys have already got information on this vulnerability” (I’m positing a hypothetical statement), that’s a bit like saying that “Microsoft doesn’t get security”. Neither group (“the bad guys” and “Microsoft”) is a monolithic entity with a hive mind.

    Truth is, a few of the bad guys know how to exploit it. Lots of them don’t (but they’re trying to find out) – if you give out lots of information that might allow administrators to test how well-protected their systems are, or to determine the degree of vulnerability, you also give the same information to bad guys who didn’t already have it. Those bad guys then use that information, and whatever they glean from other sources, to build an exploit that hits harder, faster, deeper.

    Should that mean that nobody should ever give out information on exploits? No, it just means that deciding what information to give out is difficult. Outsiders can give out whatever information they please – after all, they’re not pissing off their own customers, and they don’t have to be very accurate in what they say. The vendor, on the other hand, has to realise that the more they panic their own customers, the less those customers will want to trust them in future.

    As for the “Microsoft doesn’t get security”, I’ll expand on that in one of my own blog entries later on. Truth is, there’s a high number of people at Microsoft that do “get security”, and they’re in the right positions to make a lot of things happen – but they are faced with hundreds of developers, most of whom don’t have any great personal interest in security except when they’re given the choice of “do it right, or work elsewhere”.