Category: Microsoft

Robert X. Clueless

Mark Stephens, the PBS pundit who goes by the pseudonym Robert X. Cringely, is modestly famous for his bomb-throwing anti-Microsoft screeds. He’s also famous for being flat-out wrong, often, even when it comes to his own professional credentials. His latest column, A Whole New Ball Game, reaches new heights of misinformation. Here’s a snippet:

Last week, a Microsoft data security guru suggested at a conference that corporate and government users would be wise to come up with automated processes to wipe clean hard drives and reinstall operating systems and applications periodically as a way to deal with malware infestations. What Microsoft is talking about is a utility from SysInternals, a company that makes simply awesome tools.

This is pure horseshit. One surefire indicator that something is rotten in this particular pulpit is that Mark’s … oops, sorry … Bob’s column contains no links. In fact, his columns never link to any external sources of information. Isn’t it remarkable that someone who writes a weekly column for the Internet never links to anyone else? If you want to actually check the facts about something Mark/Bob has written, you have to go dig it out yourself.[*] In this case, the quote is from a presentation at the InfoSec World conference by Mike Danseglio, program manager in the Security Solutions group at Microsoft. The story was originally reported by Ryan Naraine of eWeek. (Read the whole thing here, and see some additional remarks of mine here.)

Did Danseglio really say that corporate and government users should “periodically” wipe and reimage systems? No, not at all. He said that’s the most effective way to deal with a system that has been compromised by a rootkit or an infestation of some advanced spyware programs. And he’s right. When you let someone else take over your operating system, it’s not your PC anymore. You could spend hours or days trying to find and remove all traces of the intruder, but you’d never know for sure whether you were successful.

So, wipe and reimage as a last resort. But the smart, safe strategy that Danseglio recommends is prevention. In fact, if you click to the second page of the eWeek story, you read this conclusion:

According to Danseglio, user education goes a long way to mitigating the threat from social engineering, but in companies where staff turnover is high, he said a company may never recoup that investment.

“The easy way to deal with this is to think about prevention. Preventing an infection is far easier than cleaning up,” he said, urging enterprise administrators to block known bad content using firewalls and proxy filtering and to ensure security software regularly scans for infections.

That’s good advice, and it’s consistent with the “defense in depth” strategy that the Microsoft Security Response Center has been advising for years. But you’d never know that if you read only Cringely, who preaches to an audience that’s eager to sop up anti-Microsoft propaganda, no matter how ill-founded or factually challenged.

And then there’s this:

The crying shame of this whole story is that Microsoft has given up on Windows security. They have no internal expertise to solve this problem among their 60,000-plus employees, and they apparently have no interest in looking outside for help. I know any number of experts who could give Microsoft some very good guidance on what is needed to fix and secure Windows. There are very good developers Microsoft could call upon to help them. But no, their answer is to rebuild your system every few days and start over. Will Vista be any better?

Given up on Windows security? Yeah, I guess Windows XP SP2, Windows Defender, Windows Live OneCare, Microsoft Client Protection, and the many security improvements built into Windows Vista don’t really exist. No internal expertise? That’s ludicrous, as anyone who’s spent even 10 minutes with the Windows team would know. No interest in looking outside for help? As Scoble points out, all you have to do is look at the attendee list of Microsoft’s BlueHat Security Briefings to know that conclusion is not supported by any facts.

Or you could just look at the by-line. If it says Cringely, you know it’s wrong.

Update: Dwight Silverman is skeptical about some unrelated parts of the same Cringely column.

[*] As some commenters point out, a separate page, unmentioned in the original column, includes a link to the eWeek article. I’m a little baffled at the idea that a columnist who writes a weekly column for the web hasn’t learned how to create hyperlinks. It is 2006, after all. But technically, he did provide a link to this article, if you know where to look.

SANS jumps the shark

This rant from Tom Liston at SANS is disgraceful to see on a serious security site. You got problems with Microsoft’s decision? Make your case. Give your readers some evidence. Get angry if you want. But juvenile satire that ignores the business realities of the situation is just stupid, and it’s double-plus-stupid when the rant is completely free of facts or analysis.

My collective opinion of SANS has dropped severely.

And one orange icon shall rule them all

The announcement at the Microsoft Team RSS Blog has a picture of the new RSS icon that will be standard in IE7.

RSS icon

Look familiar? If you use Firefox, you’ll recognize it instantly. In fact, those who want to see all-out war between IE and Firefox might be disappointed by this report:

I’m excited to announce that we’re adopting the icon used in Firefox. John [Lilly] and Chris [Beard] were very enthusiastic about allowing us (and anyone in the community) to use their icon. This isn’t the first time that we’ve worked with the Mozilla team to exchange ideas and encourage consistency between browsers, and we’re sure it won’t be the last.

We’ll be using the icon in the IE7 command bar whenever a page has a feed associated with it, and we’ll also use it in other places in the browser whenever we need a visual to represent RSS and feeds. Look for more details on the look and feel of IE7 when we post the public pre-release build next year.

A little more background here.

Q&A: Getting into a Microsoft beta program

In the comments to an earlier post, Carl asks a good question:

Microsoft’s Windows beta programs have always been a mystery to me. I’ve worked with Windows as a Sysadmin for 9 years, and I still don’t know how to get into the Windows Beta program. I’m aware that the Vista beta is available to Technet Plus and MSDN customers, but I don’t need MSDN and don’t see the value of Technet Plus at the price Microsoft charges. I’d really like to test Vista, but don’t know how to do so legally. Any insight?

The secret is to think way ahead and to nominate yourself. Microsoft sent out the original invitations for the Windows Vista beta program last July, and the list was probably put together months before that. The team that runs the beta test program tries to put together a diverse group that represents a broad cross-section of potential customers, so having enthusiasm and a willingness to participate is more important than technical chops.

How do you get considered for a future beta program? Watch news sites to see when beta nominations open. Typically, you visit a Web site and log in with a publicly available user name and password. You fill out a questionnaire, and then you wait.

Don’t limit your request to just Windows, either. If you can get yourself invited into a related program and then actively participate in it by filing quality bug reports, you’re more likely ot get invitied to a future beta program.

Windows Live gets bigger

Wow. A lot of really interesting stuff on the Windows Live Ideas page.

I’ve been using the Windows OneCare Live beta for a couple months. It’s been exceptionally stable and unobtrusive – enough so that I’ve completely dropped my previous favorite, Trend Micro PC-cillin.

If you’re looking for an antivirus/firewall/backup package, this is a good one to try. It’s free now but will be a paid service (no hints of ultimate cost) eventually.

I’m also planning to sign up for the Windows Live Mail beta today.

More on the Windows Defender name flap

Over the weekend, Dwight Silverman asked: “Does Microsoft know there’s already a Windows Defender out there?” I answered hypothetically:

Microsoft has an army of lawyers, and one would have to assume that no product naming decision gets publicly announced until there’s been a thorough trademark search.

Todd Bishop of the Seattle P-I says that assumption was right. He tracked down the developer of the original Windows Defender program, 22-year-old Adam Lyttle from Adelaide, Australia:

Lyttle wasn’t inclined to get into a legal tussle with the software giant and its army of lawyers. For one thing, he had stopped working on his Windows Defender program nearly a year before that point.

He was puzzled by one element of the agreement, which gives to Microsoft all rights to the Windows Defender name. However, after consulting with a friend in law school, he decided to just sign it and move on.

The story doesn’t make Microsoft look very good.

Thanks for following up, Todd!

Microsoft buys FolderShare

News out of Redmond:

Microsoft Corp. today announced it has acquired FolderShare, a leading service in the emerging space of file synchronization and remote access technology that helps customers access information across multiple devices. FolderShare customers will continue to be able to enjoy the service at http://www.foldershare.com. Financial details of the acquisition were not disclosed.

This has been on my to-do list for a while. Now I really have to look at it!