December 2009 - Posts

Logical thinking, a lost art?
31 December 09 07:47 PM | ronaldg

Well, if you’ve read the last couple of posts you are aware that I’ve cast some aspersions on many folks who comment on blog posts and articles.  It seems to me a huge majority of them are seriously un-, under-, or mis-informed about the topics and issues they nonetheless take the liberty to comment on.  Of course, everyone has an opinion about Microsoft (MS), and as an MS employee for the last 12+ years, I would say that one could consider it “logical” to conclude that I would know more about MS than the vast majority of the folks who offer their opinions on our products and business practices in online venues.  In fact, I’m betting that my tenure at MS, and the presumed credibility it entails, is perhaps a primary reason why you bother to read this blog.  Of course, I’m constantly piqued, or some would say “tweaked”, by the wildly inaccurate stuff I see posted, especially in comments.  You likely remember in my last post (same song, second verse…) that I called out one particular comment (on XP being more secure than Windows 7) that was an amazing example of the type of un- or misinformed commentary that seems all too prevalent today – especially around the topic of Microsoft.  And you might also recall that I called out his poor logic but chose not to address it in that post.  As another interesting coincidence, I ran across this post from Robert Strohmeyer, of PC World, around the sad state of “logic” as it is used (or rather, more commonly, abused) in the internet “echo chamber”.  As we close out 2009 and look forward to the new decade of 201x’s, I thought I would take this opportunity to do a post on a “generic” topic – I hope you find this interesting, if not informative.  I also hope that you’ve not found these logic fallacies to be characteristic of my posts and opinions.  
I try to be objective (as I can be <grin>) and factual, and when I call out other opinions and posts that I disagree with I typically try to put out a well-supported and credible rationale as a counterpoint, not just flame the writer (for being so ignorant <smile>…just joking) as so many others do. 

So here’s the link to the post:  The Web's Most Illogical Arguments.  The title is self-explanatory, although he only points out 10 of the many logical fallacies that occur.  To that end, I’ve included some links below for you to get more comprehensive info around logic fallacies, if you choose.  I like his opening:

“The Internet is teeming with crazies, jerks, and blowhards; and in online forums, debaters are full of passionate intensity. Peruse the comments area on any popular blog, and you'll find more irrational rhetoric than you can shake an encyclopedia at.  What separates rational thought from bogus blather is logic. Unfortunately, sound logical thinking is a learned skill that's rarer than we might hope, and it's not the same as so-called common sense.”

[Assuming you just read the post] Did you see any (or a lot of) logic fallacies that you recognize from recent readings?  I’d be really surprised if you didn’t.

In his paragraph on “What’s a Fallacy”, as he explains what a fallacy is, he makes the following observation that I think is reasonably astute: “Using or falling for fallacious reasoning is by no means a sign of stupidity.[emphasis mine] Lots of smart people inadvertently use or get taken in by irrational arguments from time to time--through lack of attention, lack of understanding about how logic works, or the simple fact that human psychology is riddled with weird idiosyncrasies that make us susceptible to misunderstanding.”  Again, using TJ (from yesterday’s post) as an example, his erroneous conclusion isn’t based so much on the fact that he doesn’t know anything (stupidity) as on the fact that he doesn’t know enough about the subject he’s commenting on, which leads him into logic errors – and that is what I find to be the most common problem out there.  Folks know a lot about one thing, and think they know a lot about other stuff as well, but I find, at least in the majority of external commentary on Microsoft, that this presumed knowledge is seldom founded on actual facts but rather on perceptions (usually erroneous), purely anecdotal evidence, or outdated information (based on unfortunate generalizations of past events).  And sadly, many, if not most, are content to spew their opinions based on this lack of, or faulty, information.  Case in point – TJ bases his conclusion that XP is more secure than Windows 7 on the following premise: “outside security analyst have been scouring Windows XP for almost a decade, while Windows 7 has a lot of new code [which is not being scoured]”.  Well, one of the rules of logic is that if you start with a false premise, your conclusion is unsupported no matter how valid the reasoning that follows.  
TJ makes two errors right out of the box: one is the (false) assumption that security analysts scouring a codebase for some extended length of time is somehow an objective measure of the fundamental security of that codebase; and two, the also false assumption that the Vista codebase (although newer) was not scrutinized to any great extent.  On this second point, he is woefully uninformed about the SDL as well as, apparently, any or all of the data out there that shows how much more secure Vista is than XP – I sure hope he read CW’s response.  On a related note, I saw another comment on another blog that basically tried to make the case that Firefox was more secure and stable than IE because that person hadn’t had a Firefox error in months (a hasty generalization or proof-by-example fallacy at best, or possibly confirmation bias – you make the call, or identify a fallacy that’s even more relevant).  Again, with that kind of anecdotal evidence and logic, I could have made the case that since I hadn’t had a problem with IE in a year, that would logically make IE 2-3x more robust and secure than FF.  Of course we would both be wrong.  I just wish more folks would be more responsible in their commentary.

But the real point of this is “be careful out there”.  I would suggest not just a “grain of salt” but rather a healthy dose of skepticism when reading online content and comments.  Know your logic fallacies and remember, even what appears to be decent logic is completely negated when the premise, or basis, is false. 

And, btw, if I’ve piqued your interest with this post, here are some more links to info on logic fallacies.

Logical Fallacies, List of fallacies (wikipedia), Critical Thinking mini-lesson 5 (Skeptic.com), Logical Fallacies (LEO: Literary Education Online) – these are the ones I would recommend.  But if you’re in for a logic challenge, try this one (Bad Arguments) where you can test your logic skills (don’t want to brag, but I got all of the practice ones correct <grin>); hopefully you will too.   Cheers.  Hope you have a great 2010.

Same song, second verse…answering the question: “Does Microsoft Look for Vulnerabilities in Their Own Products?”
30 December 09 06:21 PM | ronaldg

Wow, just when I thought I had hit the security theme pretty well and could kick back for the rest of the holidays, I see this on the PC Magazine Security Watch blogs.

Does Microsoft Look For Vulnerabilities in Their Own Products?

Well, if you even entertained the initial thought that the answer could be no, I sentence you to go back and read every security-related blog post I’ve written <grin>.  This post came about because of a Twitter whine by researcher Alex Sotirov who complained that vendors weren't paying those (presumably like himself) who found the bugs in their products, and that this was somehow unjust.  I actually recommend you read this post by Larry Seltzer, although at the end he seems to reach the conclusion that he agrees with Sotirov.  I disagree with his conclusion on several bases but let me cover the post in general, and then address what I feel are the flaws in his conclusion later.

Right up front Seltzer points out that “Most of the bug-finding for major products comes from researchers paid by someone for their work.”  For sure, most vendors, like Microsoft, leverage the findings of external researchers in this regard, but I would like to see some proof of the assertion that “most” of the bug-finding is done by these folks; this is just another example of how easy it is to make an unsubstantiated declarative comment that many folks accept at face value with no real vetting or substantiation to back it up.  I can’t say that I still know this for a fact (full disclosure on my part), but back when I was a security-focused Technology Specialist for Microsoft, in the early days of SDL (and the associated SWI, Secure Windows Initiative), I know that we not only did our own internal code sweeps (reviews), but also contracted with several external agencies to supplement that effort.  Seltzer subsequently notes that some folks were “credited” for their bug-finds, but then notes that other vulnerabilities were not credited, acknowledging that some were “privately reported”.  So this brought Seltzer to pose the title question to a “famous researcher”, Dino Dai Zovi, who basically said (or rather implied) no, citing that Apple was “the only vendor he knew of that patches internally found vulnerabilities” – I guess I’ll take his word for it that Dino is famous and credible and knows all the vendors’ methodologies well enough to make his statement.  Of course, for Seltzer “this rang true” since he looked and found out that Microsoft had not credited any internal research sources in vulnerability disclosures in 2009 (which btw begs the question of whether or not crediting internal research is, or should be, the standard to go by, which I’ll be getting to in a moment).   So he asked Microsoft about it directly – nice work Larry (finally a little journalism by someone).   
As you should know, Microsoft confirmed that YES, of course they look for and find vulnerabilities internally (after all, that’s the whole point of SDL, which is mentioned in Larry’s quote from an unnamed Microsoft person).  But curiously, although he acknowledges the fact that MS does internal vulnerability research, he finishes the sentence with “but not so much”, which I can only infer he says because Microsoft doesn’t report (or credit) it in the same way as other vendors (e.g. Apple) who, if you read my last post, may not be the vendor(s) I would be looking at as an example in this area.  One key piece of the vulnerability equation that seems to be ignored here is a discussion on whether or not all vulnerabilities need to be proactively patched, and then whether acknowledging internal vulnerability research is a “best practice” – which seems to be at the heart of his “but not so much” comment as well as his ultimate conclusion.  As you should know, a vulnerability, in and of itself, is not really a problem -- it only becomes a problem when someone develops an “exploit” against it, presumably with malicious intent.  So I would ask, if I know that my program has a certain vulnerability but you do not, is it really a best practice for me to proactively patch that vulnerability and thereby make a de facto announcement of it (when I release the patch) that could be used to develop an exploit against unpatched systems?  Well, apparently Larry and Alex and Apple think so, and if you have the small market share, and thus largely untargeted platform (the security-by-obscurity situation that I’ve blogged about before), that Apple has, you can do this; but to foist that paradigm on everyone is not my idea of a best practice.  Now Larry notes in his next-to-final paragraph that MS08-037 leveraged Microsoft’s “own work in finding the [bug]…”, but then states in his bottom line that “[they] don’t do proactive vulnerability research on their own shipping products”.  
Which conclusion, btw, he arrives at by mentioning that “Microsoft spends a lot of time and money and effort on the security of their products, but they're almost entirely forward-looking about it.", which he then characterizes in a negative light as “neglect” of current products.  I don’t know about you, but it is pretty convoluted in my opinion to say that we “do” a lot of something, but then spin that as neglect because apparently we may not buy into the (proactive) patching paradigm he assumes as a standard.  I would also suggest that his conclusion, which implies that we need to be paying outside folks more to find and report stuff that, btw, wouldn’t be a problem if they didn’t find it (with the intent of publishing it), is also suspect in my opinion, but you can make the call on that – at least you’ll have a counterpoint to consider now.

In my final thoughts, I would urge you to read the quote in the article from the (unidentified) Microsoft person.  The main reason, I would suggest, that most external vulnerability finds are “credited” is because those folks desire the recognition as it adds to their resume (or street cred).  Also, most of them intend to “publish” the vulnerability, which means that Microsoft must proactively patch it.  On the other hand, internally found vulnerabilities are generally not going to be published (and become the basis for future exploits) and thus there’s no reason to spend cycles proactively patching them – at least that’s how I believe we look at it.  And, as the anonymous quote points out, these are all part of the ongoing SDL process.  Also, I’ll bet that most internal Microsoft security researchers are not “in it” for the external recognition, so to spin that anonymity as evidence that supposedly only “other people are finding bugs in their products” and need to be paid more – well, I’m afraid I have a problem with that conclusion per above.  As Larry says at the end, “something’s not right with this”, but I would say that what’s not right is less about how Microsoft approaches vulnerability research and reporting and more about how Larry reports on it.  As always, “you make the call”, but I hope this serves to point out how careful (and critical) you need to be when reading anything online these days (even me <grin again>).

Oh, btw, remember what I said in the past post about the usual uninformed comments – here’s the very first comment on Larry’s post: “Another reason why Windows XP is actually more secure than Windows 7 - outside security analyst have been scouring Windows XP for almost a decade, while Windows 7 has a lot of new code for-which Microsoft basically admits in this article that it's not researching. Now that's security you can trust...NOT![commented by TJ]”  Wow, this would be funny if it weren’t just so wrong on several levels.  Unfortunately there’s probably more than one “TJ” out there who actually believes that XP is more secure than Win7 (and I won’t even comment on his flawed logic).  I couldn’t have come up with a better example of uninformed commentary if I had tried.  Moreover, I’m not sure which article he read to make the statement “Microsoft basically admits in this article that it's not researching…” but the incongruity doesn’t seem to faze TJ.  On the other hand, do read the follow-on comment by CW (in response to TJ) – among other things he points out this article, which I would rate as a must read, Behind the Scenes at Microsoft`s Secure Windows Initiative, especially if you still have any doubts or interest as to how we deal with reported vulnerabilities.   OK, so now hopefully on with my holiday – see you next year.

Here’s some food for thought the next time someone complains about “buggy” Microsoft software, also please check out the recommended reads listed toward the end
28 December 09 12:45 PM | ronaldg

Most of you already know that in this age of Trustworthy Computing (and its Security Development Lifecycle, the SDL) at Microsoft we actually have made tremendous strides in providing not only more secure software but more robust software as well.  Of course, whenever you make a platform change, as we did with Vista, you’re going to run into driver and application platform issues that give the OS the appearance of “bugginess”, but most of you are technical enough to appreciate that driver issues are not a sign of inherent OS problems but rather an indicator of OEM/ISV development weaknesses on one level or another (funny, you seldom hear about driver issues with OSS, but they’re not immune).  In fact, as I’ve toured the country doing live presentations to partner audiences for TS2 over the last 3 years (since Vista), I’ve routinely found that the vast majority of partners were happy with Vista – of course, some had customers with legacy hardware or software issues, but outside of those issues, there was overwhelming support for Vista from a partner perspective.  The trade press, however, fostered a negative perception about Vista that’s all too well known at this point, usually relying on anecdotal and unsupported evidence, which of course has been the subject of many blogs on my part over the last few years.  But what’s really interesting to me is how little the trade press seems to focus on other software vendors who continue to put out vulnerable software that’s developed using the same old dev paradigms that they’ve used since the previous millennium -- no SDL for them, and the results are not at all surprising, other than, as I said, the lack of attention around this that they seem to enjoy (especially our fruit-branded friends).  If you’ve read my posts for some time now you’ll know that the headline “Vista hacked” from a past PWN2OWN contest was actually the result of an Adobe software exploit.  
And you also know that the Apple platform, and browser, only gives the appearance of security (by obscurity, or lack of value due to small market share), and is always the easiest to hack and first to fall in these hacking contests.  Yet, have you ever heard the trade press take Apple or Adobe (as major examples) to task for not doing something like Microsoft’s SDL to improve their dev practices?  So it’s interesting to me, and worthy of a post, when I come across an article like this one that at least highlights the situation.  I recommend this article on ZDNet, 10 Most Vulnerable Software Apps of 2009 [ZDNet].  Interestingly, this is one of the few times I actually found some of the comments worth a read as well.  (Usually the comments are a complete waste of time IMHO, since the vast majority of them seem to be done by uninformed, but highly opinionated, “fanboys” of one ilk or another – and this one has those, but it also includes some that are actually worthwhile.)  One comment (#30 “Where have you been lately?”) does a good summary of the promise of the SDL without naming it specifically.  Of course, the response to him (#31) was the typical uninformed fanboy type.  The main reason I’m recommending this is to highlight that the vendors I called out above are still leading the pack in producing software that’s not as robust as it could be – no, it’s not to point out that there’s no Microsoft app in the list <smile>, but I’m guessing you’ll notice that anyway.  
Of course, no software will likely ever be bug-free, so my point here isn’t to cast aspersions on them because of a few vulnerabilities, but rather to point out that where Microsoft has changed their dev paradigm and is actually on an obvious course to more robust software out-of-the-box, the other vendors, for whatever their reasons, do not seem to feel the need to modernize their dev efforts; so my point, which I’ve made many times before, is that you should be talking to your customers about the strategic implications of this in helping them plan their IT strategies and deployments.  Actually I did some research on this article and discovered something called the X-Force Threat Reports that I wanted to point out in case you weren’t aware either.  One of the commenters referenced the X-Force 2008 Annual Trend and Risk report, which is a little dated now, but I may check back for their 2009 version in the near future.  And, in that vein, don’t forget that Microsoft publishes their Microsoft Security Intelligence Report semi-annually (the last one was published in Nov for the Jan-Jun 2009 time frame) – I highly recommend you download and read the Findings Summary (if you don’t want to wade thru the entire report).  For instance, it really shows how much less vulnerable Vista is than XP (this period was prior to the Win7 launch), and that Trojans are now the primary threat in the US.  And you should also check out the Exploit Trends - Browser-Based Exploits section (pages 9-11) for a very interesting look at how moving to Vista significantly reduces browser vulnerability – check out this excerpt: “Microsoft software accounted for 6 of the top 10 browser-based vulnerabilities attacked on computers running Windows XP in 1H09, compared to only 1 on computers running Windows Vista. 
The vulnerabilities are referenced below by the relevant CVSS bulletin number or by Microsoft Security Bulletin number as appropriate.”  Armed with that knowledge, I’m hoping you can make a strong case for the security benefits of Vista/Win7 over XP in those customer IT conversations I referenced above.

Bottom line, which comes as no surprise to my readers, is that, thanks to SDL, the Microsoft platform (and software), while certainly not perfect, is nonetheless on a trend toward safer and more robust computing than any other platform or major software vendor, and this is a message I hope you’re already sharing with your customers.  As this becomes more well-known and obvious, I’m hoping that many of you will be able to help your customers overcome some of the legacy attitudes (don’t do “dot zero” or “always wait for SP1”) that are keeping them from adopting “modern” technology that will in fact work better and will produce ROI for their IT investment.  Not to mention, help you help them with more advanced remote and management capabilities and just plain more robust software.

Another “you make the call”, is Windows 7 really less secure than Vista?
26 December 09 03:06 PM | ronaldg

As you know, I “hate when they do this”.  Here’s another example of a headline designed to foster a negative perception – this time around Windows 7 interestingly enough (which has generally gotten great press for the most part).  At any rate the title of the post is “Out of the box, Win 7 less secure than Vista” (posted by Adrian Kingsley-Hughes, Dec 10th, on ZDNet blogs).  I’m not even going to link to it, because it’s not really even worth a read.  Essentially, AK-H makes this post on the strength of one quote from Trend Micro CEO Raimund Genes who has the following observation: “I’m not saying Windows 7 is insecure, but out of the box Vista is better…Windows 7 may be an improvement in terms of usability but in terms of security it’s a mistake, though one that isn’t that surprising. When Microsoft’s developers choose between usability and security, they will always choose usability.”

I guess what gets me the most is the final sentence of Genes’ comment above about MSFT “always” choosing usability over security.  Really??  Would you agree that Vista UAC was a “choice” for usability (over security)?  Wow, for the last 8+ years (the Trustworthy Computing era) MSFT actually has been routinely choosing security over usability (here’s another example: when was the last time you had to confirm the download of pictures, or had to deal with other content that was blocked by default?).  Yet, AK-H basically throws Genes’ blanket statement out there for everyone to accept at face value, which gives the statement an aura of credibility – and the fact that he makes this blanket statement in the aftermath of the overwhelming negative usability reaction to UAC in Vista, as I pointed out above, is almost ludicrous, or it would be if folks like AK-H didn’t give it the appearance of credibility by not only publishing it, but, in fact, basing a whole post on it, with the specious title I’ve already called out above.

Bottom line, UAC is still at work in Win7, it’s just the level of notification that’s been changed, so I would maintain that, notwithstanding any of the other improvements made to security in Windows 7, on the basis of just this, it’s not fair to cast the perception that Windows 7 “in terms of security, [is] a mistake”.  His underlying premise that more notification (which is what upping the UAC settings does) = better security is subjective at best and potentially erroneous.  But as is my normal point with these “you make the call” posts, the lack of factual basis, and the reliance on purely anecdotal evidence (in this case a single quote) that’s not adequately vetted, or substantiated is a real disservice to the general readership.  Yet it continues to happen, and when enough of it is out there in the “echo chamber” (as Ed Bott likes to call it), it leads to or adds to many of the negative perceptions that you have to overcome or that keep your customers from making the best technology choices based on objective factors.  OK, so that’s my post.
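If you want to check the “UAC is still at work” claim on your own machines rather than take my word (or Genes’) for it, here is a small PowerShell script I’m adding to this post (it is not from the ZDNet post or from any Microsoft documentation, just my own check).  Both Vista and Windows 7 store the UAC configuration as three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA (is UAC on at all), ConsentPromptBehaviorAdmin (how an administrator is prompted when something needs elevation) and PromptOnSecureDesktop (whether the prompt dims the screen).  The Windows 7 “slider” only moves those last two values; the mapping of slider positions to values in the script is my reading of the defaults, so treat it as an assumption and compare it against your own box.

```powershell
# Added check, not part of the original post. Reads the UAC policy values on Vista/Win7
# and reports the effective level. Works from a normal (non-elevated) prompt.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

$enableLua     = [int]$p.EnableLUA                   # 0 = UAC off entirely (change needs a reboot)
$adminBehavior = [int]$p.ConsentPromptBehaviorAdmin  # how Admin Approval Mode prompts for elevation
$secureDesktop = [int]$p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop

# Documented meanings of ConsentPromptBehaviorAdmin.
$adminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

# Assumed mapping of the three values back onto the Windows 7 slider positions;
# anything else means a custom or Group Policy managed configuration.
$level = if ($enableLua -eq 0) {
             'UAC disabled (slider at Never notify, effective after reboot)'
         } elseif ($adminBehavior -eq 2 -and $secureDesktop -eq 1) {
             'Always notify (same prompting as Vista)'
         } elseif ($adminBehavior -eq 5 -and $secureDesktop -eq 1) {
             'Notify only when programs make changes, on secure desktop (Win7 default)'
         } elseif ($adminBehavior -eq 5 -and $secureDesktop -eq 0) {
             'Notify only when programs make changes, no secure desktop dimming'
         } else {
             'Custom / policy-managed'
         }

[pscustomobject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = "$adminBehavior ($($adminMeaning[$adminBehavior]))"
    PromptOnSecureDesktop      = $secureDesktop
    EffectiveLevel             = $level
}
```

On a default Windows 7 install you should see EnableLUA = 1 with ConsentPromptBehaviorAdmin = 5, versus EnableLUA = 1 with ConsentPromptBehaviorAdmin = 2 on a default Vista install – which is exactly the point: the UAC enforcement (EnableLUA, and with it things like IE Protected Mode) is unchanged, only the prompting behavior differs.  The one slider position that actually turns UAC off is the bottom one, and that is a choice the user makes, not the out-of-the-box state.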

Windows 7 less secure than Vista?  You make the call.  But, as they say in the current vernacular, I don’t think so.

I’ll bet you’ve heard this, but did you know…
08 December 09 01:46 AM | ronaldg

By now I’m betting most of my readers have heard of the “black screen of death”, but did you know that there really is/was no such thing?  And yet, now, it’s likely indelibly etched in your mind thanks to some specious activity by a small and somewhat obscure security company compounded by the sensationalist, and in my opinion irresponsible (meaning no facts), journalistic tendencies of so many of our blogosphere participants, including, sadly, many who should know and do better.  So here we have an extraordinary case of more negative perception, not only undue, but in this case founded on error and untruth.  I think Ed sums it up nicely: “It’s a near-perfect case study in how Internet-driven tech journalism rewards sloppy reporting and how the echo chamber devalues getting the story right.”

So why did I say there was no such thing when you’re probably saying, of course there is, I’ve been hearing about it for over a week now; well, stay with me, I’ll explain why I say that in the next paragraph.   As most of you should know, I’ve been doing counterpoint posts for some time now on articles and press (including blogs) that continually paint Microsoft in an unfair (IMHO) light, especially around security, and many times with no facts to provide even the most basic support for the quotes and assertions that are reported, and unfortunately, taken by many as factual purely because they show up under a presumably credible tagline or authorship.  Well, this current one, the supposed black screen of death, really takes the cake and so I couldn’t let it go unchallenged.  Probably the most definitive response that I’ve seen comes from Ed Bott, who you should also know I think is one of the best and most objective bloggers out there – I’ve referenced him many times in the past, and I suspect many of you probably have already seen his post on this.  If not, PLEASE, see his post, What the "Black screen of death" story says about tech journalism, for an excellent, and factual, account of how this story came about.  But my post isn’t just about piggy-backing (or piling) on Ed’s comments; I wanted to point out something that I want you to consider beyond just the unfactual(?) coverage of this issue that Ed highlighted so well. 

Again, I’ll assume you’ve read Ed’s blog post, so I won’t be going into the same details he did.  But I did want to point out something that is central to the aspect of this that I find so unfortunate, if not downright dangerous from the perspective of readers who tend to put some level of trust in what they read in print.  Notice, as Ed points out, that the original headline was “Black Screen woes could affect millions…”; now notice that when the IDG news service picks up on it and publishes their headline it becomes “Latest Microsoft patches cause black screen of death”.  Did you notice that the original headline only characterized the issue as a “black screen”, and in fact, that’s precisely what it turned out to be, just a black screen.  But now the IDG person decides that it can characterize the black screen issue with the additional verbiage “… of death”, which we all know connotes a system crash (hard stop).  And, of course, from there most everyone just went with this and the rest, as they say, is history.  Of course, it was not a registry corruption, as was originally proposed, and it turned out not to be a system crash in any form, so there you have my tale of why I maintain there never was a true “black screen of death”, yet I’ll wager that you’ve never heard of this issue referred to as anything but the “KSoD” (K standing for black to differentiate from B for blue in BSoD).  And that, my friends, is how perception can work – as Ed points out, within a couple of days “More than 500 separate posts on mainstream tech sites and in blogs have amplified the original story, most of them simply repeating the accusations from the Prevx blog post with no original reporting or fact-checking. The story has now taken on a life of its own.”

I guess the good news is that this one got exposed big-time, and may well have reflected more poorly on its progenitors than on Microsoft, but still I hope this can be used as an example of why your customers should be wary of the stuff they might see online. 

WOW, as usual I wait a day (after I write a post) before I actually post anything that’s not time-sensitive, and in this case, it turned out to be fortuitous, or perhaps uncanny.  I just saw this follow-up from Ed Bott around the topic above, The 'black screen of death': fact, fiction, or FUD?  As you might expect, I highly recommend this post as an additional read.  Here’s his very first line: “Here’s what you need to know about the so-called Black Screen of Death: There’s no such thing.”  His thrust is more on the technical side of what constitutes a “BSoD”, whereas my point was more around the issue of how negative perception gets created, but I was still pretty floored when I saw his opening.  One interesting tidbit that came out of his post is that “black screen of death” was likely coined almost 20 years ago and that “The black screen of death has been present in all versions of OS/2” (from Wikipedia), and even Apple appears to have “black screen” issues, as Ed points out.  But I’ll bet if you ask anyone today, they’ll most likely say it’s a uniquely Microsoft issue, and that’s my point about the unfortunate, and undeserved, perceptions that you and I deal with as we try to help folks understand the quality and value of Microsoft’s post-SDL technology.