All the stupid people. Where do they all come from?

Campaign to Re-Educate the Public


Opinion Microsoft's best chance for regaining the revenue lost to security concerns isn't in eliminating bugs, writes SecurityFocus columnist Tim Mullen.

Two years ago I wrote about how security would become critical to the success of Microsoft, and how the challenge of combining "simplicity and security" would represent the highest costs in IT.

For what is apparently the first time in Microsoft's financial disclosure history, the company has reported that security issues, or more appropriately insecurity issues, have directly affected their balance sheet in a negative way. Though quarterly stock earnings were up from last year (and above industry projections), Microsoft has identified losses of approximately $700 million in unearned revenue from non-renewed contracts in product futures. This was primarily attributed to industry concern over recent product vulnerabilities and other security-related problems.

Microsoft bashers will be quick to say things like: "All of Microsoft's revenue is unearned!" But that's just because they don't know any better. The truth is that from a business perspective, Microsoft does an excellent job in their support of customers and partners.

Even so, revenue has been lost, and it is due to customer perception. It isn't a critical hit -- most companies do not get to enjoy unearned revenue; they're lucky if the earned revenue is enough to keep them in business. But this is significant because it marks a time when businesses are finally taking security into account when making their purchases. It shows that the industry is maturing -- that it's ready to hold someone accountable for bad security.

Now that they've grown up, all we have to do is educate the corporate masses to point their fingers at the right places: Not at Microsoft or other vendors, but at themselves.

That's right: education -- not some software Manhattan Project to eliminate buffer overflows -- is what's needed here. The reason most vulnerabilities become issues is because the products are used by people who don't know what they are doing.

Village Idiots

This may get the ire up on some anti-Microsoft zealots, but to be honest, I really don't care. After my last column about the CCIA report, I received many an email from Linux aficionados telling me how fatally flawed the architecture of Windows was. I was amazed at how totally ignorant some of these people are to what the Microsoft reality is -- it seems that many still think the Windows operating system is synonymous with Windows 95. News Flash: It's 2003, time to grow up and get a place of your own.

But Microsoft is not trying to win these people over. In fact, some of the company's worst enemies are the ones who are already their clients.

A case in point comes from a notice in the latest SANS NewsBites. It seems a buddy of Stephen Northcutt's works for a company that has a "C-Level executive" mandating that RPC and NetBIOS not be blocked at the border routers or firewalls. (The editor's note says "between organizations," but the full memo shows that this is the desired configuration over the Internet.) This is so Exchange servers at different sites can communicate over RPC and executives can easily use file sharing. SANS is soliciting solutions for this quandary.

Here's mine: Fire the dolt.

For one thing, you don't block ingress ports on firewalls -- they should all be blocked by default already. You allow them when you have to, and only when you have to.

But regardless of the default firewall policy, any executive who mandates that RPC and NetBIOS be opened at the gateway in order to make file sharing easy needs to find a village missing an idiot, and move there.
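To make the default-deny point concrete, here is a small policy audit, added as an example and not taken from the column or from SANS. It models a border ruleset with first-match evaluation and flags exactly the configuration the executive mandated: RPC and NetBIOS/SMB ports allowed from the whole Internet. The port list, the two sample policies and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are all constructed for the example.

```python
"""Audit a border-firewall ruleset for the default-deny, allow-only-what-you-need
principle described above. Added example; the policies below are constructed."""
from dataclasses import dataclass
import ipaddress

# Services that never belong open at the Internet border (constructed list):
# the MS-RPC endpoint mapper and the NetBIOS/SMB file-sharing ports.
EXPOSED_SERVICES = {135: "MS-RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
                    139: "NetBIOS-SSN", 445: "SMB"}

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR; "0.0.0.0/0" means the whole Internet
    dport: int    # destination TCP port

@dataclass
class Policy:
    default: str  # action taken when no rule matches
    rules: list

def decide(policy, src_ip, dport):
    """First-match evaluation of an ingress connection; fall back to the default."""
    ip = ipaddress.ip_address(src_ip)
    for r in policy.rules:
        if r.dport == dport and ip in ipaddress.ip_network(r.src):
            return r.action
    return policy.default

def audit(policy):
    """Return findings: a non-deny default, and any allow of an exposed service from 0.0.0.0/0."""
    findings = []
    if policy.default != "deny":
        findings.append("default action is not deny")
    for r in policy.rules:
        if (r.action == "allow" and r.dport in EXPOSED_SERVICES
                and ipaddress.ip_network(r.src).prefixlen == 0):
            findings.append(f"{EXPOSED_SERVICES[r.dport]} (tcp/{r.dport}) allowed from the whole Internet")
    return findings

# The executive's mandate: RPC and file sharing reachable from anywhere.
MANDATED = Policy("deny", [Rule("allow", "0.0.0.0/0", 135),
                           Rule("allow", "0.0.0.0/0", 139),
                           Rule("allow", "0.0.0.0/0", 445)])
# A sane border: only the public web service, plus IKE from one known partner
# gateway so the site-to-site Exchange traffic rides a VPN instead of raw RPC.
SANE = Policy("deny", [Rule("allow", "0.0.0.0/0", 443),
                       Rule("allow", "198.51.100.7/32", 500)])
```

Running `audit(MANDATED)` yields three findings, one per exposed port, while `audit(SANE)` yields none and still denies tcp/445 from any Internet address.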

And this is probably the same guy who did not renew his contract with Microsoft because his company got hit with Blaster.

Microsoft isn't the problem. The problem is the executive who doesn't want to pay for security to be implemented properly, who mandates ridiculous policies, and who ultimately refuses to do anything that provides any real level of security. These are the people who don't take the time or commit the resources to ensure that the products they use -- the ones they have become dependent upon -- are being administered by those with security training. Then they blame all their woes on the vendor, while making their staff suffer through the effects of their poor judgment.

This is why the next big step for Microsoft should be in the arena of security education -- right behind patch management. Look for this shift soon, as this time, right or wrong, security is hitting Microsoft's bottom line.

If this kick in the Microsoft wallet has the end result of increasing security, then it's ultimately a good thing. Even if we have to lose a clueless executive or two along the way.

SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
