<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Rick Kingslan - Will Hack 4 Food : General Commentary [Rant Alert!]</title><link>http://msmvps.com/blogs/willhack4food/archive/tags/General+Commentary+_5B00_Rant+Alert_21005D00_/default.aspx</link><description>Tags: General Commentary [Rant Alert!]</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>A General Lack of Focus.....</title><link>http://msmvps.com/blogs/willhack4food/archive/2005/07/07/56664.aspx</link><pubDate>Thu, 07 Jul 2005 19:59:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:56664</guid><dc:creator>rickking</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/willhack4food/rsscomments.aspx?PostID=56664</wfw:commentRss><comments>http://msmvps.com/blogs/willhack4food/archive/2005/07/07/56664.aspx#comments</comments><description>&lt;P&gt;For anyone that has been on this particular blog in the last, well, really long time - I've not been too active with it.&amp;nbsp; And, that generally could be taken as a gross understatement by even the least observant among us.&lt;/P&gt;
&lt;P&gt;However, I suspect that I won't be posting to this blog for much longer, because it, too, will likely be lost when the rest of my MVP benefits are revoked.&lt;/P&gt;
&lt;P&gt;Yes, all - it is true.&amp;nbsp; I am losing my MVP status.&amp;nbsp; It pains me to have to announce that I will probably not be able to attend Summit, and will only be able to carry on the face-to-face conversations that I've had with many folks over the years via e-mail.&lt;/P&gt;
&lt;P&gt;And, make no mistake about it - it sucks to lose MVP status.&amp;nbsp; I have valued it and have carried it with a great deal of pride.&lt;/P&gt;
&lt;P&gt;But, it is time to move on.&lt;/P&gt;
&lt;P&gt;The reason for this happening?&amp;nbsp; Much like Alun Jones, Philip Renouf, and many other incredibly bright and talented people, I&amp;nbsp;accepted a position with Microsoft.&amp;nbsp; I start July 11&amp;nbsp;as a Consultant in the MidAmerica Region of Microsoft Consulting Services.&amp;nbsp; I get to stay in Omaha (bonus for the wife and kids) but will likely travel a bit.&lt;/P&gt;
&lt;P&gt;As to the MVP - it's VERY bittersweet.&amp;nbsp; But, all in all - it's a fair trade.&lt;/P&gt;
&lt;P&gt;And, to that - I owe MANY of you a very BIG thank you.&amp;nbsp; I've learned from many of you - possibly through your trials that we worked through in lists, Web based forums, news groups, voice and face to face.&lt;/P&gt;
&lt;P&gt;Thank you.&amp;nbsp; I'll not be a stranger - just a new e-mail alias!&lt;/P&gt;
&lt;P&gt;Rick&lt;/P&gt;
</description><category domain="http://msmvps.com/blogs/willhack4food/archive/tags/General+Commentary+_5B00_Rant+Alert_21005D00_/default.aspx">General Commentary [Rant Alert!]</category></item><item><title>Dwelling Pronto - My Absence Explained</title><link>http://msmvps.com/blogs/willhack4food/archive/2003/10/21/372.aspx</link><pubDate>Tue, 21 Oct 2003 09:27:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:372</guid><dc:creator>rickking</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/willhack4food/rsscomments.aspx?PostID=372</wfw:commentRss><comments>http://msmvps.com/blogs/willhack4food/archive/2003/10/21/372.aspx#comments</comments><description>&lt;p&gt;Many of you that know me know that I am very active in circles where my expertise is strong.  Over the past 6 months, I've spread a little further into the Security realm, and this has been an eye opening move.  However, it's also a good growth step.&lt;/p&gt;
&lt;p&gt;But - this has nothing to do with any of this.  My wife and I have purchased a new house and we are busily trying to get our current one on the market by the end of October.  I live in Nebraska, and once Football season starts and the snow flies, the house market begins to slow.  Football season has started, so all I'm waiting for is the snow to assure that houses will go unsold until the Nebraska tundra turns green again.&lt;/p&gt;
&lt;p&gt;So, if this space is sparse (I'm still trying to figure out the theme and direction.... this blogging is nowhere near as easy as I thought it was going to be.  It requires CREATIVE thought.  ;o), you know what I'm doing.  Also, once we get into the new house - Mid-January to Early February, I'll post some pictures.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Rick Kingslan&lt;/strong&gt;&lt;br /&gt;Microsoft MVP - Active Directory&lt;/p&gt;
</description><category domain="http://msmvps.com/blogs/willhack4food/archive/tags/General+Commentary+_5B00_Rant+Alert_21005D00_/default.aspx">General Commentary [Rant Alert!]</category></item><item><title>Coming to a Theater Near you!  Linux vs. Windows - Part 10,000,562</title><link>http://msmvps.com/blogs/willhack4food/archive/2003/10/16/299.aspx</link><pubDate>Thu, 16 Oct 2003 10:11:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:299</guid><dc:creator>rickking</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/willhack4food/rsscomments.aspx?PostID=299</wfw:commentRss><comments>http://msmvps.com/blogs/willhack4food/archive/2003/10/16/299.aspx#comments</comments><description>&lt;p&gt;Like a bad horror flick sequel, the argument keeps getting dredged up, propped into position, and sent out on its merry way to cause senseless death and destruction.  The initial arguments of 'My OS is better than your OS' were bad - now they're just getting ludicrous.  And, much like the junk that Hollywood churns out to continue movie franchises that never should have made it past the first movie, the battle just moves to more unbelievable territory.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.securityfocus.com/columnists/188"&gt;Linux Camp &lt;/a&gt;will have you believe that Linux, by default, by design, by golly, is more secure.  It's not subject to worms, virus attack, Act of God, or bad hair days.  If you mess it up - it's your fault.  Now, that's a way to win friends and influence people.  But, we're going to get to that - it's an endemic problem.&lt;/p&gt;
&lt;p&gt;Similarly, the &lt;a href="http://www.securityfocus.com/guest/23028"&gt;Windows Camp &lt;/a&gt;would have you believe that Windows is now 'Secure by Default', is a strong contender in the secure OS arena, and is just the victim of bad publicity by folks that just don't like the idea that a publicly held company wants to protect its intellectual property to make money.  I really hate it when capitalism and the American Way creates a roadblock to progress.&lt;/p&gt;
&lt;p&gt;Two articles, point and counter-point, (I wonder if these folks will get sued by 60 Minutes?  I mean, why not?  I'm sure that 60 Minutes is just as litigious as the rest of America, and it just seems chic these days to sue a computer company or computer people in general.) present good arguments either way.&lt;/p&gt;
&lt;p&gt;One proposes that Microsoft's Windows is a festering pool of code, waiting to be infected by worms, virus, demons, and should be spewing pea soup anytime soon.  The other defends the Windows OS by proposing that Windows is not the only OS that has issues with exploits and exposures - in fact, Linux has 3 to 5 times the number of vulnerabilities as Windows.  In both articles, the browser seems to come under direct fire, and rightly so.  IE (Internet Exploder) in this corner, Mozilla (Bugzilla) in this corner.  Freddy vs. Jason.....&lt;/p&gt;
&lt;p&gt;All in all, the articles present compelling evidence that, regardless of which OS you choose, it's probably a good idea to be security aware.  Wow - like this is some kind of earth-shaking revelation.  Anyone who has spent more than 3 days supporting an OS in a business setting is aware of this.  It's like watching that horror flick and really being surprised that the villain has to be killed 5 different times at the end of the film just so the one lone heroine can walk proudly (though drenched head to foot in water, mud, blood, etc) out of the house at dawn.  Yawn.&lt;/p&gt;
&lt;p&gt;The mantra that Microsoft put out as the initial rally cry, even in advance of the now famous Bill Gates memo on the &lt;em&gt;'Trusted Computing Initiative',&lt;/em&gt; is &lt;strong&gt;'Get Secure, Stay Secure'&lt;/strong&gt;.  &lt;a href="http://msmvps.com/willhack4food/posts/241.aspx"&gt;I've been critical of this particular stance &lt;/a&gt;in light of the fact that illegal software cannot be patched in the primary methods that Microsoft proposes to make the task easier, but the stance of getting and staying secure is a correct one.  The challenge is how do you get all of those 600 million copies of Windows  secure?  And, to that same point, how does one keep those uncounted numbers of Linux secure?  Again, putting on the OS agnostic hat, an insecure system is an attack platform just waiting for the launch orders to be given.&lt;/p&gt;
&lt;p&gt;Should all computers have a smart card reader (non-removable - unless however, you don't mind destroying the system) attached - and the OSs made aware of the requirement and refuse to work if a valid smart card is not available?  Think about it - if a smart card is REQUIRED to operate the PC, then we can start treating this like a Driver's Exam.  Show us that you can &lt;em&gt;Safely&lt;/em&gt; and &lt;em&gt;Securely&lt;/em&gt; operate your PC, and that you know HOW to update the system - then a smart card will be issued to you.  If you go out of security compliance, or you operate your PC in a manner which harms others - Zap!  Certificate revoked, thanks for playing.&lt;/p&gt;
&lt;p&gt;Yes, I know - literally impossible to implement.  Plus, the technical challenges are far from trivial, or even manageable.  It's also impossible to enforce.  If I can't get Porn Mongers out of my Library, how the heck am I ever going to convince anyone that 'Certified Computer Operator' is a good idea?&lt;/p&gt;
&lt;p&gt;So, barring this - let's just blame the OS.  Clearly the OS must be the problem.  Obviously, the code is faulty (and, yes - in some cases it is - I've said this before, Get over it.  People write code.  People err.  Any questions?)  I'd suggest a different tack.  Stop blaming the OSs and start attacking the real problem.  Educate &lt;em&gt;People.  &lt;/em&gt;Last I checked, someone still had to set up and operate the computer.  Or, did I really miss something, and the machines have taken over and I just haven't been put into my little pod in the 'energy collection tower'?&lt;/p&gt;
&lt;p&gt;I guess if that happens, the fight over the OS is going to end.  It's about time.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Rick Kingslan&lt;/strong&gt;&lt;br /&gt;Microsoft MVP - Active Directory&lt;/p&gt;
</description><category domain="http://msmvps.com/blogs/willhack4food/archive/tags/General+Commentary+_5B00_Rant+Alert_21005D00_/default.aspx">General Commentary [Rant Alert!]</category></item><item><title>The Issue of Illegal Software and Patching</title><link>http://msmvps.com/blogs/willhack4food/archive/2003/10/14/241.aspx</link><pubDate>Tue, 14 Oct 2003 11:32:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:241</guid><dc:creator>rickking</dc:creator><slash:comments>9</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/willhack4food/rsscomments.aspx?PostID=241</wfw:commentRss><comments>http://msmvps.com/blogs/willhack4food/archive/2003/10/14/241.aspx#comments</comments><description>&lt;p&gt;In Omaha, NE (the quaint city in the middle of nowhere that I make my home), we have really only two claims to fame.  We've got a really cool Air Force Base just south of the city, &lt;a href="http://www.stratcom.af.mil/"&gt;Offutt Air Force Base &lt;/a&gt;which is the home of STRATCOM.  You might remember it - Offutt AFB is where President Bush went on 9/11/2001 to determine what the threat was and to confer over super secure, super secret communications equipment with his advisers, while sitting in the security of a bunker complex that would awe the general public beyond belief.&lt;/p&gt;
&lt;p&gt;But, to many football (and non-football) fans Nebraska's real claim to fame is what is in a city just 45 minutes South West of Omaha - Lincoln, NE - Home of the &lt;a href="http://www.unl.edu/unlpub/index.shtml"&gt;University Of Nebraska at Lincoln&lt;/a&gt;, or just NU.  Yeah, &lt;strong&gt;The Huskers, The Big Red&lt;/strong&gt;.  And, folks in Nebraska take the Big Red very seriously.  In some cases, it's taken to an unhealthy obsession, but that's just my opinion.  For goodness sakes - it's just a game played by a bunch of young 18 - 25 year old guys.&lt;/p&gt;
&lt;p&gt;I do know one other thing - when you get a collection of 18 - 25 year old students together, away from home for the first time, lots of things are going to happen.  One of those things will be something that seems so innocent, so trivial - they are going to find and steal software.  IRC, alt.warez newsgroups, their buddy, mail order from Hong Kong - doesn't matter.  Students typically don't have a lot of cash, and sometimes, once you're out from under the watchful eyes of Mom and Dad - morals slip.  Yes, I know that this is a shock to many of you (OK, unless you watched &lt;a href="http://www.imdb.com/title/tt0077975/"&gt;'Animal House' &lt;/a&gt;- trust me - it's closer to the truth than you really want to know.....)&lt;/p&gt;
&lt;p&gt;Many of the copies of Windows 2000, Windows XP, Windows Server 2003 that are in the dorms and off-campus apartments of the typical college student are not 'legally obtained or rightfully owned' copies.  This may come as a huge surprise, but students steal.  And, they also share the wealth.  But, this is not unique to Lincoln, NE.  This is rampant across the country, and I dare say, is even more prevalent outside the United States.&lt;/p&gt;
&lt;p&gt;I traveled to Japan on business a couple years ago and was able to make it to the &lt;a href="http://www.geocities.com/janetleeds/akihab.html"&gt;Akihabara&lt;/a&gt; district of Tokyo.  This area of the city is known as an electronic mecca where shops the size of a WalMart down to those the size of a closet co-exist.  We're talking blocks and blocks of nothing but shops catering to the electronic and computing nerd and consumer.  And, you can buy ANYTHING on any given day if you know who to ask.  Illegal software is just a &lt;em&gt;nudge, nudge wink, wink&lt;/em&gt; away.  And cheap, too.  $15 to $30 US is what I found typical for a copy of Windows 2000 Pro.  Windows 2000 Server, $50 US.  Granted - no warranty, no support, no return - all sales final, blah, blah.&lt;/p&gt;
&lt;p&gt;By now, you're wondering what the heck is he getting at?  Is there a point to all of this?  Yes.  There is.  We know and are all very aware that Microsoft has been beating the drum for patching our systems: &lt;a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp"&gt;'Get Secure, Stay Secure'&lt;/a&gt;.  But, honestly - this only works if everyone does it, too.  I can train a monkey to go to Windows Update and to get the latest and greatest updates, and security fixes.  It's not hard - my 70 Year old Mom can handle this one (no comparison between you and the monkey here, Mom - honestly!).&lt;/p&gt;
&lt;p&gt;But, are you aware that the illegal software from Windows XP and onward cannot go to Windows Update?  Microsoft does 'blacklist' the illegal keys, and will not service a system that has not been properly activated via WPA (Windows Product Activation).  Most illegal software has been circumvented in some manner that is not going to allow it to be properly activated - and those who steal it aren't interested in doing so anyway.  Therein lies the crux - if you're blacklisted, no updates.  If you don't activate, no updates.  How many of these illegal systems are attached to the Internet, would you suppose?  How many are attached to networks with fully compliant and legal netizens?  How many are on your local cable segment with a clear shot at you once they are infected with Nachi, MSBlaster, or worse?&lt;/p&gt;
&lt;p&gt;The counter-argument to this is - Microsoft has every right to protect their intellectual property and not allowing the software to be updated is one way to force users into compliance.  In my opinion, I fully support the right to protect the property, but the whole argument doesn't hold water.  If the illegal software is infected AND does damage to other systems, then who really gets hurt?  The thief, or the law abiding citizen?&lt;/p&gt;
&lt;p&gt;I said in one post, arguing this point, that &lt;strong&gt;I'm not willing to be the innocent bystander who gets hit in the forehead  by a bullet in the war on piracy.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Anything that is going to apply a Security Patch must be allowed on all systems - legal or not.  Make no mistake - I'm not advocating making it easy on thieves.  I think they should be caught and prosecuted fully.  And, that they should not be gaining any added function and feature through service pack or other enhancement.  However, it's been a stated policy that there will be no added feature or function to Service Packs, but we'll see if that trend truly continues.&lt;/p&gt;
&lt;p&gt;Microsoft, you lose nothing by allowing hot-fixes and security patches to be applied to illegal systems.  You gain EVERYTHING in the public eye BY allowing patching of ALL systems.  If the interest in continuing to look like the newer, kinder Microsoft is truly accurate, then this is a big step in the right direction.  Your number one priority in the Security game must be to secure the current products.  Your second, but a very parallel, goal must be to “Cause no harm”.  Until you have all systems patched, you will cause harm by inaction.  Can you really afford that?&lt;/p&gt;
&lt;p&gt;Do the right thing - allow the patching of all systems, regardless of legal status.  Protect your customers from those who steal from you.  We're just the innocent bystanders.&lt;/p&gt;
&lt;p&gt;Rick Kingslan&lt;br /&gt;Microsoft MVP - Active Directory&lt;/p&gt;
</description><category domain="http://msmvps.com/blogs/willhack4food/archive/tags/General+Commentary+_5B00_Rant+Alert_21005D00_/default.aspx">General Commentary [Rant Alert!]</category></item><item><title>Partner Event Sees New Directions in Security initiative</title><link>http://msmvps.com/blogs/willhack4food/archive/2003/10/10/181.aspx</link><pubDate>Fri, 10 Oct 2003 11:50:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:181</guid><dc:creator>rickking</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/willhack4food/rsscomments.aspx?PostID=181</wfw:commentRss><comments>http://msmvps.com/blogs/willhack4food/archive/2003/10/10/181.aspx#comments</comments><description>&lt;p&gt;Microsoft CEO Steve Ballmer addressed the &lt;a href="http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp"&gt;Worldwide Partner meeting in New Orleans&lt;/a&gt;, indicating that the next front for the security initiative is on the desktop - providing more tools and..... oh, yeah - that patch management thing again - in trying to stem the tide of difficulties that the Company has faced.&lt;/p&gt;
&lt;p&gt;During his keynote, he asked how many people had deployed SUS (&lt;a href="http://www.microsoft.com/windowsserver2003/sus/default.mspx"&gt;Software Update Services&lt;/a&gt;) internally, and to customers?  Getting the response, he indicated that this was the point he had been making to his internal people - that it wasn't getting done.  But, there was one more question to quantify what he thought he already knew:&lt;/p&gt;
&lt;p&gt;“How many people really KNOW what Software Update Services 1.0 is?  OK, that's kind of what I was afraid of....”&lt;/p&gt;
&lt;p&gt;These are the PARTNERS, folks.  These are the people that train, consult, develop - if they don't know what it is, how does anyone in Redmond truly expect that the average small to medium business (not to mention Mom and Pop shops) is going to?  &lt;/p&gt;
&lt;p&gt;I know from personal experience that SUS is a good tool.  It's not great - but I'm anxiously awaiting SUS 2.0 - due maybe Q1 2004.  But, it's a lot better than a team of techs going from machine to machine with a floppy, CD, USB storage device, what have you.&lt;/p&gt;
&lt;p&gt;In my most humble opinion, the response in New Orleans indicates one good reason why security is a problem on Windows systems:  The tools that are available are not being leveraged.  Point the blame where you will, but the bottom line is Microsoft cannot patch your machine for you.  That's your job.  If you think that Windows or Microsoft products in general are the only ones with problems, I suggest you take a look at a more impartial outlet - say, SANS?  They published the &lt;a href="http://isc.sans.org/top20.html"&gt;Top 20 Vulnerabilities&lt;/a&gt;, 10 going to Windows / Microsoft, the other 20 going to *NIX.  Oh, and just for fun - trot over to Red Hat and see how many security bulletins are posted for their Linux 9.0 - 53.  Yes, that is a Fifty, with a Three added on.  I'm not bashing Red Hat or Linux in general - I'm simply trying to bring things into perspective.  I admit that Windows has problems - but the work continues to correct the issues - political, technical, monocultural.&lt;/p&gt;
&lt;p&gt;Operating systems, regardless of who puts them out, are vulnerable to flaws.  That's it - simple, concise.  The good thing is that there are smart people out there (and whether it's for personal gain or not - I don't really care) who report these flaws.  Some are reported to the vendor (Microsoft, Red Hat, etc), and then findings divulged with the vendor and credit given, while others are posted directly to the public forum.  Obviously, some get their tail feathers ruffled by the latter.  If the outcome is a patch to fix the hole, it's a 'good thing(TM)'.&lt;/p&gt;
&lt;p&gt;Humans write code, humans make errors, code has errors.  Remember the movie “&lt;a href="http://www.imdb.com/title/tt0070909/"&gt;Westworld&lt;/a&gt;” (OK, not Oscar material - whatever) “&lt;strong&gt;Where nothing can possibly go worng”&lt;/strong&gt;  That's your software development cycle in action - and after the product has shipped.  &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Rick Kingslan&lt;/strong&gt;&lt;br /&gt;Microsoft MVP - Active Directory&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/willhack4food/archive/tags/General+Commentary+_5B00_Rant+Alert_21005D00_/default.aspx">General Commentary [Rant Alert!]</category></item></channel></rss>