• „Scareware“ on the Rise

    We have regular ConfCalls with our security support to exchange trends and issues we see. During the last one we had an interesting discussion I would like to share with you: We seem to get a hell of a lot of calls, mainly from the consumer segment, with Virus/Trojan/Spyware infections. The way they get the malware is a pretty well-known one: You go to a web page which is telling you that your PC is infected by malware and that you have to install the "protection software" immediately – which then installs the malware. That's the reason why we call this software "Scareware". There are two things which frighten me:

    One is that it shows how easily social engineering works (once again).

    But the second one is much more frightening: The malware installed is by far not sophisticated. It is usually pretty old and well known. Therefore every AV scanner would detect it easily and prevent it from being installed. This tells us that there is still a high percentage of people not running AV software on their PC… For years we have been telling our customers that you have to do at least three things to run your system: use a firewall, keep your software updated, and run anti-malware software and keep it updated. Similar things are true for ISPs. Why do people still not do it? Is it the money?

    Roger

  • Why I do not like e-Voting

    As you know, I am Swiss. Switzerland is known as being one of the most direct democracies in the world. It is not uncommon for us to have (or be allowed) to vote every other month, as there are a lot of ways to influence what our politicians and/or our government do. This often makes the system pretty slow, but I really, really like it.

    When I was working for PricewaterhouseCoopers years ago (I think it is around 10 years ago now), the discussions around e-Voting started to come up. People loved it – and I hated it. Let me tell you why: We have (here in Switzerland) several options to vote: We can go to the local community early during the week before a vote and hand our votes in. We can send it via post (which I use most often) or hand the vote in on the voting weekend. There is a lot of effort then going on to count the votes and we usually have the results ready on the voting weekend around 5pm or 6pm. So, the system works well but there is significant manual work involved, I know. The key thing here is that this process is at the heart of our democracy. If this process is broken (or just not THAT trusted anymore) this would be a significant problem for our country.

    Now there were a lot of politicians who loved to talk about e-Voting (without really knowing the consequences, in my opinion) as it gave them the touch of being modern, technology-aware etc., and there were trials in different states here in Switzerland which were pretty successful.

    Why am I still against it? Well, I am convinced that these systems can be built in a more secure way than the old process. Manually counting votes is flawed, we know that. But guess what: We learned to live with that a long time ago and trust this system. Do we trust a computer counting the votes? I do not think so. Do we trust a computer not losing votes if we have to do a recount (which happens from time to time here if the result is close) – hmm, I guess not.

    And looking at recent articles, I think we are right: "Diebold comes clean, admits that its e-voting machines are faulty"; "Mom, Can My Voting Machine Spend the Night?" (people taking voting machines home); "Why Election Technology is Hard" (Bruce Schneier).

    So, it is by far not a technology problem but a trust problem. And guess what: I am a geek and I love technology – I will still use paper to vote!

    Roger

  • Servers still not patched

    I just read an article this morning, "Linux servers under the Phalanx gun: A problem with people, not code". There were quite a few things which made me think when I read it:

    There was a statement in there which I – obviously – did not like at all: Linux may be inherently more secure as a system, which is always an interesting discussion. The guy writing the blog post claims that Linux is easier to secure than Windows, which I completely disagree with. If you know what you are doing, you can secure each and every system. However, we do a great deal of work to make sure that our systems are as secure as possible by default and additionally provide you with tools (like the Security Configuration Wizard) to make sure you can secure the system as far as possible and additionally run as securely as possible. We know and proved it with a lot of figures that our systems have far fewer vulnerabilities than others (e.g. http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx) and third-party research showed clearly that our systems are less at risk than others.

    But as I commented several times already, this discussion does not really lead to more secure systems but just some entertainment for people who like these debates.

    Coming back to the article above: One of the conclusions in the article is that patching is often a people and process problem, rather than a technology problem. This is not new either. The question to me is, why do people not deploy? We do customer surveys about their satisfaction with Microsoft every now and then. People are still not too satisfied with the security of our products. So, there is still a lot of work to do. However, if we then ask whether our updates are easy to deploy, we get a very, very high rating all across the segments and audiences. So, why do they not deploy? Is it because they are afraid of the downtime? Could be, so we have to work harder to reduce the number of reboots (is this different in other OSes? I do not know but I doubt it). Is it the tools? Is it lack of knowledge? Is it ignorance?

    I do not know but would love to understand.

    Roger

  • IE8 – a new Set of Privacy Features

    As you (hopefully) know, the release of Internet Explorer 8 is coming closer. One thing we always look at is how to make surfing more secure and more private. The IE team just launched a blog post on the InPrivate features of IE 8 which is definitely worth looking at: IE8 and Privacy

    Roger

  • Your PIN on the Internet

    Yes, it is true: There is somebody who publicly put known PINs on the Internet. I bet yours is there too: http://www.positiveatheism.org/crt/pin.htm

    Roger