Michael Howard - What if we had an unattackable system?
- Posted: Apr 05, 2004 at 9:42 AM
- 23,337 Views
- 10 Comments
What if Michael Howard's job became obsolete? After all, he's the top security official at Microsoft. What would the bad guys do if the system itself became unattackable?
Follow the Discussion
"This network would be so great, if it weren't for the users" - Random System Administrator
Humans started the fight. They are the ones that write virii. To attempt to write an un-hackable system with no security bugs sounds like a fool's errand. Hence the need for Firewalls, IPSec, and System.Security.Cryptography and why VoIP (at least in MSN Messenger/Netmeeting) and peer-to-peer sucks.
These comments make a huge difference in my views about Microsoft's stance on security. I still think the focus on security has been a long time coming in Microsoft software. I realize that there are only so many people who can put only so many hours into making the programs we use but I think a reasonable request from the users would be that developers listen to Howard's comment.
It seems to me that time and money are often spent in the wrong place. The developers of Outlook spent time writing warnings about opening attachments and even made attachments an optional feature (to be enabled by the user manually) but that time may have been better spent on improving the internal workings of the application to withstand more subtle attacks.
When users run attachments they do so at their own risk. It is not Microsoft's responsibility to prevent users from breaking their own system. Car manufacturers don't control the brakes and steering of the cars we drive. The cars don't crash themselves... nor do they speed and run red lights.
Maybe Microsoft should spend time on user education rather than locking down the system. If my mother saw an ad on TV telling her not to run email attachments unless she knows what they are she would probably be more receptive than when she calls me up and says "Why won't Outlook let me open any attachments?"
It's a shame that we have to address network and application security in terms of the least common denominator. But my experience and that of others in the tech support community have proven out that it is the best course of action.
Take a look at the latest waves of email-viruses: They are disguised as error messages from email-servers or antivirus-filters and even educated users tend to open these messages. The more educated the users get, the "better" the viruses, trojans, etc. will get.
At this point only the combination with secure software and a secure software will do the trick and provide an acceptable level of overall security. The important thing is not to wait for the users to get more educated before you make your systems more secure or the other way around. This has to be a development that goes hand-in-hand.
I completely agree with you, even educating end users will not solve all security problems. It may, at best, help to mitigate security issues, but not solve them.
As soon as the newest security updates or software come out, I am one of the first people wanting to evaluate them. Although, as far as security patches go, it's pretty hard to get a straight answer out of Microsoft as to whether or not the updates will have a negative effect on an Exchange Server!
I agree that educating the end-user is one of the most important aspects in computer security but it only works if the system itself is secure enough.
Who is to say when a system is secure enough?
When that system does not get hacked as often as some baseline?
When a blue ribbon panel of 'EXPERTS' says it's secure?
Sure we all have our own ideas of the answer for that question but you can't protect the user from themselves. Users want it all, people. They want their cake AND they want to eat it as well. Take away their email with all of its bells and whistles, and you will have a revolt on your hands. You can educate them on the do's and don'ts of opening and executing email attachments, you can tell them to log off of their machines when they are away, you can tell them all that stuff. You can spend real money training them on all of this and a certain percentage will NOT get the message.
I can almost hear it now...
"You just launched the pink slip virus bla bla bla"
Training users on these points encounters the law of diminishing returns. Some people will never get the message. I am not sure but I think these folks are like the folks who rush off to the beach during a hurricane.
Mr Howard is right on when he says the social vector for an attack has perhaps the most potential for damage because through it lies the exploitation of what is perhaps the only sure thing next to death and taxes, human nature.
my 2c
Impossible! I believe! Rules need to be broken, like it's said in great books. So hackers do that same job.
An unattackable system in terms of security is impossible.
Basically, hackers show the loophole in the system by breaking in, giving challenges, and help in a higher level of sophistication in s/w development.
I am in cybersecurity, but every day one new hacker hacks the system and shows a vulnerability, which makes every day of mine challenging. Humans are the ones who design and humans are the ones who break it. So this is a never-ending fight between attackers and defenders.
Arun.
Let's not use the word unattackable... Nothing is secure in the world!