I saw this on your blog, but I didn't think of anything until I just downloaded the Spyware Beta.
OK, this is turning into a rant. And I don't have time to write it cleaner and more objectively. I apologize and this is the best I can do right now.
The first practice I want to see put in this year is people not providing links to the .exe in the download center and instead referring people at least to the download page, so they can see the beta declaration, advice about support and so on, and also be satisfied that they are making a download of an official MS distribution (even beta). After all, the greatest way to place malware on a computer is as a payload in erstwhile security software, yes? People associated with MSFT should know better.
But this does get me to the second recommendation. I think it comes to not allowing developers to run as administrator, and that includes the guys who make stuff for MSN. I don't want MSN Desktop search running in my administrator account, and I certainly don't want it running in the administrator account of my wife's system, where there should be no unnecessary services ready-to-hand as temptations for thoughtless behavior. (I finally figured out how to get Outlook to be safe at the administrator level by not giving it any accounts to use, that was the best I could do, and that meant I couldn't run the MSN Outlook Coordinator or whatever it is called on the system at all, because it insisted on running in the administrator account too.)
I think something dramatic has to happen around making desktop systems work well with simply-administered products. I don't want to have an MCSE to administer my wife's desktop for her, so asking me questions about ICMP in my installation of the XP SP2 Firewall without giving me a clue as to the consequences of my choices is really awful. A lot of MSFT security stuff is like that.
OK, so design simply-administrable systems for small SOHO purposes. All systems should be so simply-administrable and it should be the real dogfood. And always walk the talk in every way, every day.
That means stop requiring Microsoft sites to be privileged for mobile code and ActiveX in order for people to do something useful and maybe important (like report a security problem or troubleshoot a problem). So all of the advice that is given about the 3S's, cutting down the exposure footprint of the browser, etc., is then countered by MSFT requiring lowering of defenses to get anything useful done. (Actually, on MSN I just click the irritating do not permit ActiveX reminder all of the time and find that I lose nothing by ActiveX being declined.)
So, I bet you the spyware stuff still privileges MSFT and I notice the firewall comes prepped to do that.
What exactly is the lesson you want all of us to learn by what you do rather than what you say?
High-level summary: MSFT needs to get real about who their systems are for, and how they support that. They also need to get real about what business they are in and how they walk their own talk. I don't think I should trust a media- and advertising-oriented business to offer me security against adware and malware, for example.