Robert Scoble writes:
Kasia is fed up with Microsoft software. Her friends are getting hit by the blaster worm. I feel your pain Kasia. We're working on it but the issues you bring up aren't easy to fix. It took 20 years to get into this hole, now it's gonna take a while to dig our way out of it (there's a major new security fix coming in XPSP2). That said: memorize this site: microsoft.com/protect. That site will help you out -- it should be the first site every PC user visits.
We're all frustrated by this stuff. Sorry for the troubles. Here's a hint: turn on the firewall and the blaster worm will stop working and the messenger spam will stop happening (by the way, that messenger service has nothing to do with the MSN Instant Messenger application/service. Can't we pick different names for these things?)
After you turn on the firewall, you'll still need to clean off the machine (since it'll have a virus that's trying to execute) and you'll still need to go to Windows Update and download all those patches. But, at least the darn thing won't be rebooting every two minutes.
By the way, the folks on the support lines have the schtick down now for the blaster worm.
I work on the front lines of this every day of my life. As a matter of fact, I just gave two days of presentations to Microsoft customers about securing our products and what we're doing to improve our track record. I've been an IT administrator. I've been a desktop technician. I've been an IT consultant. I know what it's like, and quite frankly, it deeply pains me to watch our customers go through this. I can't speak personally for the executives at Microsoft when they say that security is priority #1 for us, but I can tell you from my perspective (and from the others that I work with) that it is for those of us in the field - there's not a thing we wouldn't do to get a customer the help resources they need to help them solve this problem. I've personally been on conference calls with customers all weekend long when they have issues updating their systems with the latest batch of patches.
The problem is this: talk gets us nowhere. As Robert says in another post, only time will tell whether we solve this problem. And I think it's obvious that the stakes are well known - if we fix it, we maintain our position as the most widely used, most successful and most enabling operating system platform on the planet. If we don't - then we probably deserve to lose every single Windows customer to our competitors.
We have made great strides with Windows Server 2003 and will improve that with SP2 for Windows XP and SP1 for Windows Server 2003. In the end, though, any reasonable person knows that there will always be problems with the code and patch management is a vocabulary term that's here to stay - it's part of our daily lives now. Patching is NOT the answer - but we need to do all we can to improve the current state of the patch management problem too. The engineering changes that have been made are starting to pay off - but in the meantime, here are some stupid things we could stop doing to make this easier for our customers and for ourselves:
- Don't say this is "An Industry Problem". You know what - people know that this is an industry problem. Windows users aren't stupid - they know that Sun patches vulnerabilities, Linux patches vulnerabilities and Apple patches vulnerabilities. At the end of the day, when IT administrators are working weekends and missing little league games to patch their servers, it's OUR problem.
- No comparisons on the number of vulnerabilities between us and "the other guys". First, see #1. The Linux machine I built the other day didn't get infected with Blaster. The Windows Server 2003 machine that I built on Wednesday did - and it got it during the graphical install - even before the darn thing was deployed. Yes, I know that I should have the NIC disabled until the server is installed and the patches are up to date. Telling me that doesn't make me feel any better for having to spend 2 hours redoing my work.
- Don't tell people that Linux is worse than Windows and don't show them all the CERT evidence that points to the fact that the OSS community is tardy in delivering patches for vulnerabilities. Why? Well, because there are millions of open source developers on the planet with nothing better to do than to prove Microsoft wrong, that's why. And they eventually will.
- Don't tell customers that if they can just keep their patches up-to-date that they'll be OK. Because they won't. See my note above (in bold) - patching is not the answer. The window of time between when we had a patch for Blaster and when there was an attack was 25 days. I don't care how good your IT department is or how fancy your deployment tools are - if you have an environment (like GM or Ford or Boeing or...well, you get the point) with tens of thousands of machines, it is statistically impossible to research, download, test and deploy a patch to that many machines in 25 days. And that's just ONE patch, my friends.
- Help customers understand that the answer is "defense in depth". The answer is up-to-date anti-virus software, properly hardened OS images, properly configured firewalls and routers (blocking both ingress and egress traffic) and monitoring everything so that you know what's going on before your users call the helpdesk. And there's a bunch of other things customers can do, too - research it and get the word out.
- Don't "lead" with how great the improvements in SP2 and "Longhorn" server are going to be. I list this one without an alternative answer to provide. I know that it's impossible to go back and update every vulnerability and add new functionality to every version of Windows since WFW 3.11. I also know that customers' eyes glaze over and they start to doodle on their notepad when I do this. Why!? Well, first off - they probably just finished rolling out Windows 2000 Professional and Windows 2000 Server. Now you're telling them they have to do it all over again just to get secure. Hell, if they have to do that - why not just replace everything with RedHat Enterprise Server? If they are on XP and Windows Server 2003, then they're thinking, "How am I going to get the resources to roll out a SP to every machine in my environment?". And I know what you're saying - they can just use automated software deployment like SMS. If you said that, you must leave this site right now - because you've obviously never worked in a real IT department. Even automated deployment solutions require someone to build the package, test it on every feasible software and hardware configuration in their environment, distribute it to their locations, suck up end user productivity while installing it and troubleshoot all the little quirky issues that are going to arise. Yes, software deployment makes it easier - but it still takes time and $$$.
- Admit responsibility and work with people to help them understand that we are doing everything we can to make it better. You'd be amazed at how this simple thing will disarm a room full of angry IT managers and get them to listen to what they need to do to be more secure. I start off with, "You will not hear me make any excuses for Microsoft's past performance from a security perspective. That's because there is no excuse for it. Instead, I am going to focus on what we are doing today to fix the problem. We have a responsibility to you, our customers, to make this right." Am I totally wrong here? I think not...
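The "monitoring everything so that you know what's going on before your users call the helpdesk" part of the defense-in-depth item above is the one that is easiest to show concretely. What follows is an added example, not code from the original post or from Microsoft. It reads firewall log lines in a layout I assume matches the Windows Firewall text log (a `#Fields:` header naming the columns, then one space-separated record per line, with `RECEIVE` or `SEND` in the `path` column for ingress and egress) and flags any source address that has touched an unusual number of distinct hosts on a single port in either direction, which is what a spreading worm looks like from the firewall's point of view. The log lines, addresses and the port 135 in them are constructed sample values, not captured data.

```python
"""Spot worm-style scanning in firewall log lines (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log in the (assumed) Windows Firewall text layout.
# 10.0.0.5 hammers eight neighbours on one port from outside (RECEIVE),
# 10.0.1.20 then fans out to six hosts on the same port (SEND, i.e. egress),
# and 10.0.0.9 is an ordinary client talking to two web servers.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2003-08-12 10:01:02 DROP TCP 10.0.0.5 10.0.1.20 1054 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:02 DROP TCP 10.0.0.5 10.0.1.21 1055 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:02 DROP TCP 10.0.0.5 10.0.1.22 1056 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:03 DROP TCP 10.0.0.5 10.0.1.23 1057 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:03 DROP TCP 10.0.0.5 10.0.1.24 1058 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:03 DROP TCP 10.0.0.5 10.0.1.25 1059 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:04 DROP TCP 10.0.0.5 10.0.1.26 1060 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:01:04 DROP TCP 10.0.0.5 10.0.1.27 1061 135 48 S 1 0 65535 - - - RECEIVE
2003-08-12 10:02:00 OPEN TCP 10.0.0.9 10.0.1.50 3001 80 - - - - - - - - RECEIVE
2003-08-12 10:02:05 OPEN TCP 10.0.0.9 10.0.1.51 3002 80 - - - - - - - - RECEIVE
2003-08-12 10:05:10 DROP TCP 10.0.1.20 10.0.2.1 2001 135 48 S 1 0 65535 - - - SEND
2003-08-12 10:05:10 DROP TCP 10.0.1.20 10.0.2.2 2002 135 48 S 1 0 65535 - - - SEND
2003-08-12 10:05:10 DROP TCP 10.0.1.20 10.0.2.3 2003 135 48 S 1 0 65535 - - - SEND
2003-08-12 10:05:11 DROP TCP 10.0.1.20 10.0.2.4 2004 135 48 S 1 0 65535 - - - SEND
2003-08-12 10:05:11 DROP TCP 10.0.1.20 10.0.2.5 2005 135 48 S 1 0 65535 - - - SEND
2003-08-12 10:05:11 DROP TCP 10.0.1.20 10.0.2.6 2006 135 48 S 1 0 65535 - - - SEND
"""


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Turn the log into one dict per record, keyed by the #Fields column names."""
    fields = None
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header lines carry no records
        if fields is None:
            raise ValueError("log has no #Fields header; cannot name the columns")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip it rather than crash
        records.append(dict(zip(fields, parts)))
    return records


def find_scanners(records: List[Dict[str, str]],
                  min_targets: int = 5) -> List[Tuple[str, str, str, int]]:
    """Return (src-ip, dst-port, path, distinct-target-count) for every source that
    reached at least min_targets distinct hosts on one TCP port in one direction.
    Both RECEIVE (ingress) and SEND (egress) are scored, so an infected inside
    host spreading outward is caught as well as an outside host probing in."""
    targets: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for r in records:
        if r["protocol"] != "TCP":
            continue
        targets[(r["src-ip"], r["dst-port"], r["path"])].add(r["dst-ip"])
    hits = [(src, port, path, len(dsts))
            for (src, port, path), dsts in targets.items() if len(dsts) >= min_targets]
    hits.sort(key=lambda h: -h[3])  # noisiest source first
    return hits


if __name__ == "__main__":
    for src, port, path, n in find_scanners(parse_firewall_log(SAMPLE_LOG)):
        print(f"{src} reached {n} hosts on tcp/{port} ({path})")
```

The threshold is deliberately crude: on a real network it should be tuned per port and per time window, and the report should feed whatever the helpdesk already watches. The point is that both the inbound scan and the outbound one from an already-infected box show up, which is why the list above insists on blocking and logging egress traffic as well as ingress.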
I feel much better now, thank you. Your reward for wading through this? I link to a very cool security site I found today. Simple, straight-forward answers to hard problems. Enjoy.