Please run windows update now

Oddly enough, we've seen *lots* of spammers that are *totally* able to
auto-tune their spew rate to whatever you set the knob to. Set it to 3,293,
and it will quickly adjust to 3,250 or so. Knock the knob down to 67, it will
tune down to 65. There's no reason to expect that the same methods won't
be used again.

If it's an entire network of vulnerable systems, it's perfectly reasonable for
malware to pick one system (the one with the least number of likely-valuable
files) as a sacrificial goat and burn it down, just to see where you've set the
knobs, and then fly under the radar for the rest of the network.

If malware waits till 5:01PM Friday or whenever it detects the user has left
for the weekend, and does a careful search of file extensions for files most
likely to be valuable enough to make the victim pay the ransom, and does them
at 3 per minute, how bad is the situation Monday morning?

So you restrict file change rate to 1 per hour or something draconian when the
user isn't at the keyboard.

What is the likely amount of time the malware can get away with doing 3 files a
minute in the background while the user *is* using the system, before they hit
an encrypted file and realize there's a problem (hint - avoid files modified in
the last few days and target more static files)?

What is the likely amount of time you can restrict the user to 2 files per
minute before they come looking for you with an ax?

Remember - the first rule of designing security is that if you haven't already
thought through the first several iterations of blatantly obvious ways to work
around your proposal, and dealt with them, it's guaranteed that the bad guys
will do so for you.

Remember this as well - the entire reason why Snowden walked away with so many
files was because the NSA was not using all the available security features
*because it put too much of a crimp in legitimate analyst activity*. It's also
why almost nobody outside military and spook systems actually deploys MLS/MCS
security.

Given that we've been at this for well over 4 decades now, and we *still* can't
actually do it right, you should be *very* suspicious of any proposal that says
"Just count the number of opens, tie it to fail2ban, handwave yadda yadda
handwave *SECURE*".

But their failure leads to further intrusions elsewhere. Their failure has consequences beyond their own borders.

IMO, this is a herd immunity problem that Microsoft needs to get better at.

The analogy I would make here is the German versus the American approaches to road fatalities.

In the German approach, if there are significant road fatalities in a given location, then that implies there is a failure with the way the road system is engineered, and it needs to be fixed so that the number of fatalities is brought down. No blame is automatically assumed on the part of the drivers who failed at that location.

In the American approach, if there are a significant number of road fatalities, then it's the drivers' own fault and they should have taken more care. They are automatically to blame for their own failure.

But if you're one of the other drivers out there who might be impacted by the lack of due diligence practiced by another driver on the road, which approach are you going to want to see implemented?

LOL. I think that is a really bad example and I see many fallacies in it,
including a hasty generalization, as intersections, and roads for that
matter, in America have been redesigned to improve safety.

Isn't it true, with any tech product, the more complex features, the less
secure it is? Ask yourself why this is the case, and I believe the true
issue with tech lies there.

If a country must build a China Wall duplicate in 300 days (for some
reason, to save money let's say), unless the team can pull it off and
depending upon how long it must be, the wall you end up with will probably
have some holes in it or pieces of it may collapse at later dates.

I don't know. It is hard to imagine a professional IT nowadays, seriously
blaming Microsoft for every bad thing out there.

What would be more of an interesting discussion, to me, would be why
doesn't Microsoft know about this hoarding of vulnerabilities by State
actors and plug them up?

Are they really that clever of vulnerabilities? Does Microsoft not have the
resources? Is Windows like the ocean, where there are just hundreds of new
species waiting to be discovered?

Did Microsoft at least know of the NSA vulnerabilities, for example, and
kept it classified until NSA told them to plug them up?

LOL. I think that is a really bad example and I see many fallacies in it,
including a hasty generalization, as intersections, and roads for that
matter, in America have been redesigned to improve safety.

So, if you want to talk about roads in the US, the first thing you have to do is look at the budgets. There are trillions of dollars worth of road improvements that should have been made over the past decades, but which haven't. You'd have to ask the politicians as to what they think the real reasons are, but my guess is that they were unwilling to make long-term investment on critical infrastructure, because it was seen as being too expensive in the short-term.

And I definitely see a strong analogy there with what Microsoft has/has not done.

Isn't it true, with any tech product, the more complex features, the less
secure it is? Ask yourself why this is the case, and I believe the true
issue with tech lies there.

To a degree, this is true. But there are more iOS devices out there than there are Windows boxes, and while iOS certainly isn't perfect, it definitely has a much better security posture.

So, there is at least one other company out there that can do the job. I have to believe that there is more than just one.

I don't know. It is hard to imagine a professional IT nowadays, seriously
blaming Microsoft for every bad thing out there.

I don't blame Microsoft for every bad thing out there. I do think they are, by far, the worst of the Fortune 25. But there are 24 other companies on that list who all have their own part to play -- including Apple.

What would be more of an interesting discussion, to me, would be why
doesn't Microsoft know about this hoarding of vulnerabilities by State
actors and plug them up?

Well, this one is actually an old vulnerability, right? One that Microsoft supposedly fixed years ago? So, why didn't they fix it properly back then?

Are they really that clever of vulnerabilities? Does Microsoft not have the
resources? Is Windows like the ocean, where there are just hundreds of new
species waiting to be discovered?
Did Microsoft at least know of the NSA vulnerabilities, for example, and
kept it classified until NSA told them to plug them up?

Good conspiracy questions to ask. But frankly, I don't care that Microsoft wants to blame the NSA for hoarding vulnerabilities. If Microsoft had spent more time/money/effort to get their crap right the first time, then we wouldn't have this mess. We might have a different mess, but we wouldn't have this one.

Note that most of iOS's improved security posture is due to its design as a
launcher of apps from a tightly controlled source that tightly control the user
experience. It's pretty damned easy to harden Windows as well, if you're going
to hobble it into being a canned app launcher.

Of course, that will piss off everybody who's using Windows as a base for
a generalized computing environment rather than an app-launching kiosk,

What would be more of an interesting discussion, to me, would be why
doesn't Microsoft know about this hoarding of vulnerabilities by State
actors and plug them up?

It's pretty hard for Microsoft to know about an exploit the NSA is sitting
on, until Shadow Brokers or similar spills the beans.

Are they really that clever of vulnerabilities? Does Microsoft not have the
resources?

The talent pool for top-flight hackers is not all that large. And even if
you acquire a large skilled team, there is *zero* guarantee that some other
talented team won't find a hole that your team didn't spot. In fact, there's
a lot of good reason to believe that exact situation happens *all the time*.

Is Windows like the ocean, where there are just hundreds of new
species waiting to be discovered?

Find statistics on average number of bugs per thousand lines of code.
Find estimate of how many 10s of millions of lines of code ships as part
of Windows. Do the math - and have alcohol handy for the almost certain
drinking binge that the answer will inspire.

Did Microsoft at least know of the NSA vulnerabilities, for example, and
kept it classified until NSA told them to plug them up?

There's lots of informed speculation on that one, but I can almost guarantee that
you'll never get a definitive answer from somebody who actually knows.

YOU WENT THERE (ignores enough to run for president)

What would be more of an interesting discussion, to me, would be why
doesn't Microsoft know about this hoarding of vulnerabilities by State
actors and plug them up?

Some state actors they do know. They custom write the security flaws on the state actors request.

Are they really that clever of vulnerabilities? Does Microsoft not have
the resources? Is Windows like the ocean, where there are just hundreds of new
species waiting to be discovered?
Did Microsoft at least know of the NSA vulnerabilities, for example, and
kept it classified until NSA told them to plug them up?

Of course Microsoft knew, since they wrote in the backdoor in the first place. That is why when informed by their employers that the backdoor was going to be made public, they could undo the changes they had introduced so rapidly.

Do you have any actual evidence or citations that in fact, this was an
intentionally inserted backdoor?

You'll have to speak up, he can't hear you over the rustling of the tin
foil.

- Matt

Pretty low blow considering if I saw "greys" in my yard,
I'd be all: "OMGF illuminati!"

Equal in quantity and quality to the evidence to the contrary.

In that case, "Of course Microsoft didn't know" is equally probable.

In fact, it's *more* probable, because if it was intentional, they'd
have to have ways in place to make sure that if some random programmer
managed to find it and report it, the bug wouldn't get fixed - and the
fact that there was a long-standing bug not fixed didn't get noticed by
the QA team and the rest. After all, once some TLA paid good money to
get that backdoor installed, the *last* thing you want happening is the
sentence, "What do you mean, you accidentally fixed it?"

Plus, since "Microsoft didn't intentionally put the MS17-010 bug in as
a backdoor" is the null hypothesis, it requires zero evidence, and it's
your job to bring positive evidence for the non-null hypothesis.

Can we end this thread? I think the original intent has come and gone.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

Not in all parts of America. Highway 18 here just got a full metal
barrier separating the opposing traffic in much of the 4-lane section.
55 mph limit, lots of tight curves, about 18 inches separation between
the opposing traffic, and a bunch of drivers that don't know how to
drive around a curve. Someone got tired of all the head on crashes, so
they "fixed" the road.

In article <m2lgpycpjr.wl-randy@psg.com> you write:

fyi, current opinion in the security community seems to be that win10 is
better secured than linuxes, bsds, ... see http://cyber-itl.org/; still
pretty sparse, but getting fleshed out.

Not against Microsoft.

R's,
John