I have my doubts about many things and the arguments here and in the comments section loom large.
Yes, I can see that business sees no need for an 'arms race' escalation of desktops once the basics are there. A few people, gamers, developers, might want personal workstations that they can load up with memory and high-performance graphics engines, but for the rest of us, it's ho-hum. That Intel and AMD are producing chips with more cores, more cache, integrated graphics and more, well, Moore's Law applies to transistor density, doesn't it, and they have to do something to soak up all those extra transistors on the chips.
As for smaller packaging, what do these people think smart phones and tablets and watches are?
Gimme a break!
My phone has more computing power than was used by the Manhattan project to develop the first nuclear bomb.
These are interesting, but the real application of chip density is going to have to be doing other things serving the desktop. It's going to be
And for #1 & #3 Windows will become if not an impediment, then irrelevant.
It's possible a very stripped-down Linux can serve for #1 & #3, but somewhere along the line I suspect people might wake up and adopt a proper RTOS such as QNX, much in the same way that Linux has come to dominate #2. It is, however, possible that Microsoft will, now that Gates and Ballmer are out of the scene, adopt something Linux-like or work with Linux so as to stay relevant in new markets. The Windows tablet isn't the success they hoped for, and the buyout of Nokia seemed more to take Nokia out of the market than to become an asset for Microsoft to enter the phone market and compete with Apple and Samsung. Many big firms that do have lots of Windows workstations are turning to running SAMBA on Big Iron because (a) it's cheaper than a huge array of Windows Servers that present reliability and administrative overhead, and (b) it's scalable. Linux isn't the 'rough beast' that Ballmer made out, and Microsoft's 'center cannot hold' the way it has in the past.
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
Well, yes .... but.
From the left-hand-doesn't-know-what-the-right-hand-is-doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, let's leave the vested interests of security sales aside for a moment.
I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.
This kind of question keeps coming up; many people are unclear about the Statement of Applicability in ISO 27000.
The SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on 'Controls'.
But if you are using closed-source products such as those from Microsoft, are you giving up control? Things like validation checks and integrity controls are 'internal'.
Well, it's a bit of a word-play.
- The SoA contains exclusions on controls that are not applicable because the organization doesn't deal with these problems (e.g. e-commerce).
- The SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (e.g. A.12.2 Correct processing in applications), where no measures can be taken to reduce these risks.
With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted
The key to the SOA is SCOPE.
This isn't news. Signature-based (and hence subscription-based, and hence that whole business model) AV is a wrong-headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update-cycle model, and its business premise is very like that of drug pushers.
What's that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads, all email and all email attachments, and all URL responses by emulating what would happen when they run on any PC, in any browser, or in any other piece of software: any of the PDF readers you use, any of the graphical display software you use, any of the word processors you use, any of the spreadsheet programs you use, any music players you use ... and so on.
Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor, which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go Google for details. A local signature has advantages and its own problems.
The local signature makes things unique to each machine, so there is no "master key" out there. If your private key is compromised, then do what you'd do with PGP: cancel the old one, generate a new one and sign all your software with the new one.
No technical measure can overcome human frailty in this regard.
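The per-machine signing scheme described above, worked through in code. This is an added example written for this page, not the author's implementation and not any shipping product: it assumes Ed25519 for the key pair (the post names no algorithm), models the "loader" as a function that returns an error instead of a kernel hook, and uses a constructed byte string in place of a real library. It also shows the recovery step the post describes, rotating to a new key and re-signing what was installed, and one caveat the post leaves implicit: rotation must verify each library under the old key before re-signing it, or it would launder whatever an attacker slipped in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MachineKey is the per-machine signing identity from the proposal above:
// generated locally and never shared, so there is no master key to steal.
// (Ed25519 is an assumption; the post does not name an algorithm.)
type MachineKey struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewMachineKey generates a fresh key pair; also used when rotating.
func NewMachineKey() (*MachineKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MachineKey{pub: pub, priv: priv}, nil
}

// Library is an installed binary plus the signature the installer attached to it.
type Library struct {
	Name string
	Code []byte
	Sig  []byte
}

// digest binds the signature to both the file name and its contents, so a
// validly signed file cannot be renamed and passed off as another library.
func digest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(code)
	return h.Sum(nil)
}

// Install is the only legitimate path that produces a valid signature:
// the package manager runs it with access to the machine's private key.
func (k *MachineKey) Install(name string, code []byte) Library {
	return Library{Name: name, Code: code, Sig: ed25519.Sign(k.priv, digest(name, code))}
}

// ErrUnsigned is what the loader returns for anything it will not execute.
var ErrUnsigned = errors.New("loader: code is not signed by this machine's key")

// Load is the loader/kernel check: execute only code whose signature verifies
// under the current machine public key. Tampered, renamed, unsigned and
// foreign-signed code all fail here, as does anything signed by a retired key.
func (k *MachineKey) Load(lib Library) error {
	if !ed25519.Verify(k.pub, digest(lib.Name, lib.Code), lib.Sig) {
		return ErrUnsigned
	}
	return nil
}

// Rotate is the PGP-style recovery after a private-key compromise: generate a
// new key and re-sign every library that was legitimately installed. The old
// key is discarded, so anything an attacker signed with it stops loading.
// Each library is verified under the old key first; re-signing blindly would
// turn rotation into a way of laundering attacker-installed code.
func (k *MachineKey) Rotate(libs []Library) (*MachineKey, []Library, error) {
	nk, err := NewMachineKey()
	if err != nil {
		return nil, nil, err
	}
	resigned := make([]Library, 0, len(libs))
	for _, lib := range libs {
		if err := k.Load(lib); err != nil {
			return nil, nil, fmt.Errorf("refusing to re-sign %s: %w", lib.Name, err)
		}
		resigned = append(resigned, nk.Install(lib.Name, lib.Code))
	}
	return nk, resigned, nil
}

func main() {
	k, err := NewMachineKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a real shared library.
	lib := k.Install("libhello.so", []byte("\x7fELF...hello"))
	fmt.Println("legit load:", k.Load(lib))

	tampered := lib
	tampered.Code = append([]byte(nil), lib.Code...)
	tampered.Code[len(tampered.Code)-1] ^= 0xff
	fmt.Println("tampered load:", k.Load(tampered))

	attacker, _ := NewMachineKey() // malware that brought its own key
	fmt.Println("foreign-signed load:", k.Load(attacker.Install("libhello.so", lib.Code)))

	nk, resigned, err := k.Rotate([]Library{lib})
	if err != nil {
		panic(err)
	}
	fmt.Println("old signature after rotation:", nk.Load(lib))
	fmt.Println("re-signed after rotation:", nk.Load(resigned[0]))
}
```

The private key in a real deployment would live somewhere the end user cannot read it (a TPM or an installer-only account), which is exactly the "human frailty" point: if the user can run the signing step on anything they download, the loader check buys nothing.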
- Avira antivirus upgrade wreaks 'catastrophic' havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser 🙂 (shanicomputers.wordpress.com)
- Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don't Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- 'Catastrophic' Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
What's interesting here is that this isn't preaching "The Cloud" and only mentions VDI in one paragraph (2 in the one-line expanded version).
Also interesting is the real message: "Microsoft has lost it".
Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes - it *HAD* to be to have survived that long. (One could say the same about sharks!)
"Keeping desktop systems in good working order is still a labour of Sisyphus .."
Indeed. But LinuxDesktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.
A prediction, however.
The problem with DOS/Windows was that the end user was the admin and could fiddle with everything, including downloading and installing new code. We are moving that self-same problem onto smartphones and tablets. Android may be based on Linux, but it's the same 'end user in control' model that we had with Windows. It's going to be a malware circus.
- eWEEK Review: Unidesk Simplifies VDI Deployment and Management (prweb.com)
- Dell Delivers Desktop-as-a-Service (informationweek.com)
- Zenk GmbH to Distribute Unidesk VDI Management Software in Germany (prweb.com)
- The key questions you must ask to save your virty desktop dream (go.theregister.com)
- 6 Common Desktop Virtualization Mistakes (informationweek.com)
- 5 Best Alternatives of Windows 8 (indianbloggist.com)
It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:
rather than solely focusing on threat vectors and actors.
To be honest, I sometimes wonder why people obsess about threat vectors in the first place. There seems to be a belief that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.
Look at it this way: what do you have control over?
Why do you think that people like auditors refer to the protective and detective mechanisms as "controls"?
Yes, if you're a 600,000 lb gorilla like Microsoft you can take down one - insignificant - botnet, but the rest of us don't have control over the threat vectors and threat actors.
What do we have control over?
Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the "vulnerability surface", such as partitioning our networks, restricting access, and not exposing more than is absolutely necessary to the Internet (why, oh why, is your SqlServer visible to the net? Why isn't it behind the web server, which in turn is behind a firewall?).
Assets, to a large extent. Document them. Identify who should be using them and implement IAM.
And very important: we have control over RESPONSE.
Did the FBI equation mention response? I suppose you could say that 'awareness' is a part of a response package. Personally, I think that response is a very, very important part of this equation, and it's the one you have MOST control over.
And response is - or should be - totally independent of the threats
since it focuses on preserving and recovering the assets.
I think they have it very, very confused and this isn't the most productive, most effective way of going about it. But then the FBI's view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.
But let's face it, most corporations are not in the business of policing. Neither are home users.
Which is why I focus on the issue of "what you have control over".
Related articles by Zemanta
- School Spy Program Used on Students Contains Hacker-Friendly Security Hole (wired.com)
- The Top 10 Reports For Managing Vulnerabilities (lockergnome.com)
- FBI searching for 'Flavor Flav Bandit' (seattlepi.com)
- Why Security Vendors are loosing (tech.bl0x.info)
- Editorial: Flawed F.B.I. Background Checks (nytimes.com)
- FBI details surge in death threats against lawmakers (americablog.com)