Yes, I can see how the company that holds 95% of the OS market would clearly be bullied by their competitors. Personally, I think Vista isn't that bad, but the issues it has are largely because M$ screwed up on it. I couldn't tell you how many IT people I know who would rather cut off their right arm than own Vista. 90% of the developer market doesn't want to touch it. Businesses in general don't want to touch it.
Oh yes, I can totally see why people would want to invest in your crappy OS when the refined version is supposed to be out in 2009. ::)
[url]http://storefrontbacktalk.com/story/071108homa[/url]
Former Hannaford CIO: Avoid Microsoft And Change PCI's Encryption Rules
Written by Evan Schuman
July 11, 2008
Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be "so full of holes" and describes the fact that current PCI regs do not require end-to-end encryption as "astonishing."
But Homa's key point is that most retailers handle security backwards: Don't pour everything into protecting the front door. Assume they'll get through and have a plan to control them once they're inside.
One of the most frustrating IT security realities in retail today is the quintessential oxymoron: The more serious the CIO is about keeping data secure and the more sophisticated a defense is deployed, the more points of vulnerability emerge.
For example, an especially risk-averse IT exec might opt for multiple distant off-site backup locations, which only increases the number of potential places and subcontractors that could lose—or maliciously access—those data files. Or security specialists who install a wide range of cutting-edge and redundant security applications may find themselves at the mercy of any crash-causing glitch in any of them.
Consider PCI. The most dedicated PCI program is subject to the whims of a potentially careless assessor, who would also be a potential data leak. Then there are operating system changes for the sysadmin dedicated enough to immediately download and install every patch and security update, only to find that they open more holes. A less aggressive effort might have been spared that pain, as the community identifies the hole before it's installed.
This came to mind as I was chatting the other day with Bill Homa, who on July 1 could say for the first time in 12 years, "Today, I am not the CIO of Hannaford."
PCI-compliant Hannaford was, of course, the victim of an especially large data breach (data from 4.2 million payment cards grabbed).
Homa has become a fan of simplification in battling security. "We used a lot of Linux," Homa said. "None of the breach was anything related to Linux. All of it was Microsoft."
Asked whether he believed that Microsoft is less secure because it's truly less secure software or whether its overwhelming marketshare makes it a cyber thief target, Homa said it was the other way around. Microsoft's marketshare is not what attracts so many attackers. "Microsoft is so full of holes. That's why it's still a target," he said.
Would he counsel other CIOs to avoid Microsoft like the plague? "That's what I'd do. If you limit your exposure to Microsoft, you're going to be in a more secure environment," he said, adding that Microsoft's philosophy is decentralized, forcing IT to manage more points. That means more license fees for Microsoft and more potential security gotchas for the CIO. "Hence, you see my aversion to Microsoft."
As for the oft-repeated song that Hannaford's being breached while PCI compliant indicates some sort of PCI indictment, Homa said it comes down to two things: "Either the standards weren't strong enough or the assessor wasn't doing his job."
He finds particular fault in one aspect of the current PCI standard: "All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI," which only requires encryption when transmitting over a public network such as IP.
The PCI rationale is that private point-to-point networks—such as the one Hannaford uses—are sufficiently secure that they don't need encryption. Homa disagrees. "Nowadays, encryption is not that expensive. And there's no such thing as a secure network," he said. "If you think your network is secure, you're delusional."
Homa has his own strong security strategy, which seems to be a minority view. It's futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they'll get in.
"Most retailers have the philosophy of keeping people out of their network. It's impossible to keep people out of your network. There are bad people out there. How do I limit the damage they can do? If you don't do that, they'll have free rein to do whatever they want."
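Homa's point above, that card data should be encrypted end to end instead of being trusted to a "private" store network, is what the following Go program sketches. It is an added example, not code from the article, from Hannaford or from any PCI document; the Transaction fields, the message layout, the terminal identifier and the key handling are assumptions for illustration. The terminal seals the PAN with AES-256-GCM and binds the terminal ID as additional authenticated data, so the record crossing the store LAN carries no plaintext PAN, only the host can open it, and a modified ciphertext or one replayed from another lane fails closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Transaction is the record a point-of-sale terminal sends upstream.
// The field names are assumptions for this example, not a real message format.
type Transaction struct {
	TerminalID string
	PAN        string // primary account number, the field PCI cares about
	Expiry     string
	AmountCent int64
}

// sealPAN encrypts the PAN with AES-256-GCM under a key shared only by the
// terminal and the acquiring host. The terminal ID is bound as additional
// authenticated data so a ciphertext cannot be replayed from another lane.
// Output layout: nonce || ciphertext || tag, hex encoded for a text message.
func sealPAN(key []byte, terminalID, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(terminalID))
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// openPAN is the host side: it recovers the PAN, or fails on any tampering,
// wrong key or mismatched terminal ID (the GCM tag covers all three).
func openPAN(key []byte, terminalID, sealed string) (string, error) {
	raw, err := hex.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("sealed PAN too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(terminalID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// wireMessage renders what actually crosses the store network: everything
// in the clear except the PAN, which only the host can open.
func wireMessage(key []byte, tx Transaction) (string, error) {
	sealed, err := sealPAN(key, tx.TerminalID, tx.PAN)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("term=%s pan=%s exp=%s amt=%d",
		tx.TerminalID, sealed, tx.Expiry, tx.AmountCent), nil
}

// leaksPAN is the check a sniffer on the "private" network would run.
func leaksPAN(wire, pan string) bool {
	return strings.Contains(wire, pan)
}

func main() {
	key := make([]byte, 32) // in practice provisioned per terminal and rotated
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed test card number, not real card data.
	tx := Transaction{TerminalID: "lane-07", PAN: "4111111111111111", Expiry: "1209", AmountCent: 4237}
	msg, err := wireMessage(key, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println(msg)
	fmt.Println("PAN visible on the wire:", leaksPAN(msg, tx.PAN))
}
```

The design choice worth noting is the AAD: it costs nothing extra on the wire, yet a captured message from lane 7 cannot be fed to the host as if it came from lane 8, which is the kind of in-network misuse Homa's "assume they'll get in" stance is about.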
By Rick Whiting, Kevin McLaughlin, ChannelWeb
1:17 PM EDT Tue. Jul. 08, 2008
Windows Vista has been dragged through the mud by the bullies with which it competes, but those bullies are about to get hit with some long overdue retaliation.
That's the message from Brad Brooks, Corporate Vice President of Windows Consumer Products, who in a Tuesday keynote speech at Microsoft (NSDQ:MSFT)'s Worldwide Partner Conference in Houston attempted to swat away the negative mojo around the OS that has built up since its launch.
"There are a lot of myths around Windows Vista. We know the story is very different than what our competitors would like us to think," Brooks told the audience.
In a clear dig at Apple (NSDQ:AAPL) and its 'I'm a PC, I'm a Mac' advertisements, Brooks suggested that Microsoft is preparing to retaliate against "noisy competitors" with a major new multi-million dollar advertising campaign, something that many channel partners have been hoping the software giant would do for months.
"You thought the sleeping giant was still sleeping. We've woken up and it's time to take this message forward. This is the true story of Vista," Brooks said.
Security is one of the areas in which Vista simply hasn't received its due, Brooks said.
Vista has actually had a cleaner security track record in its first year since launch than any other open source or commercial OS in history, Brooks said. Vista also had 20 percent fewer security problems than XP in 2007, and users running Vista are 60 percent less likely to get malware than those running XP SP2, he added.
"This is the real Vista story, and it's only getting better," said Brooks.
Acknowledging that Vista was a major break from earlier versions of Windows, Brooks said the market is beginning to realize that Microsoft made these changes with their best interests in mind. "Yes, the changes did cause a lot of pain. But customers are starting to see benefits," Brooks said.
Brooks noted that the same architectural changes that caused hardships in Vista are carrying over to Windows 7, which means that users who make the transition will already be up to speed when Microsoft launches the next version of Windows sometime in late 2009 or early 2010.
"Make the investment [in Vista] now," Brooks exhorted channel partners. "Because when you make the investment in Windows Vista, you're not only making it in Vista, it's going to pay forward into the next generation of the operating system we call Windows 7."
Compatibility issues in Vista have also been exaggerated, and Microsoft's Windows Vista Compatibility Center, a database that shows the compatibility status of the most popular Windows devices and software products, is aimed at clearing the air on this front, according to Brooks.
Brooks also introduced the Vista Small Business Assurance program, under which Microsoft will offer free support and one-on-one coaching to small businesses.
"Windows Vista is a good product," Brooks told partners. "We need to make our voices heard."
[url]http://www.crn.com/it-channel/208803174[/url]
This is what bothers me about MS: the next version of Windows is due out in 2009 or early 2010. They are always looking to pad their pocketbook. Finish fixing at least one operating system sometime.
Heck, if they keep putting out new operating systems at this rate I can probably skip 2 or 3 versions before I buy my next PC.
Smoke and mirrors my man, smoke and mirrors. It's that vast right wing conspiracy going after MS now, (since MS Clinton is on the sidelines they need something to do).
So Bill Gates says to the Devil, "You mean I have to spend Eternity down here using Vista? Can't we just cut to the fire and brimstone?"
To which the Devil replies, "Actually you don't have to spend Eternity down here. All you have to do is install Linux on your Vista machine and you can go to Heaven."
"No sweat, I'll be out of here in 20 minutes."
"But there's a catch," says the Devil with a grin.
"Catch? What catch?"
"You have to download and burn your own Linux install CD using only the tools that come with Vista."
And this has what to do what with Vista?
But they're the ones using security for a marketing campaign. Vista is a decent OS, but Microsoft isn't ready to run an ad campaign on security and be taken seriously.
It's an excellent illustration of what can happen to you when you literally bet the life of your company on Microsoft's ability to deliver a secure product. Of all the merits of Vista, Microsoft focusing on security is just plain dumb, to the point of being laughable. They can't even secure their server products.
I guess this means you consider the new sandboxing feature of WinServer08 and Vista worthless?
:police: Let's try and keep the political stuff in Hot and Spicy please. :police:
:police: Right wing / left wing doesn't matter. Keep it in the appropriate forum. :police:
OG, it was a slight joke. Sorry. Shall not ever do it again. :-X
I don't care if it's an IBM mainframe, a sandbox is an infrastructure partition, not an OS or logical one. I realize it'll save smaller companies money, but from a PII perspective, I think it'll cause more problems than it will solve.
How do you think a sandbox would fit into a trusted computing model? Especially in an environment where trusted is defined at a circuit level?
Microsoft products don't rate above C1 on the Trusted Computing scale, so perhaps it's the definition of security that is at issue.
In the WinServer08/Vista instance they've extended the concept to a network level.
Can you drop me a link on who is determining the C1 scale? I'd like to read how they are testing and what criteria they're using...you know, the usual BS.
You gotta do it in a fashion that's witty, hip, insane, and completely and permanently destroys any and all credibility to your sanity and mental stability.
You gotta say, "It's a conspiracy man!!! Just like the gremlins that steal my socks from the dryer. The sock industry is in league with the gremlins to make more money. But, at the very least they recycle my socks by washing them up and selling them again."
*takes a bow and farts and grabs a gas mask*
Yeah, I know. But heck, I have been seeing a political endorsement in a signature for a long time now; figured a little joke couldn't hurt.
Hmm, been chewed out for commenting on a post because the thought wasn't finished even though the post was done. Chewed out over a few other little things. Guess I go back to reading for the most part.
[url]http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria[/url]
[url]http://en.wikipedia.org/wiki/Common_Criteria[/url]
You could maybe make a case that MS is B1, but it's unlikely. Also, I misspoke, Server is C2 not C1.
Divisions and Classes
The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.
D — Minimal Protection
Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division.
C — Discretionary Protection
C1 — Discretionary Security Protection
Separation of users and data
Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
C2 — Controlled Access Protection
More finely grained DAC
Individual accountability through login procedures
Audit trails
Resource isolation
Required System Documentation and user manuals.
B — Mandatory Protection
B1 — Labeled Security Protection
Informal statement of the security policy model
Data sensitivity labels
Mandatory Access Control (MAC) over select subjects and objects
Label exportation capabilities
All discovered flaws must be removed or otherwise mitigated
B2 — Structured Protection
Security policy model clearly defined and formally documented
DAC and MAC enforcement extended to all subjects and objects
Covert storage channels are analyzed for occurrence and bandwidth
Carefully structured into protection-critical and non-protection-critical elements
Design and implementation enable more comprehensive testing and review
Authentication mechanisms are strengthened
Trusted facility management is provided with administrator and operator segregation
Strict configuration management controls are imposed
B3 — Security Domains
Satisfies reference monitor requirements
Structured to exclude code not essential to security policy enforcement
Significant system engineering directed toward minimizing complexity
A security administrator is supported
Audit security-relevant events
Automated imminent intrusion detection, notification, and response
Trusted system recovery procedures
Covert timing channels are analyzed for occurrence and bandwidth
An example of such a system is the XTS-300, a precursor to the XTS-400
A — Verified Protection
A1 — Verified Design
Functionally identical to B3
Formal design and verification techniques including a formal top-level specification
Formal management and distribution procedures
An example of such a system is SCOMP, a precursor to the XTS-400
Beyond A1
System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB).
Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.
Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.
I read through the material and I do not find anywhere where the DoD rates all of Microsoft at a C1 or C2.
Microsoft never gets closer to my credit card data than generating reports from an SQL database that has had the card numbers masked before arrival.
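The masking the poster describes, stripping card numbers before they ever reach the reporting database, is shown below as an added Go example; it is not the poster's code, and the ReportRow layout, the store identifiers and the key are assumptions for illustration. The PAN is reduced to the first six and last four digits, a keyed HMAC-SHA256 surrogate replaces it so reports can still count repeat cards while the reporting tier never holds the key, and a Luhn-based scan in front of the database refuses any record in which a full card number survived.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// ReportRow is all the reporting database is allowed to receive: no PAN.
// The field names are assumptions for this example.
type ReportRow struct {
	StoreID    string
	MaskedPAN  string // first six and last four digits, the rest replaced
	CardToken  string // keyed HMAC surrogate, lets reports group repeat cards
	AmountCent int64
}

// maskPAN keeps the BIN (first six) and the last four digits, the usual
// disclosure limit for a stored PAN, and blanks everything in between.
// Anything outside the 13 to 19 digit PAN length range is blanked entirely.
func maskPAN(pan string) string {
	if len(pan) < 13 || len(pan) > 19 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// tokenizePAN derives a stable surrogate with HMAC-SHA256 under a key the
// reporting tier never sees. A bare hash would not do: the PAN space is small
// enough to enumerate, and the key is what stops that.
func tokenizePAN(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// toReportRow is the boundary where the PAN is dropped from the record.
func toReportRow(key []byte, storeID, pan string, amount int64) ReportRow {
	return ReportRow{
		StoreID:    storeID,
		MaskedPAN:  maskPAN(pan),
		CardToken:  tokenizePAN(key, pan),
		AmountCent: amount,
	}
}

// luhnValid is the check-digit test every real PAN passes; the scanner
// uses it to tell card numbers from other long digit strings.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// A standalone run of 13 to 19 digits; word boundaries keep digit runs
// inside hex tokens from matching.
var digitRun = regexp.MustCompile(`\b\d{13,19}\b`)

// containsPAN is the gate in front of the reporting database: it refuses
// any record that still carries a Luhn-valid 13 to 19 digit number.
func containsPAN(s string) bool {
	for _, m := range digitRun.FindAllString(s, -1) {
		if luhnValid(m) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("reporting-tier-must-never-hold-this-key") // constructed for the example
	// Constructed test card numbers, not real card data.
	rows := []ReportRow{
		toReportRow(key, "store-112", "4111111111111111", 4237),
		toReportRow(key, "store-112", "4111111111111111", 999),
		toReportRow(key, "store-045", "5555555555554444", 1500),
	}
	for _, r := range rows {
		line := fmt.Sprintf("%s %s %s %d", r.StoreID, r.MaskedPAN, r.CardToken, r.AmountCent)
		fmt.Println(line, "pan-leak:", containsPAN(line))
	}
}
```

The first two rows share a token, so a report can still see the same card used twice at store-112 without anyone on the reporting side being able to recover the number. The Luhn gate is deliberately run on the whole serialized row, not just the PAN column, so a PAN that wandered into a free-text field is caught as well.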
According to a study of 106 major U.S. airports and 800 business travelers published by the Ponemon Institute and Dell Computer, about 12,000 laptops are lost in airports each week. Only 30 percent of travelers ever recover the lost devices. Nearly half of the travelers say their laptops contain customer data or confidential business information.
The report offers a very different view from sources that collect breach disclosure information, such as Attrition.org, where only a few companies disclose laptop thefts each week. Many employees are embarrassed to report the loss of a laptop, and many companies don't report them, experts say.
"It’s staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for," said Larry Ponemon, chairman and founder of the Ponemon Institute. "IT departments must re-evaluate the steps they’re taking to protect mobile professionals, the laptops they carry, and company data stored on mobile devices."
Besides the developers I personally know, the boards I lurk on (www.codeproject.com) express just the opposite sentiment to the one you assert.
IT peeps. Bah! By nature they hate change. Vista has little to nothing to do with their unwillingness to accept new technologies.
As an IT guy of a meager dozen years or so... I can say that from "my" standpoint. Vista is great as a home OS. However it doesn't offer enough to make it worth the hassle yet to upgrade in our campus. However I expect by this time next year it will. That is how it goes with large institutions... It wouldn't matter at all how good the OS is... anything on this big a scale takes time!
I have had more trouble with OSX 10.5 than I care to relate... and that is on a whopping 8 machines.
GE-Raven
Interesting- my experience with OS X has been nothing but pleasant. I would be very interested in hearing the problems you've had. I suppose that sounds like a taunt, but I promise you it isn't.
My sister just bought a Mac with OS X..
For the first 2 weeks, she loved it..
Now that she is realizing that 95% of her software needs emulators to work, and WINE is incompatible with much of her software, and CrossOver isn't working correctly either.. she is considering taking it back and exchanging it for a PC...
Add on top of that, there is hardly any software market for OS X or Linux..
She is going to make her decision in the next 3 days and then she either has to keep the machine or exchange it.. the 30-day return policy.. got to love it.
Ha.. I could take you to meet a room full of mainframe programmers who are holding out for Cobol's inevitable return to popularity.
Perhaps you are right- I read that in a CNET article a couple weeks ago (about 90% of developers not switching). If my source was erroneous, then so was my statement, but I'm not sure how I can verify it.
As for IT professionals, yeah, they do resist change, because it increases their workload. Still though, I don't remember this many IT guys being upset with XP (though I do recall hearing some griping).
He's been brainwashed by that bastard Steve Jobs and his mystical turtleneck sweaters!!
DAMN YOU STEVE JOBS!! DAMN YOU TO HELL!!
I hate turtlenecks, I never did get that hippy bastard's fascination with them. On the up side, they did a good job: my brain has never been so clean.
OSX Problems so far...
General flaky behavior with the iPrint client (sometimes it works and other times it won't ask for credentials, or worse yet it "thinks" it knows them)
Transfer of user settings.... sure the documents came over but the issue is Apple insists it is best to do this at first boot of the machine. Yeah... great idea, let me transfer all the settings for software that has yet to be loaded on the new machine!!! End result... Office 08 thinks it is patched when it isn't... and given the brilliance of Mac doing things for you, you can't force it to upgrade without nuking the user settings, then uninstall, reinstall, update, then manually copy back the user settings.
Keychains... borked on anything that isn't native Apple software (AFP shares etc.) Basically you need to delete them and redo them on every boot.
Adobe Illustrator Disk access... in 10.5 attempting to save crashes the program.... UNLESS you "export" as a pdf then once you have done that once Illustrator saves with no problem... until you reboot, then you must export one file to get it to work again.
This doesn't happen on every machine, but some. You can also "repair" the disk security before EVERY run of Illustrator, which also fixes it. Neat!
So yeah... this is just a sample of the fun I have had. Mind you none of this happened with 10.4
Oh well... Luckily I only support a dozen macs.
GE-Raven