I hear the question from time to time what the advantages and disadvantages of Windows 3.0 were. Windows 3.0, released in May 1990, is generally considered the first usable version of Windows. The oft-repeated advice to always wait for Microsoft’s version 3 is a direct reference to Windows 3.0 that still gets repeated today, frequently.
Although Windows 3.0 is clumsy by today’s standards, in 1990 it had the right combination of everything to take the world by storm.
The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.
Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.
I had an old Compaq Evo D510 full-size tower/desktop convertible PC, from the Pentium 4/Windows XP era, that I wanted to upgrade. The machine long ago outlived its usefulness–its Pentium 4 CPU is less powerful than the average smartphone CPU while consuming enough power to be a space heater–but the case is rugged, professional looking, and long since paid for. So I thought it was worth dropping something more modern into it.
I chose the Asrock Q1800, which sports a quad-core Celeron that uses less than 10 watts of power and runs so cool it doesn’t need a fan. It’s on par with an early Intel Core 2 Duo when it comes to speed, which won’t turn any heads but is plenty fast to be useful, and the board can take up to 16 GB of DDR3 RAM and it’s cheap. I put 16 GB in this one of course. I loves me some memory, and DDR3 is cheap right now.
Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.
Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and IOS are fairly close, security wise.
So why do we see so many more Android bugs? Drake had an answer.
Windows 10 is out today. Of course I’ve been getting questions about whether to upgrade from Windows 7 to 10, and I’ve been seeing mixed advice on upgrading, though some of that mixed advice is regarding Microsoft history that isn’t completely relevant today.
My advice is to upgrade immediately if you’re running Windows 8 or 8.1, and to wait, perhaps six months, if you’re running Windows 7, but I still think you should do it. I’ll explain.
I’ve heard enough scoffing over the past few days over the Navy re-upping its contract for paid support for Windows XP to last a lifetime.
But it’s not just a Navy problem, and it’s not necessarily as bad of a problem as it sounds. Necessarily.
I was on a conference call discussing the Microsoft product lifecycle with several coworkers and our Microsoft-assigned support engineers when someone asked if a server version of Windows 10 was going to come out.
The Microsoft rep said no comment. Then I chimed in.
“We need to assume they will release a server version, probably about six months after the desktop version, and we need to start testing and preparing to deploy it when it comes out,” I said.
“Shouldn’t we wait for Service Pack 1?”
I went in for the kill. Read more
So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.
Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”
Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.
My name, and my department’s name in general, gets thrown around a lot at work. We have a bit of a reputation as the can’t-do guys.
Professionalism dictates I not go into specifics about what kinds of things we reject or disapprove, but if I were to explain them, no security professional would disagree with me.
The other side of the argument, of course, is that the system still does its job the way it’s supposed to do and the system cost a lot of money. Here’s a story of a tense situation and how we were able to come to an understanding. Read more