I hope I haven't offended you. It wasn't my intent if I did. You and Steve aren't going to see eye-to-eye on this, nor is it even necessary or required that you both do. I sense you are getting frustrated, annoyed, and maybe even a tad angry. If true, my apologies. I, nor any other Administrator, want to make any member feel uncomfortable or of lessor value.

Time to close this thread, I think. I hope the rest of our members don't mind the insult you just threw at them.

So in other words, if you don't have any degree(s) on your wall(s), you are full of $#1+, umm, OK, I guess that means MILLIONS of others are full of $#1+ too. Nice one. How about I just come here for tech support until my subscription runs out? Being talked to like a child is really annoying.

There is a huge difference between corporate world doublespeak fluff and real world experience. Obviously the latter counts for nothing.

I will respond to various points here, and this will be my final reply to you.

The Privacy Rights Clearninghouse has been tracking data breaches since 2005. The 2013 Ponemon study of data breach costs estimates the average consolidated worldwide cost per breached record to be $136. An interesting exercise is to multiply these two numbers together. The result is approximately $84 billion in costs to recover from attacks since 2005. If you read through the summaries at Privacy Rights Clearinghouse, you will find that the vast majority have to do with poor configurations and sloppy data handling practices. Bugs in all software have contributed to this staggering sum.

Sounds like you know how to take care of your machines pretty well, then. Congratulations.

See, this is the kind of claim that just weakens your general arguments. Microsoft has no control over any of these technology dealers and service companies.

I have provided ample evidence that explains why UAC was added to Vista. Your worldview is necessarily limited to the, perhaps, hundreds of people you've worked with, likely home users and small businesses. Please consider the scale that we had operate under. A billion machines, the majority owned by large enterprises, were running poorly-written third-party programs whose authors had no incentive to improve. Microsoft does not buy their products. No amount of pleading from us made them realize the danger they caused their customers. So, yeah, we caused the world some pain. The end result is that customers demanded better software from their third party providers. In response, vulnerability counts went down, and we relaxed some of UAC's more onerous controls. These results are documented quite well in the series of bi-annual Security Intelligence Report published by the group I was in, Trustworthy Computing. By the way, UAC and the EULA have no relationship to each other. Again, another baseless claim.

Windows XP did not include a license for the necessary decoders to play DVDs. There was no conspiracy here; it was a business decision. As for the digital version of whatever movie you had, perhaps the studio that created the DVD included a program that allowed you download it. If that program failed, it's the fault of the studio. Furthermore, as you can see, no dissection is necessary; I'm supplying facts.

Friendly banter is fine, but please (all) be aware of it turning into non-useful argument, or worse, anger and personal attacks (soft, mild, direct). If (big IF) that happens here, I'll close this thread.

Just in case anyone wants to know "who" Steve Riley is, well:

Steve Riley's Summary


Over 23 years experience in information technology. Areas of emphasis include:
* information security
* local- and wide-area networks
* cloud computing
* telecommunications
* digital multimedia
* enterprise architecture
* research and evaluation
* computing standards
* technical presentations and articles

Interests include:
* intersection of technology and social policy
* effective use of information security as a business enabler
* on-going evolution of information technology as a tool to enhance business efficiency and promote social and cultural development
Specialties

* Comprehensive familiarity with Internet standards, protocols, design, and operation
* Skilled in security analysis, assessment, and incident response
* Effective communicator across broad and mixed technical and business audiences



Steve Riley's Experience


Technical Director, CTO office

Riverbed Technology


Public Company; 1001-5000 employees; RVBD; Computer Networking industry
January 2011 – Present (2 years 10 months)
The growth of data communications traffic continues to outpace expectations and technical capacity. Riverbed Technology offers solutions to optimize data traffic, thus reducing your bandwidth costs, and solutions to simplify cloud storage, thus increasing the reliability and integrity of your data.

At Riverbed my role is to research cutting-edge developments that help customers maximize their infrastructure investments. This includes working with customers to develop and improve technical architectures, incorporating feedback into the product planning and development processes.


Sr. Technical Program Manager

Amazon.com


Public Company; 10,001+ employees; AMZN; Internet industry
July 2009 – December 2010 (1 year 6 months)
The momentum behind cloud computing continues to grow. Unlike the application service provider (ASP) days of yore, cloud computing is here to stay: the business models are mature, the technology can support the requirements, and there are clear customer benefits.

My role at Amazon Web Services was to help customers of all sizes, from small start-ups to large enterprises, understand the benefits of infrastructure as a service style cloud computing and how to integrate the various elements into their existing infrastructures; also to track requirements, concerns, and opportunities so that Amazon’s offerings match the needs of its customers.

Many organizations are keen to explore cloud computing, but have reservations particularly about availability, reliability, security, compliance, and manageability. In my role I concentrated on these issues, helping customers understand the depth and maturity of AWS's technical solutions.


Sr. Security Strategist

Microsoft Corporation


Public Company; 10,001+ employees; MSFT; Computer Software industry
January 2003 – May 2009 (6 years 5 months)
Executive customer engagement with chief security officers and security architects. Discuss long-term technical and buiness requirements to prioritize investment areas for future product versions. Develop and maintain trending data on top security issues over time to influence product design. Consistently rated in top 10%; highest speaker effectiveness rating for 2008

Worldwide security speaking engagements annually reaching 25,000-30,000 people. Areas of focus include policy, process, technology improvements, human security. Goals: increase customer security knowledge, improve satisfaction, influence opinion. Consistently rated in top 10%, often top score. Events: TechEd, Windows Connections, TechMentor, SANS Institute, BlackHat Windows, Institute for Advanced Network Security. Received the Microsoft Executive Briefing Center Top Speaker award.


Sr. Consultant, security practice

Microsoft Corporation


Public Company; 10,001+ employees; MSFT; Computer Software industry
January 2002 – December 2002 (1 year)
Security consulting practice that worked with governments, large enterprises, and small-business startups.

* Security policy reviews and vulnerability assessments
* Multi-site VPN designs
* Wireless network security architectures (first customer deployment of 802.1x)
* ISA Server firewall designs and access infrastructure deployments
* PKI design and deployment planning
* SharePoint publishing architectures (first customer deployment of ISA Server for SharePoint publishing)
* Intrusion detection deployment planning


Sr. Consultant, telecommunications practice

Microsoft Corporation


Public Company; 10,001+ employees; MSFT; Computer Software industry
November 1998 – January 2002 (3 years 3 months)
Practice within Microsoft Consulting Services dedicated to telecommunications customers. Most projects involved first-time customer deployment of Microsoft products by online infrastructure and application service providers.

* Multi-tenant service architectures and configuration
* Hosted Exchange service security architecture (first customer deployment of ISA Server for Exchange publishing, including driving post-release ISA Server functionality additions)
* Hosted web service design and deployment
* Vulnerability assessments and remediation
* Active Directory domain and forest designs, group policy configuration
* ISA Server architecture designs and deployments
* IPsec policy development and deployment (including server and domain isolation)
* Routing optimizations for streaming media
* DNS and Active Directory configurations for multi-domain/forest shared facilities
* Security audits and policy reviews


Systems analyst and Internet component architect

American Electric Power


Public Company; 10,001+ employees; AEP; Utilities industry
January 1995 – May 1998 (3 years 5 months)
* Internet and intranet strategic planning
* External connectivity design and architecture
* Internet acceptable use policy
* DHCP design and deployment
* Training for first- and second-line support personnel
* Network bandwidth assessments; QoS planning for voice and video
* Help desk call system application development
* TCP/IP migration planning


Systems analyst and computer engineer

Ashland


Public Company; 10,001+ employees; ASH; Chemicals industry
June 1987 – December 1994 (7 years 7 months)
* Networks and telecommunications
* Lotus Notes administration and development
* Training
* Product evaluation and standards
* Computer and network management and support





Steve Riley's Skills & Expertise

• Security
• Network Security
• Computer Security
• Security Management
• Security Audits
• Data Security
• Information Assurance
• Information Security Management
• Information Security Policy
• Internet Security
• Network Architecture
• Wireless Networking
• Wireless Security
• IP Networking
• Windows Security
• Windows Networking
• Windows Network Administration
• Windows Server
• TCP/IP
• Technical Writing

View All (50) Skills


Steve Riley's Publications

• Protect Your Windows Network
  • Addison-Wesley Professional
  • May 2005
  
  Authors: Steve Riley, Jesper Johansson
  In this book, two senior members of Microsoft's Security Business and Technology Unit present a complete defense-in-depth model for protecting any Windows network -- no matter how large or complex. Drawing on their work with hundreds of enterprise customers, they systematically address all three elements of a successful security program: people, processes, and technology.
  
  Unlike security books...more
  
• Auditing Cloud Computing
  • Wiley
  • August 2011
  
  Authors: Steve Riley, Ben Halpert
  This book is a collection of writings by several authors. My contribution is Chapter 4, System and Infrastructure Lifecycle Management for the Cloud.
  
• Articles published
  
  Authors: Steve Riley
  * “Maximizing cloud storage security,” Riverbed whitepaper, August 2011
  * “Optimization is for the clouds,” Riverbed whitepaper, June 2011
  * “Extend your enterprise IT with Amazon Virtual Private Cloud,” October 2009
  * “Groovy security in Windows 7,” TechNet Magazine, October 2009
  * “Untangling the confusion of client security,” Microsoft Security Newsletter, October 2008
  * “Supporting your...more
  

Steve Riley's Honors and Awards

• One Microsoft Executive Briefing Award
  
  Microsoft Corp.
  • 2008
  
  For outstanding customer dedication.
• Performance Excellence Executive Briefing Award
  
  Microsoft Corp.
  • 2008
  
  For highest-rated speaker effectiveness.
• Distinguished Speaker Award
  
  ISACA Singapore Chapter
  • 2005
  
  
• ISA Server MVP Award
  
  Microsoft Corp.
  • 2004
  
  
• Top speaker awards for several Microsoft TechEds worldwide
  
  Microsoft Corp.
  During 2001-2009.

Steve Riley's Certifications

• Microsoft Certified Technology Specialist
  • Microsoft Corp.
  • September 2011
  
  
• Microsoft Certified Systems Engineer + Internet
  • Microsoft Corp.
  • November 2000
  
  
• GIAC Certified Incident Handling Expert
  • SANS Institute
  • June 2000
  
  
• SANS Security Essentials Certification
  • SANS Institute
  • August 2001

Steve Riley's Courses

• Technical Director, CTO office
  
  Riverbed Technology
  
  
  • Riverbed Steelhead Deployment
  
  
• Sr. Consultant, telecommunications practice
  
  Microsoft Corporation
  
  
  • Microsoft Solutions Framework
  • Microsoft Commercial Internet System
  
  
• Systems analyst and Internet component architect
  
  American Electric Power
  
  
  • Adaptive Architecture Immersion Seminar
  • Keane Productivity Management
  
  
• Systems analyst and computer engineer
  
  Ashland
  
  
  • Basic Systems Analysis
  • Train the Trainer
  • Successful Project Management
  • Advanced VINES System Administration and Planning

Steve Riley's Education


The Ohio State University

BS, computer and information science

1985 – 1989
Concentrations: software engineering, database design, programming language theory, technical writing and communications.


He does know of what he speaks.

To be fair, Steve was responding to a specific claim that you made about Microsoft, not defending the company in general. Having worked there, it's only natural that he knows a lot about them, and is in a position to point out where you were wrong. You can be incorrect about that specific claim and Microsoft can still be a nasty company!

As for Batman, you didn't miss much

I don't think anyone here is going to disagree about how annoying DRM is.

Feathers

Steve, you missed your calling, you should have been a salesperson/politician, lol. You can dress a pitbull up in a tutu but it's still a pitbull. If Microsoft's EULAs weren't so locked down and airtight, they would have been sued in to the ground YEARS ago, they've...and yeah I am saying this without a link because it's the easiest paranoid tin-foil hat estimate I've ever made...cost domestic and enterprise billions of dollars in damages, down time, data loss, third party 'protection-ware', etc, etc. I've been servicing other peoples' computers since the early 00's, the same people would come back to me every six months, with totally infested and corrupted machines, mine of course never had problems, so let's say for schizz n giggles the percent of users that become savvy like me is what, oh, say 10%, that leaves the other 90% to dangle in the wind at the mercy of unscrupulous tech repair dealers/servicing and Microsoft. All that being said, UAC was nothing more than an extension of their airtight EULA, so they can say "you got a popup, you opened the file anyway, it's out of our hands", phhht. All those passed bucks went right in to Bill and Steve's bank accounts. Windows was (I say was because their reign is over IMHO) the biggest fraud/scam perpetrated on the consumer in the history of man, I can easily say that because Bill became the richest man in the world. If they put half the money back in to the OS that they paid shareholders and themselves, we wouldn't be having this conversation, Windows would have been a good product and even I would still be using it. They can't even give it away anymore, I've heard some copies go for as little as $39.99, a far cry from the hundreds of yesteryear.

Here is a little story for you about the day I had enough of Windows, aka, the last straw...my old computer, Core 2 Duo, store bought legal XP Home, my gf buys me a store bought legal copy of Batman: The Dark Knight, so for schizz n giggles I pop the movie DVD in my computer's optical drive thinking all will be well because after all, like a good law abiding citizen, every thing was legal and paid for with honest money, a message box pops up, something to the effect that because of DRM I can't watch the movie on my PC, then it says well here is a link, go *here* and you'll be able to download the movie file (I think they used the term "digital version"), I click the link and nothing, I get a message saying I'm not entitled to the file even if the webpage was working. So the machine cost me $2,000 to build, XP cost me $150 but the disk would play on a $99 Walmart DVD player hooked up to any old garbage TV, do you see the problem there? But I don't need to explain this to you, you worked there, I am telling you this REAL WORLD STORY because this is what I and MILLIONS of others went through on a regular basis running Windows on our computers. Please don't try to dissect this story, I have no reason to make this up.

So when the smoke clears Steve, you actually look kind of sad defending the substandard product of your former employer. Window-gees are not happy campers Steve, I'm a good example. This forum isn't the only FOSS I've donated too, have you heard of Testdisk? 37 Euros all the way across the ocean to France, just one example of course, used to use PClinuxOS at one time, Texstar was my bud but he couldn't control some a-hole mod in his forum, among other things, they got some good bucks from me, but that's just me, people I think DESERVE my money get some, that being said, I wouldn't run Windows again unless by force, somebody holding a gun to my temple.

Edit: Almost forgot, there was a happy ending to the Batman movie story, just so happens, I had a PCLinuxOS disk with the 'copy to ram' option kicking around, the 'copy to ram' came in handy because I had to remove the OS disk from the optical drive to play the Batman movie after installing a few codecs 'on-the-fly', worked like a charm, was so impressed, I made a video of it with my old HP digital camera and posted the incident on Youtube.

I completely accept your point about security holes in code, and free software being no better than non-free in terms of having a proper audit.

The other consideration, and the point that I believe many people are trying to make when they say libre software is better, is about the intentions of the developers.

I trust that some random XDA developer/Canonical employee, has better intentions than developers that are primarily trying to make money, and may see screwing the users over as the easiest way to do it. Mostly, it's a judgement call that isn't based on evidence. If you gave me a good reason not to trust these people then I would change my position. We already have some pretty good reasons not to trust those "$BIG-SOFTWARE-COMPANIES", but AFAIK canonical has a fairly clean record (apart from the unity search thing, which was kind of questionable).

Feathers

I know! What was I thinking?!

So optimistic! You should know better

Feathers

This is such a Slashdot comment thread! Haha. It always descends into talking about compromised compilers. For me, once you reach that level of detail the conversation is still interesting and informative but it doesn't actually help anyone because virtually nobody is going top take the time to be that paranoid!

Can we agree that free software may have just as many security holes in it as non-free, possibly more, but that you can be fairly certain it doesn't have any deliberate malicious features put there by developers to control the users, which is the point. Security holes may be difficult to spot, but whole features are not. Having a 100% free system at least gives you that.

Not that mine is 100% free, lol.

No. The landscape of attacks has become quite vast; it is inaccurate now to state "most [malware] is written to attack Windows." The evidence in the three reports from Verizon, Symantec, and McAfee contain data to support this assertion.

An article published by an anti-virus software company, quoting an ex-Cisco security strategist who claims that anti-virus software can't keep up with malware changes. That's certainly an...interesting...bit of evidence to put forth. Oh, and the claim of 49 million new strains of viruses misrepresents the actual report: AV-TEST's statistics are not granular; the 49 million number for 2010 includes all categories of malware.

Apparently you didn't follow my suggestion to read page 24 of the Symantec report. Otherwise you would have learned that Internet Explorer has the second lowest number of vulnerabilities of the five major web browsers. I hope, for your sake, that if you really care about security, you're using only Opera.

UAC was an intentional strategy to get third parties to write better code. It was never intended to be a security boundary. Software vendors are lazy and won't change unless their paying customers demand it. After trying several strategies to coerce third parties to get better and having no success, we took the UAC route. Yes, it was painful, but it worked.

I completely agree.

Cogent, reasoned argument is perfectly acceptable here. No one is censoring. You should expect, though, that I will challenge blatantly false reportage, like the article you highlighted about the TPM and NSA. Furthermore, I would hope that all of our members feel comfortable scrutinizing, questioning, and validating what passes for "news" in the contemporary tech press.

You do realize I was a Windows user up until a few years ago right? That's 13 years of firewall and anti-virus program trying/using, etc etc, it was a MUST. So essentially you are saying because there are new kinds of hacking and fraud + Android phones/tablets coming on the scene, the threat to Windows disappeared overnight? And you talk about my baseless arguements, wow, just wow, I lived the nightmare sir, but I was quite savvy at it and had little to no problems, I even did registry tweaking to shut off Microsoft's embedded 'spyware'. For some reason searches aren't yeilding anti-virus dollars spent anually data, like it's a protected fact, very strange, NOW you can call me paranoid, lol. Ope, wait, I think I might have found something...

"While, in 2000, the total number of new strains are almost less than 1 million, the handiwork of amateurs , by 2012 there were 49 million new strains, as per the AVI-Test, a German research institute that evaluate anti-virus products. - See more at: http://www.spamfighter.com/News-1813....UOUNX7qj.dpuf "

49 million huh? Yeah, OK, the threat to Windows is gone, we all can breathe a sigh of relief now, lol.

Edit: Years ago I stopped using IE because I realized it's Swiss cheese security wise, aside from buggy, flakey and unreliable, which just so happens to be ingrained in the Windows OS, love the option they gave to hide it, too funny, but no uninstall, very strange that, whatever happened to the anti-monopoly decision? That was the result, you're stuck with it but you can hide it? That's like a car dealer telling me I can put seat covers over the pink seats, they'll still be there, phht. But you've probably heard all this rant before from other people, what I don't understand is when it's coming from me, it's paranoid tin-foil hat conspiracy laden bull schizz, again, I lived the Windows 'experience'.

Edit 2: I just reread the second part of your 'Nope', it would appear you are saying Microsoft is blaming everybody but themselves now, I think that's called finger-pointing, I'll give you Windows is more locked down (beloved <insert sarcasm> DRM) than it used to be (but nothing and nobodys' software is 100% secure 100% of the time), but foisting blame on the customer by UAC was just pathetic, distancing themselves right at the user/GUI level, brilliant strategy, absolutely brilliant.

Edit 3: Don't worry Steve, I'm getting the hint, stop bashing Windows in what is supposed to be a neutral forum about Kubuntu. But if we backtrack a little, all I did was post a story link in Geek News and you jumped all over it. Why do this and other non-Kubuntu OS sections in this forum exist? You mods would save a lot of time and headache not having to censor/control them.

Nope.
* Verizon: cash machines, stolen credentials, people.
* Symantec: Flash, Java, Acrobat, Quicktime, Firefox, Chrome, Safari, bad server configs (page 24 is especially illuminating).
Attacking Windows has become much more difficult than 10 years ago.

Doesn't matter, because aside from Android, the OS is not interesting to bad guys anymore.
* McAfee: As a category, viruses don't even show up now.

It is obvious that you and I will not reach agreement in this thread or the other one. I strive to make points that are fact-based, supported by evidence, and informed by three decades of working with system-level software, including compiler design, protocol implementation, and malware research. Your claims lack evidence and tend to exhibit a worrisome conspiracy theory aspect. Unless you can start bringing some actual facts to the debate, I'm not sure there's any point in continuing.

So to get back on topic, Ive been playing around with Lightbeam. I dont normally use Firefox, but I spent an hour browsing as normal with similar security settings that I have on Opera, my main browser. I have a cookies white list and deny all other cookies. My lighbeam graph is clean as a whistle.

So...to tie this in with what Steve said...on any system, with any browser or any other programs, the user is the weakest link.