Sunday, 30 January 2005

An "open letter" to Microsoft...

Once again, commenters everywhere are espousing opinions on Microsoft's latest statements regarding the company's plans to disallow updates for pirated copies of Windows (and other software).

We all know taking that position results in one primary problem: Unpatched computers get infected or overrun and then bombard computers of others - making victims of people with valid, paid-for copies of Windows.

I understand Microsoft's position, I disagree with it, and I have a solution.

Patch the pirated computers, "update" the pirated computer's firewall to control two-way traffic, then turn that firewall on. Turn it on all the way. Like as in "nothing-in, nothing-out." Stop all the network traffic on those machines. And put "PIRATED" in all four corners of the screen, like you do with Safe Mode. Heck, for that matter, only allow users to boot into safe mode if it's pirated.

Of course, you could leave open connections to, say, a Microsoft site where people could be allowed something like, oh maybe 30 days to register their software. Give 'em a reduced registration rate maybe. Or maybe not. That's up to you.

Seriously - A significant portion of my job is protecting my company from all those unpatched and out-of-date computers. My time is valuable, and so is the time of many others like me. The ball belongs in your court - Where thousands of people have to spend hours and hours defending networks, you can fix it for all of us in one fell-swoop.

Microsoft's failure to patch problem computers makes for a less-secure Internet. It makes for higher operating costs for my company. It means I am focusing my time on things I need not deal with. It means I'm not focused on more important things that deserve my individual time.

Revenues are important, sure, but so are your customers, and so is wide area network security. This is the one area where revenues might just need to take a back seat. Think about it. Do the right thing.

Drastic? Sure, but healthier than leaving security holes all over the planet.

By not helping your enemies, you hurt your friends. You can't win, but you can make sure the people who are already on your side are taken care of.

Patch that software. Then get 'em with the firewall. Do it. We need you.

And thanks for listening.

EDIT:

P.S. - Is this a little tongue in cheek? Sure it is, somewhat. The idea is to discuss all the options and possibilities, and I think people need to talk more about the option of making it harder for software thiefs, regardless of the PR impact. Talking about it and actually doing it are two very different things, and often useful ideas come out of the conversations about the "fringe" options.

Already several emails and opinions are coming in (keep 'em coming, and you can also use the comments link below), so let me point out a few things...

  • First, I don't think Microsoft is "evil" - and that was not my point. Not even close.
  • Second, I know automatic updates would still work for pirated software under the proposed plan. That's not my concern - apparently there are some idiots who steal software that just don't have the brains or desire to turn it on, for whatever reasons.
  • Third, I'm not freaking out over something that hasn't happened yet. Rather, I am thinking about and commenting on something that's being discussed and in which I have professional interest and experience. Part of my experience is that if you offer opinions before Microsoft takes action, you're more likely to have your opinion count for something, however small. Come to think of it, that's more about the way the world works in general than it is about Microsoft...
  • Fourth, my thoughts are more about Microsoft asserting itself from both the "security-custodian" and "software-seller" roles. Two statements (drastic ones, granted) in one brush stroke.

Mitch Wagner at Security Pipeline has his own opinions on the matter, too. See what other people are writing about the subject with Feedster.

Interesting conversation. What do you think?



Add/Read: Comments [5]
IT Security | Tech
Sunday, 30 January 2005 23:15:50 (Pacific Standard Time, UTC-08:00)
#  Trackback

Joe Stagner, a Developer Community Champion at Microsoft, will be presenting a series of two webcasts per month, starting this week and running through May on the general topic of designing and writing secure applications.

Dubbed the "Digital Blackbelt Series," the webcasts will cover these topics:

MSDN Webcast: Digital Blackbelt Series: Building an Intentionally Secure Development Process (Level 200)
Friday, February 18, 2005
11:00 A.M.–12:00 P.M. Pacific Time, United States and Canada (UTC-8)

MSDN Webcast: Digital Blackbelt Series: Developer Security Principals and Guidelines (Level 200)
Friday, March 4, 2005
11:00 A.M.–12:00 P.M. Pacific Time, United States and Canada (UTC-8)

MSDN Webcast: Digital Blackbelt Series: Protecting Secret Data (Connection Strings, Passwords, etc.) (Level 200)
Friday, March 18, 2005
11:00 A.M.–12:00 P.M. Pacific Time, United States and Canada (UTC-8)

MSDN Webcast: Digital Blackbelt Series: Defending the Database (Part 1 of 2): The SQL Injection Attack in Detail (Level 300)
Friday, April 8, 2005
11:00 A.M.–12:30 P.M. Pacific Time, United States and Canada (UTC-7)

MSDN Webcast: Digital Blackbelt Series: Defending the Database (Part 2 of 2): Making the Right Design Choices (Level 300)
Friday, April 22, 2005
11:00 A.M.–12:00 P.M. Pacific Time, United States and Canada (UTC-7)

MSDN Webcast: Digital Blackbelt Series: Beating the Hacker: Don't Let Them Steal Your Code (Level 200)
Friday, May 6, 2005
11:00 A.M.–12:00 P.M. Pacific Time, United States and Canada (UTC-7)

MSDN Webcast: Digital Blackbelt Series: Social Engineering and Mitigating System Vulnerability (Level 200)
Friday, May 20, 2005
11:00 A.M.–12:00 P.M. Pacific Time, United States and Canada (UTC-7)



Add/Read: Comments [0]
IT Security | Tech
Sunday, 30 January 2005 22:22:51 (Pacific Standard Time, UTC-08:00)
#  Trackback

Today was a real win for - and by - the people of Iraq. Today was a great day.

Read reports direct from Iraq here, and see more photos here.

Markofpeace

Atheer Almudhafer, from Falls Church, Va., gives the Iraqi sign of victory after casting his absentee ballot at the New Carrollton, Md., voting station, Jan. 28, 2005. His finger is marked with indelible blue ink, intended to prevent double voting. "I give the sign of peace and voting. Together it is victory," Almudhafer said. Defense Dept. photo by Tech. Sgt. Cherie A. Thurlby, U.S. Air Force.

Blue_mark



Add/Read: Comments [0]
Random Stuff
Sunday, 30 January 2005 16:39:56 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Saturday, 29 January 2005

Microsoft has opened up the Office document formats and made them available for the world to see.

The Schemas provide developers and representatives of business and government a standard way to store and exchange data stored in documents. The download contains documentation on a number of XML schemas for Microsoft® Office 2003 Editions including:

  • Microsoft Office Word 2003
  • Microsoft Office Excel 2003
  • Microsoft Office InfoPath® 2003
  • and Microsoft Office Visio® 2003

It also includes schema information for:

  • Microsoft Office OneNote® 2003
  • Microsoft Office Project 2003
  • and Microsoft Office Research Services

Download the schemas and documentation and read the Office 2003 XML Reference Schemas Frequently Asked Questions.

News coverage from TechWorld:

"The move puts Microsoft on a better footing to compete against open-source applications and non-proprietary document formats. Governments around the world have begun to reconsider the use of proprietary formats, which usually lock them into using particular applications and may hinder archiving efforts.

"Microsoft Office formats have become a de facto standard, one of the factors making it difficult for organisations to use alternative applications."

(via Robert Scoble)



Add/Read: Comments [2]
Office 2003 | Tech
Saturday, 29 January 2005 23:36:25 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Friday, 28 January 2005

My employer, Corillian Corporation, has a few openings, including one for an employee to work on the IT Department's Help Desk. Maybe you'd be interested, or maybe someone you know would fit the bill?

Corillian is a Portland, Oregon-area software company, and IMHO it's a pretty darn nice place to work. Great challenges, great opportunity, and great people.

The IT Help Desk job is an entry-level or early-career position, working in the corporate IT department. The employee in this position acts as the point person for the company's internal help desk. Managing requests for service and basic Windows computer and network troubleshooting are the primary day-to-day job tasks. Excellent customer service skills and a customer-oriented, confident, on-your-game personality are critical. The company is looking for someone who can hit the ground running from a customer-service standpoint.

If you or someone you know is interested, time is of the essence - So email or call me and I will put you in touch with the hiring manager. My email is greg@greghughes.net and my office phone is 503-629-3771.

QA and Software Developer Positions: I am told that Corillian is also looking for QA and Software Engineers, so if you are what a leading-edge software company would consider a top performer in either of those areas, email or call me about those positions, too, and I will make sure you are put in touch with the right people. It'll be competitive, I can tell you that, so be prepared, but don't hold back.

Note: This post is my own, and is not a communication by or for my employer. I am just trying to make people aware of some opportunities that I happen to know about. In the interest of full disclosure, I should say that if you get hired, depending on the position they might spot me a small bonus that would probably pay for a nice lunch or dinner for you and me. But don't count on it - and the help desk job reports under me in the organizational scheme, so I am not eligible for any bonus on that position. Phew! :-)



Add/Read: Comments [0]
Random Stuff | Tech
Friday, 28 January 2005 21:43:08 (Pacific Standard Time, UTC-08:00)
#  Trackback

D2x_picNikon has announced that their cool new D2X digital SLR camera will be available on February 25th, and that it will sell for a "suggested" street price of $4999.00. Hook up a GPS device to record location data. Transmit data via WiFi. Remote control the camera. Instant-on and fast shutter response time of 37ms - great improvements for low-lag operation. Flash sync at 1/250th of a second. Awesome metering. Fast continuous shooting. All nice stuff.

But there's one thing that will keep me from even considering buying this camera. And it's not the price.

It's this bit of info, gleaned from the fine print in the spec sheet:

    • Approx. 1.5x focal length in 35mm [135] format equivalent

Argh, no! I have to say, I was pretty darned surprised to find this hidden in the back of the specs list, especially since they are marketing the D2X as being capable of "5fps continuous shooting mode full size or 8fps in a 6.8MP cropped mode." Turns out the "cropped mode" means a 2x multiplier over 35mm equivalent, as opposed to non-cropped mode, which has a 1.5x multiplier.

Very sneaky. Very sucky.

At 12.4 megapixels and $5000, someone tell me why in the world camera manufacturers can't put a chip in the thing that will make it act like a real 35mm camera from the field-of-view/coverage perspective. I'd take lower effective resolution (say 8 megapixels or so?) and no multiplier at this point.

Believe it or not, to someone who was a film photographer for several years, this actually matters to me. Nothing aggravates me more about digital SLR cameras than an image that has a telephoto-style crop and a short-lens depth of field. I hate that. I have a D70 that does that. Don't get me wrong, for $1000 I like the D70 just fine. It's a consumer-grade camera, and sure I'd like it a heck of a lot more if it had a chip that would use the lens the way it was built to be used. But this camera is more than the D70 can dream of being.

So, if I am going to pay five times the cost for a better camera, put in a full-sized chip that uses the full field the lens was built to cover. Seriously.

Hey Nikon - Just so you know, I was actually ready to seriously consider spending $5000 on your new camera - but now I guess I'll just wait. Again.



Add/Read: Comments [7]
Geek Out | Photography | Tech
Friday, 28 January 2005 21:03:59 (Pacific Standard Time, UTC-08:00)
#  Trackback