On Vendors Offering Discounts on VA/PT Services “Due to Financial Crisis”

I have a bone to pick with the idea of vendors suddenly offering price drops on their assessments and such “in response to the financial crisis.” In my opinion, this is nothing more than a gimmick. A cheap come-on to win more business while the times are tough and the chips are down. If you can offer these discounts today without it impacting your margins at a serious level or making it tough on you to do business, then why couldn’t you do it last week, last month or last year? I’ll tell you why, because you were caught up in that extra margin and extra charge to your clients and in making that extra profit.

At MicroSolved, I have refused to play these games with our customers for 20 years. I strive every day to keep our prices as low as possible for the work we do, to pay our team fairly and to keep us in business. We contribute to the community, support the Credit Union movement and engage with companies and organizations all around the world that are dedicated to “doing the right thing.” We continually strive to focus on increasing our value to clients and keeping our costs as low as possible. Here are a few examples of some of the steps we have taken and are taking to do so:

Consultant presence. Years ago, our onsite presence for assessments and pen-testing was a high cost item for clients. Travel, lodging and per diem were and are high ticket items. Several years ago, in an effort to lessen the financial impact on our clients and staff, we began using VPN connectivity and shipping appliance computers instead of people. The cost of shipping this hardware remains expensive today, but nothing like airfare and hotels for a security team. In 2009, our team is moving to create and deploy stable, trustworthy virtual machine images that we can move over the Internet to bring these costs to near zero. Developing these tools and testing them takes time, resources and money, but we are dedicated to continuing to bring the most value to our clients for the least amount of dollars possible. This is just one more way we can work with clients to improve their security and reduce their cost to minimize risk.

Simplified reporting for VA/PT. Our clients tell us all of the time that our reports are the best they have seen and are provided in the most usable format they can imagine. We long ago (several years) stopped shipping HTML reports and the like. Today, our typical reporting is an easy-to-read executive summary with a one-page dashboard for the engagement findings, a technical manager report that identifies and ranks root causes of the security issues we identify, and a technical details report that is provided as a detailed Excel spreadsheet so you can change, sort, import or manage the data as you see fit. Our reports have received positive comments from auditors, regulators and clients from around the world. This year, we will again be undertaking a special project to continue to refine our reporting structures. For us, leading the industry is not enough; we want to establish even more value for our clients and help them manage the reporting data in ways that reduce their heavy lifting. As always, if you have ideas on this, let us know.

Real humans to talk to. We don’t have a web portal for your reports. We don’t have an automated system for requesting assessments or the like. We do have a technical project manager that is assigned to your account. They have access to the actual engineers doing your assessments and pen-testing, and so do you. We don’t believe that dealing with some complicated web application that also might have exposures to vulnerabilities and other issues makes our clients more productive OR more secure. MSI clients talk to real humans. We talk to clients routinely during their engagements and keep them up to date as they desire on the testing and work as it moves forward. You can communicate with your technical project manager on the phone, via email or via SMS if you like. You can have a call with the engineers to clarify issues or to get answers to technical questions about the engagement. We even support our engagements for one year, allowing you to ask questions, interact with the security team and get answers up to 12 months after the engagement!

Approaches like HoneyPoint. HoneyPoint is our leading-edge software for managing the insider threat. It was designed from the ground up with the idea of “deploy and forget” (SM) in mind. We created it so you could have security visibility around your environment in a powerful way that eliminates false positives, signature updates and tuning. Long before the current “financial crisis” we wanted to help organizations get better security with fewer resources, and we have. Today, organizations are using HoneyPoint along with tools like OSSEC to replace IDS/IPS systems and finding the total cost of ownership to be 1/2 and the total resource costs to manage the solutions to be 1/10 of their older, less evolved solutions. In fact, many small and home-based organizations have begun using our “scattersensing” approach with HoneyPoint Personal Edition to identify bot-net infections and malware breakouts, as well as suspicious insider activities, for a total software cost of ~$30.00 US!

There you have it. I have “put my money where my mouth is”. At MSI, we know the financial stress is real. We know you have significant security AND budget challenges. We are striving to help you with both, BUT, NOT JUST TODAY and NOT JUST FOR A WIN FOR US. We can’t just knock arbitrary costs out of our prices because we spend EVERY DAY focused on keeping those prices low and our value high for our clients. That has been our focus for 20 years and as long as I am the CEO, it will continue to be our focus. We believe that our engineers, sales and marketing teams and other employees support our efforts. They have shown time and time again that they are committed to VALUE for our clients. We may not always be the cheapest security vendor. I know our services cost more in some cases than the “scan and forget” vendors out there. I am OK with that. For 20 years I have enjoyed doing business with clients who appreciate honesty, trust, better communication and the MSI work ethic. Our clients love the work we do for them and many tell me repeatedly how much value we bring. That, in the end, I believe, is the measure of true success.

So, if you are looking for a security vendor to help you find the most value for your security budget, give us a call. We will be happy to talk to you about your needs and how MSI may be able to help. We will put together flexible payment plans, menus of services and subscriptions for engagements if you desire. We hope to talk to you soon about how we can help you be more secure with less time and money. That’s our commitment today and long after the current “financial crisis” has passed.

MicroSolved, Inc. (614) 351-1237 x206

info < at > microsolved <dot> com for more information via email

So, You Wanna Be in InfoSec?

One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CD’s, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic, both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price. The good, the bad and the security career. Paying that price is a part of the reward, you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”; it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable; it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need fewer inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…. 🙂

Twitter Smurfing or Amplified Twitter Spamming

Last night, @mubix pointed out a certain phrase that would result in a re-tweet of the attached content on Twitter. The interesting thing that got me going on this was that the folks in question had established an application to watch the Twitter stream and forward any content that mentioned the phrase to their followers.

Tweet-bots are not new, and I have written about code that could be adapted for this purpose in the past. Bots exist on Twitter for a variety of actions, but thus far, seem to have been relegated to auto-following folks or sending simple data streams to the service.

However, this new type of bot (there may be others, some even older, of which I was unaware) opens Twitter and its users to a new type of spam. The obvious issue is that you could bait spam content with bot-friendly phrases and get your message sent to a MUCH BROADER coverage of followers than your own. Malicious and rowdy behavior could follow, and a lot of harassment and criminal activity could be shared by all. Sure, as @mubix said, “this is the open relay of Web 2.0”. I agree; it is just a matter of moments before this is a widely used abuse pattern made all the more powerful by the underlying architecture of trust that is Twitter.

But, while new forms of spam are mildly interesting to me, what was interesting was that as I toyed with the bot, I would get MULTIPLE COPIES OF MY MESSAGE RETWEETED. That’s right, sometimes it would take my single message and retweet it multiple times. I could not determine if this was a bug in their implementation or a desired behavior, but it happened. That led me to the idea that you could use these bots as amplifiers. You could, essentially, identify a list of retweeting bots and cascade them to create the modern day version of the smurf attack!

Scanning the Twitter stream for these bots could be pretty easy. You could quickly script an API-enabled tool to tweet dictionary terms or brute-force character groups until you found a catalog of retweet terms, then cascade them to cause a “retweet storm” of some sort. Some controls over the process are implicit due to the 140-character max for tweets, but it is likely an interesting experiment. Properly tuned, it might also be a denial of service style attack or a way to spread very small spam messages far and wide.

It should be noted that much of this is theoretical. I did not, nor do I intend to, engage in this type of behavior. But, to me, it certainly seems possible. I can see it being used as a platform for spam and social engineering. I also don’t see a lot of controls that could be put in place to stop it.

Let me know your thoughts on this possibility and feel free to leave a comment and disagree or explain why I am wrong. I think there will be some interesting and dangerous times ahead for all social networks and I don’t think Twitter will be an exception.

Thanks to @mubix of Hak5 for the pointer and discussion!

Operation Anaconda: Putting the Squeeze on the Insider Threat

Organizations today are facing increased pressure to combat the “insider threat”. More and more compromises are occurring from “inside the secure perimeter”. The financial crisis, exploding use of mobile technologies, surges in bot-net infections and capabilities plus a myriad of other conditions are only making the problem more urgent. This condition exists across market verticals and it doesn’t matter whether you are charged with protecting national secrets, bank account information, credit card data or whatever, the insider is still the most dangerous threat of all.

At MicroSolved, we know that this is the most serious issue facing organizations today. We know that the threat is real, that budgets are tightening and that all of us will have to do more with less. We also know that as the economy worsens, data thieves, bot-herders and industrial espionage attacks will become more common.

Today, we have begun a special project – called Operation Anaconda. The purpose of this project is to study the problem of insider threats, identify rational approaches to reducing the risk of insider attacks and develop additional products, services, knowledge-based documents, methodologies and public information to help all of us better protect our businesses, data and assets from threats that originate inside our organizations. We don’t claim to have all of the answers, and we know that the risk can never reach zero, but we dedicate ourselves to finding better solutions to the problem than those that are common today.

“Normally, these kinds of press releases and articles are done in conjunction with new products or service offerings,” said Brent Huston, Security Evangelist (and CEO) of MicroSolved, Inc. “but we wanted to let customers and organizations know that we have heard them when they told us what was hurting them. We heard them and we are committed to doing our part to making that pain go away!”

“Over the next several months, you will see a plethora of articles, tools, techniques, products, services and approaches targeted at solving this problem. Our company will lead the way in identifying what works, what doesn’t and how to reduce the insider risk AND the security budget at the same time. Solutions have to be out there, and together, we will find them,” vowed Huston.

MicroSolved is currently building a project plan and forming study groups around facets of the problem. If you or your team would like to participate in one of the public study groups or discussions, please feel free to contact us. We will make more logistics known as the groups firm up their agendas. Stay tuned to http://www.stateofsecurity.com for more information and please feel free to comment on Operation Anaconda or responses to the insider threat. Thanks for reading and feel free to spread the word!

The New Version of HPPE OR Whoop, Here It Is!

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users comes with all kinds of new power and flexibility, plus a greatly simplified and user-friendly interface. Plus, it now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.
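As an added illustration of the decoy-service idea described above (example code written for this page, not HoneyPoint’s own code), here is a minimal Python listener that answers with a fake SMTP-style banner and records the source address, timestamps and bytes of every connection it receives; the banner text and the probe used by self_test are assumed values.

```python
import datetime
import socket
import threading

# Hypothetical decoy service in the spirit of the post: it serves no real
# application, so every connection to it is suspicious and worth recording.
# Added example; this is not HoneyPoint code.


class FakeService:
    """Bind a decoy TCP listener and record every connection made to it."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mail service ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner              # assumed banner; pick one that fits the decoy
        self.events = []                  # the transaction log

    def handle_one(self, timeout=2.0, max_bytes=4096):
        """Accept one connection, send the banner, capture what the peer sends."""
        conn, (src_ip, src_port) = self.sock.accept()
        conn.settimeout(timeout)
        first_seen = datetime.datetime.now(datetime.timezone.utc)
        payload = b""
        try:
            conn.sendall(self.banner)
            while len(payload) < max_bytes:
                chunk = conn.recv(1024)
                if not chunk:             # peer closed the connection
                    break
                payload += chunk
        except (socket.timeout, OSError):
            pass                          # a silent or dropped peer is still an event
        finally:
            conn.close()
        event = {
            "first_seen": first_seen.isoformat(),
            "last_seen": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": self.port,
            "payload": payload,
        }
        self.events.append(event)
        return event

    def close(self):
        self.sock.close()


def alert_line(event):
    """One-line alert an operator or a log shipper can act on."""
    return "%s decoy:%d touched by %s:%d (%d bytes): %r" % (
        event["first_seen"], event["dst_port"], event["src_ip"],
        event["src_port"], len(event["payload"]), event["payload"][:64])


def self_test(probe=b"HELO client.example\r\n"):
    """Run the listener in a thread, probe it locally, return banner and event."""
    svc = FakeService()
    worker = threading.Thread(target=svc.handle_one)
    worker.start()
    client = socket.create_connection(("127.0.0.1", svc.port))
    banner = client.recv(64)
    client.sendall(probe)                 # constructed probe standing in for a scanner
    client.close()
    worker.join(5)
    svc.close()
    return banner, svc.events[0]


if __name__ == "__main__":
    banner, event = self_test()
    print(alert_line(event))
```

Any event at all is the signal: nothing legitimate should ever talk to a port that hosts no real service.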

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.

Prepping for Release of HoneyPoint Personal Edition 2.00

Great news!

We are currently prepping for the public release of HoneyPoint Personal Edition 2.00 on Monday. The product has been through two closed Betas and a great period of pre-release testing. Thanks to all who helped with the testing and for all who contributed to our cause with product feedback. A special thanks to “DA” from a local organization who really held my feet to the fire on changes and interface updates. Hopefully, everyone will be pleased with the interface and features! (BTW – D – we kept the “lights”…<grin>)

Here is a screen shot of the new main interface on the Mac.

[Screenshot: HoneyPoint Personal Edition 2.00 main interface on the Mac (Snapz Pro X001.png)]

New features include:

HornetPoint defensive fuzzing (patent pending)

Plugins capability from HPSS

Public support for Linux and OS X in addition to Windows

and a few other goodies….

Also, this represents the beginning of the new line for HPPE. Development will remain ongoing on it and we have a few more tricks up our sleeves. We are also working on HPSS 3.00 and will begin alpha testing of that new architecture very soon.

Stay tuned for the launch and for more details as they become public!

3 Links for Securing USB Drives

This project caught my eye. It includes crypto and ease of use. It is called geek.menu and is based on the portableapps project. Installed and configured right, it makes an encrypted file system to protect your data if you lose the drive. It also allows you to easily configure some pretty powerful options around the apps you install. Check it out if you are a big thumb drive user.

This article is a great overview of risks from thumb drives. It should be a basic requirement for any user in the organization that gets provisioned one.

Lastly, for those of you who want to make the most of security through obscurity to protect your precious USB thumb drive from discovery, check this article out about hiding your drive in the wall.

If you are both a thumb drive (USB drive) and a Windows user, you should probably read about the Conficker malware. It is currently spreading wildly and can spread itself via USB drives. (Oooops, that was 4….)

Application Fuzzing Can Be Fun

One of the things my mother always said I was good at was breaking things. Apparently, as a young Evangelist, I chose to be an agent of entropy. I guess I always have been a huge fan of how things are continually breaking down and according to my mother at least, I did a lot to help them along the way. My mother just loves to tell stories about me taking things apart (clocks, radios, tv sets, lamps, my sister….) but I will save you from those, unless you choose to have coffee with my mother some day… 🙂

Today though, breaking software applications and studying how they fail has become a huge part of my work. I study how they fail, what causes the underlying issues, how those bad decisions could be exploited and what makes applications, devices and other things, tick. I am truly a student and professor of entropy.

You too can participate in these exercises. Tons of new tools are available to fuzz a variety of things, or you could choose to write your own fuzzers (this was a very worthwhile thing for me and led me to create “Defensive Fuzzing” which is the core of the HornetPoint defensive tools). (Patent Pending)

Here is a quick list of some books, papers and tools that you might want to explore if you are interested in playing with and learning from these techniques:

Fuzz testing – Wikipedia, the free encyclopedia

Ethical Hacking and Penetration Testing: Fuzzers – The ultimate list

Fuzzing – OWASP

Amazon.com: Fuzzing: Brute Force Vulnerability Discovery: Michael …

22C3: Fuzzing

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications | Darknet …

These links should give you plenty of materials and links to tools. I would highly encourage any security folks to set up a small lab, try the tools and just learn a bit about breaking applications. You will be surprised at how easy it is and how much insight it will give you into information security. Give it a shot and let me know how it goes!

Toata Moves On To Additional Targets

The Toata bot army has moved on to scanning for additional web-applications to target/catalog. Medium levels of scanning began last night and continue today. The new targets are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your systems to see if you have these files; if so, check with the responsible projects for updates. Consider additional monitoring and/or removal from service. Investigations should be performed; exploitation timelines and goals are unknown. It appears that Mantis Bugtracker and Twiki are the likely targets. Exploit vectors have not been researched at this time, though Mantis has had known XSS in the login page previously.

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.
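As an added example (not MicroSolved or HITME code), a small Python check that takes the target paths listed above as a watch list, flags requests for them in web server access logs, reports sources that probe several of them, and lists which of the paths exist under a local document root; the log lines are constructed samples using documentation IP addresses.

```python
import os
import re
from collections import defaultdict

# Paths from the post, used as the watch list. Added example; not MicroSolved code.
TOATA_PATHS = [
    "/mantisbt/login_page.php", "/tracker/login_page.php",
    "/bugtracker/login_page.php", "/bugtrack/login_page.php",
    "/support/login_page.php", "/bug/login_page.php", "/bugs/login_page.php",
    "/login_page.php", "/statistics", "/bin/statistics",
    "/twiki/bin/statistics", "/wiki/bin/statistics", "/wikis/bin/statistics",
    "/cgi-bin/twiki/bin/statistics", "/cgi-bin/wiki/bin/statistics",
    "/cgi-bin/wikis/bin/statistics",
]

# Apache/nginx common or combined log format:
#   ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log; 192.0.2.10 behaves like the scanner, 203.0.113.5
# finds a live login page (status 200), 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2009:02:14:07 -0500] "GET /mantisbt/login_page.php HTTP/1.1" 404 217 "-" "ExampleScanner/1.0"
192.0.2.10 - - [10/Feb/2009:02:14:08 -0500] "GET /bug/login_page.php HTTP/1.1" 404 217 "-" "ExampleScanner/1.0"
192.0.2.10 - - [10/Feb/2009:02:14:09 -0500] "GET /twiki/bin/statistics HTTP/1.1" 404 217 "-" "ExampleScanner/1.0"
198.51.100.7 - - [10/Feb/2009:02:15:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2009:02:16:30 -0500] "GET /bugs/login_page.php?return=index.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""


def watched_path(path):
    """Return the most specific watch-list entry that `path` matches, else None."""
    path = path.split("?", 1)[0]          # ignore the query string
    best = None
    for entry in TOATA_PATHS:
        # endswith() also catches the app mounted under an extra prefix
        if path == entry or path.endswith(entry):
            if best is None or len(entry) > len(best):
                best = entry
    return best


def scan_log(lines):
    """Return one hit record per request that touches a watched path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        target = watched_path(m.group("path"))
        if target:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "path": m.group("path"), "target": target,
                         "status": int(m.group("status"))})
    return hits


def likely_scanners(hits, min_distinct=3):
    """Sources that probed at least `min_distinct` different watched paths."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h["ip"]].add(h["target"])
    return sorted(ip for ip, t in by_ip.items() if len(t) >= min_distinct)


def exposed_targets(hits):
    """Watched paths that answered successfully, i.e. the app really is there."""
    return [(h["ip"], h["target"], h["status"]) for h in hits if h["status"] < 400]


def present_on_disk(docroot):
    """Which watched paths exist under docroot (the check the post asks for)."""
    return [p for p in TOATA_PATHS
            if os.path.exists(os.path.join(docroot, p.lstrip("/")))]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print("%(time)s %(ip)s -> %(path)s (%(status)d)" % h)
    print("likely scanners:", likely_scanners(found))
    print("exposed:", exposed_targets(found))
```

Point scan_log at a real access log and present_on_disk at the web root; a 200 on a watched path combined with a listed project version that is out of date is the case to escalate.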

Win7, Linux and the Future of the Desktop OS

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate from because it is not already saturated) cannot afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India, the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so that means additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that cannot be derailed.

Second, I believe in open source. While the majority of users couldn’t care less about source and will never tweak their code, there is a core group of code geeks who will tweak stuff and play with things. These geeks will create improvement in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it, go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement aren’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from it and advance beyond it, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.

Third, the idea that users choose a desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding (“what I use at work and already know”) are the top considerations, followed by stability and price. But even in those decisions, Linux has made a huge improvement and at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar with it and begin to use it at home. Add to that equation the coming army of global young people who have been using Linux as their base of education and you see a rising tide. I think of Windows 7 not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows, Linux and OS X, with easier sharing, integration and cross-platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelic groups of BSD/Other/Netware+/Blah blah blah that ebb and flow. To demonstrate my point: I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I) and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long, long time.

Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the marketplace. They are kind of on a “computing land bridge” between the handheld devices that will evolve from smartphones and the real functionality and usability factors of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long-term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long-term bet to me. (Note, I just bought a Linux-based EEEPC to try, but have not used it yet.)

So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so only speculation and review-based opinions here.) They made significant improvements in Vista and additional improvements are likely here too. Linux continues to have security issues as well, though they too seem to be improving (without any real metrics research on my part). All operating systems, though, face high levels of additional risk from all of the add-on apps and software that users run on desktops. Part of what I think will be important in the future of desktop security is how well the OS minimizes the damage that a user-level compromise can do. How does it prevent escalation? How compartmentalized does it keep data? What detective and responsive controls does it build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. Which OS platforms would seem more capable of rapid evolution here? It seems to me that the myriad mindset and crowd-sourcing are much more likely to create improvements here in the short term, but you decide for yourself. Bottom line, the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.

So, there you go, my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.