TomsTechBlog.com

It's hard to say these days

Corrections, Misconceptions and Flat Out Hypocrisy

April 30, 2008 03:21 by author Tom

Ed Bott of "Ed Bott's Microsoft Report" takes issue with many of the bloggers who reported on this story (I'd assume he includes this blog in his "echo chamber" comment).  Here's a quote:

OK, now go read the linked story from the Seattle Times. There’s not a word - not one word - about back doors or encryption. Sadly, the usual suspects in the Techmeme echo chamber are whipping the inaccuracy around the infield at major league speeds. CrunchGear says Microsoft has “developed a thumb drive that helps Johnny Law quickly extract information, encrypted or otherwise, from computers.” And Valleywag talks about “a USB dongle that plugs into a computer, bypasses any Windows passwords or encryption, and quickly downloads sensitive data such as your Web browsing history.”

and

In fact, if this rather unremarkable collection of Microsoft-developed hacker tools actually did contain anything new, I would certainly expect that the highly vocal security community would have said something. If there turned out to be a back door in BitLocker or any other form of encryption, the real experts would be publishing the results. But they haven’t said a thing, because there isn’t a story here.

Let’s see how long it takes for the corrections to begin appearing. I’m not holding my breath.

The problem is this: While Ed Bott rightfully "calls everyone out" for jumping to negative conclusions on limited facts he then takes the same limited facts and jumps to the opposite (positive) conclusion.  He even goes further by assuming Microsoft's COFEE is the equivalent of another tool on the market (again, based on no real evidence)...

For anyone who is ill-informed enough to think that these tools are going to land in the hands of bad guys, I have some bad news. They’re way ahead of you. The community-developed USB Switchblade has been around since at least September 2006. And as security expert Jesper Johansson points out, it has an impressive feature set:

In truth, Microsoft is vague on what exactly is in this device and their claims lead one to think there are "back doors" involved.  When they say that the device can retrieve password protected data off a PC in "as little as 20 minutes" they open themselves up to suspicion.  Especially as the maker of the system doing the password protection. 

As for corrections, I said this (bold added for this post)...

Microsoft's job when making an OS is to make it as secure as possible.  I, as a Microsoft customer, trust that they will do everything they can to make their system secure (as they claim to do).  The fact that they'd even build a device like this seems like a violation of that trust.  Especially since it seems they put hooks into the OS to facilitate its creation.

and I stand by it.  The logical conclusion based on the comments Microsoft had made was that Microsoft used their extensive knowledge of Windows (including the source code) to create this device and make it as effective as it is (for the record, Microsoft has since denied using any "back doors").

Finally, even if it doesn't contain a single piece of inside information I still take offense at Microsoft pointing out ways to crack my OS.  Again, it comes down to me as a customer putting faith in them as a software developer to do everything they can to boost my security (as opposed to circumventing it).  Creating a way to crack that security and giving it away as marketing is still very upsetting.

P.S.  Given how condescending Mr. Bott's post was I think I deserve some kind of karma credit for getting through this entire post without once using the phrase "poor man's Mary Jo Foley"



Microsoft Thumbs Its Nose at My Security

April 29, 2008 17:52 by author Tom

I'm not one who obsesses over my data privacy.  I mean, as far as my life goes...I like it...but to the outsider I suspect it would be pretty boring.  So if someone wants to snoop on me I really don't care.

But even I found this a tad disturbing...

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

For the record, "Forensic Data" translates to "All Your Personal Information"

I honestly don't have an issue with Law Enforcement having access to this sort of thing.  They have the right to obtain the data anyway so this just seems like an easy way for them to get what they need.  If anything, it saves me money as a tax payer.

But I do have a couple issues here...

1.  Though I understand why the Government would want a device like this I think it's irresponsible for Microsoft to provide it.  Microsoft's job when making an OS is to make it as secure as possible.  I, as a Microsoft customer, trust that they will do everything they can to make their system secure (as they claim to do).  The fact that they'd even build a device like this seems like a violation of that trust.  Especially since it seems they put hooks into the OS to facilitate its creation.

2.  My understanding is that this is no bigger than a thumb drive, which makes me certain at least one will fall into the wrong hands.  Given that, I don't see why they didn't make it bigger and harder to steal.  Particularly since, despite what the original article says, the police have to seize the PC anyway (to maintain a chain of evidence) so portability isn't an issue.

To me, this is the best argument I've seen for Open Source in a while.  If Microsoft is inclined to put hooks into its OS which allow for the quick bypassing of the system's security I'd at least like to know.  The fact that they felt the need to, as the article says, "quietly" distribute this says to me that they knew I'd want to know and specifically took steps to hide it from me. 

That bothers me.

As a Microsoft customer I think their responsibility is to me not to law enforcement.  The fact that they don't see it that way makes a pretty compelling argument for systems with source that is open for everyone to see.

Addendum: Since I’ve already gotten two e-mails on this I wanted to clarify something.  When I said…

“Particularly since, despite what the original article says, the police have to seize the PC anyway”


I was taking that from a friend who is an assistant District Attorney (and who I IMed while writing the post).

This is conceptually pretty simple.  The cops can use this device and get all your files but they aren’t going to go over each file right then and there.  Since there’s no ruling in existence saying this Microsoft device is admissible in place of the computer itself the cops have to take the computer with them.  Otherwise you could erase the files between when the cops used the device and when they came back to actually confiscate the computer.



Et Tu Erick...

February 3, 2008 09:27 by author Tom

Since I praised Erick Schonfeld for his post on the Yahoo-Google merger a few days ago it only seems fair that I take him to task on something else now.  From his post on Techcrunch...

Ever since the rear-guard at the Wall Street Journal won the battle to keep its news pages behind its subscription wall (although, its opinion pages are now free), they have been cracking down especially hard on anyone trying to breach that wall—even if those people happen to be paying subscribers. In what appears to be an attempt to discourage freeloaders, the WSJ.com is locking out anyone from its site when it detects more than one simultaneous log-in on the same account. But innocent, rule-abiding subscribers who may be using multiple computers, or doing nothing wrong other than forgetting to log out of their accounts, are being shut out as well (see email below).

That is no way to treat your customers. In fact, it shows an utter disdain for how normal people actually use the Web. But it is an understandable, and classic, reaction. Incumbent executives always try to fend off inevitable disruption by blindly protecting their current sources of revenues. I liked Rupert Murdoch’s original idea of tearing down the entire subscription wall much better.

Now, I'm not going to cover the Wall Street Journal again because I've already done that.  What bothers me about this is the idea of twisting what was obviously a stupid technical issue to look like an intentional slight on the Journal's part.   

I will happily eat my words if the people at the Wall Street Journal saw this repercussion coming and intentionally did this.  But my feeling is that they implemented a standard security measure badly and this was the consequence of that. 

Painting that mis-step as intentional so you can use it to slam them for a decision you don't like is a low blow on Mr. Schonfeld's part.

Addendum: I wrote this a couple days ago but only got a chance to post it now.  Since then Dow Jones (owners of the Wall Street Journal) replied to the original Techcrunch article. They said...

Our subscribers often use multiple computers to access their accounts; therefore, we’ve had a long-standing policy of allowing up to three concurrent logins in order to deliver the best customer experience possible. Customer satisfaction and service are of the utmost importance, and we regret any inconveniences incurred by this user.

Cheers to Techcrunch for posting the update, Jeers to Techcrunch for posting the article in the first place.



Last I speak of this, I swear it!

December 13, 2007 19:10 by author Tom

Jon Galloway has a nice rebuttal of the article from yesterday.  You can read it here (too much good stuff to even bother trying to quote).



Dumb Security Ideas

December 13, 2007 13:47 by author Tom

Wanted to follow up on a few things from yesterday.  First, to an extent, I owe Mr. Atwood an apology.  I still stick by everything I said yesterday but I think the tone was wrong.  The truth is, while I still think his post was ridiculous, it wasn't completely without merit and any idea with merit deserves to be treated fairly and with an open mind.  So to the extent that I didn't do that I'm sorry.

Another point from yesterday comes from the comments to Mr. Atwood's post.  The commenter wrote...

Jeff hit idea #2 of the six dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/ and I totally agree. It is just a scaling issue.

The link leads to an article by Marcus Ranum who claims to be "a renowned expert on security design and implementation" who was "the implementor of the first commercial firewall" (he spelled implementer wrong not me).  For the record, I don't know if those claims are true or not and the reason I put them in quotes was only because I couldn't find any verification for them aside from Wikipedia.  

Anyway, in a post entitled "The Six Dumbest Ideas in Computer Security" he lays out "idea #2" for us...

Why is "Enumerating Badness" a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate, application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness. In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems:

  • Spyware
  • Viruses
  • Remote Control Trojans
  • Exploits that involve executing pre-installed code that you don't use regularly

Thanks to all the marketing hype around disclosing and announcing vulnerabilities, there are (according to some industry analysts) between 200 and 700 new pieces of Badness hitting the Internet every month. Not only is "Enumerating Badness" a dumb idea, it's gotten dumber during the few minutes of your time you've bequeathed me by reading this article.
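The two policies Ranum contrasts, as an added example (not code from his article or from this blog): a default-permit check against a list of known-bad hashes beside a default-deny check against a list of approved hashes. The file names and byte strings are constructed samples; the last sample, an unapproved update, shows the upkeep cost the approved list carries.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Identify a binary by the SHA-256 of its contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; real files would be read from disk.
APPROVED_APPS = {
    "editor.exe": b"editor v1.0 code",
    "payroll.exe": b"payroll v3.2 code",
}
KNOWN_MALWARE = {
    "worm-a": b"worm payload A",
}

ALLOWLIST = {sha256(b) for b in APPROVED_APPS.values()}  # enumerated Goodness
BLOCKLIST = {sha256(b) for b in KNOWN_MALWARE.values()}  # enumerated Badness


def default_permit(binary: bytes) -> bool:
    """Enumerating Badness: run anything whose hash is not known bad."""
    return sha256(binary) not in BLOCKLIST


def default_deny(binary: bytes) -> bool:
    """Enumerating Goodness: run only what has been explicitly approved."""
    return sha256(binary) in ALLOWLIST


# Constructed test cases covering both the benefit and the cost.
SAMPLES = {
    "approved app": APPROVED_APPS["editor.exe"],
    "known worm": KNOWN_MALWARE["worm-a"],
    # One appended byte changes the hash, so the blocklist no longer matches.
    "worm variant": KNOWN_MALWARE["worm-a"] + b"\x00",
    # A legitimate update also changes the hash and needs re-approval.
    "app update": b"editor v1.1 code",
}


def evaluate(samples: dict) -> dict:
    """Return {name: (allowed_by_default_permit, allowed_by_default_deny)}."""
    return {
        name: (default_permit(data), default_deny(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (permit, deny) in evaluate(SAMPLES).items():
        print(f"{name:14} default-permit={'run' if permit else 'block':5} "
              f"default-deny={'run' if deny else 'block'}")
```
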

The basic flaw in Mr Ranum's theory is that he's living in the 80s where every application was on the desktop and every communication was 1-to-1 over a modem.  The web allows people to use applications that their administrators wouldn't have even dreamed of and it allows them to do it in packets that are often encrypted. 

More to the point everyone's addiction to the web keeps administrators from blocking most sites outright.  I would love to live in a world where I could specify what sites users were allowed to visit and block all the rest but that isn't the world we live in.

Given that fact I'd argue that web data, specifically secure web data, can't be enumerated.  This leads me to Mr Ranum's next point...

Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning, or virtually any of the things in a CTO's charter.

Well, I don't think CTOs are saying they don't know what different apps they rely on; I think what they are saying is that they can't limit what web apps a user uses to only the ones that are business related.  Everyone in most companies, including senior management, uses the web for their personal use at this point and most of that usage is over their corporate network.

Anyway, I've already spent far too much time on this.  I don't know why it annoyed me so much but I think it has something to do with the prevalent attitude in the blogosphere that "we're right and everyone else is an idiot".  So Jeff Atwood can contradict decades of conventional wisdom with no real explanation as to why he thinks almost every other security expert in the world is either an idiot or a liar and no one questions it.  When people do that without even acknowledging how crazy their idea sounds it makes it seem like the blogosphere isn't a place for serious debate and that annoys me.



Anti-Virus software is pointless?

December 12, 2007 16:55 by author Tom

I've always thought of Jeff Atwood as one of the smarter bloggers out there but his most recent post on Virus Scanners borders on lunacy.  In a nutshell he says they're completely unnecessary if you just run your PC under a non-Administrator account.

Let me preface this with a little background: I am the administrator of an organization with around 190 computers (which varies depending on how many employees we have at any given time).  With very few exceptions no one has Administrator or even Power User privileges (the few exceptions being where it was necessary such as in the case of our Payroll program which requires it be used under an admin account).  We use both Norton Anti-Virus Corporate Edition and Webroot's Spy Sweeper on every workstation.

That said, let me quote Mr. Atwood so you can get his whole point...

The performance cost of virus scanning (lose 50% of disk performance, plus some percent of CPU speed) does not justify the benefit of a 33% detection rate and marginal protection. I would argue the illusion of protection is very, very dangerous as well.

Ask yourself this: why don’t Mac users run anti-virus software? Why don't UNIX users run anti-virus software? Because they don't need to. They don't run as administrators. Sadly, the cost of running as non-admin is severe on Windows, because MS made some early, boneheaded architectural decisions and perpetuated them over a decade. But the benefit is substantial. There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator.

I believe we should invest our money, time, and effort in things that make sense, things that work. Things like running as a non-administrator. And we should stop wasting our time on voodoo, which is what anti-virus software ultimately is.

He then corrects himself right after the above paragraph saying...

To be fair, anti-virus software is more effective than I realized. In the August 2007 Anti-Virus Comparatives, the lowest detection rate was 90%, and the highest was 99.6%.

That alone should be reason enough not to listen to him on this.  Someone who is that far off is obviously not an expert in the field.  But putting that aside let's address the Mac/Unix point.  Mac and Unix machines aren't targeted by virus writers because their install base is so low and that's pretty much an established fact.  There has already been a "proto-virus" that proved OS X could be infected so the idea that they are immune doesn't hold much water.

Which brings me to my biggest point: you don't need to be an administrator to destroy user files.  Let's be logical here, a malicious virus has two goals: (A) to compromise the machine so it can spread and (B) to do damage to the machine's valuable files.  I can tell you from personal experience that a limited account can still run scripts and it can still send e-mails which means it can still do everything that a virus would need it to do.

Remember, a virus doesn't need to destroy system files to be effective!

I don't know.  I honestly had to think long and hard about posting on this because the idea is just so preposterous to me that I was afraid it would turn into an attack post.  The only reason I decided to go ahead was because I didn't want to see some young IT person go around pushing this idea and get fired for doing so.  Let me make that point in closing, if you are an IT person who thinks he/she can run a network without virus protection you will get fired!  Because if anything goes wrong you'll have no defense for yourself. 

"I know every bit of professional guidance says you need security software but this guy with no obvious security experience wrote on his blog that it was unnecessary..." 

Not going to go over well.

Mr Atwood makes another point about Blacklists but I'm going to save that for a later post because I think that justifies its own post. 

Addendum: For the record, he is right about security software being a performance hog and that is a significant problem but certainly not one that justifies ignoring security altogether.



Microsoft declares Vista ready for primetime, and no one cares

November 15, 2007 01:57 by author Tom

Courtesy of Mary Jo Foley we have an interview with Microsoft’s Corporate VP of Windows Product Management Mike Nash.  From the article…

Microsoft’s main message in its communications with press and bloggers this week is that they should take another look at Vista. The Softies acknowledge now that the product got off to a rough start, in terms of missing drivers, application compatibility and overall performance and reliability. But as a result of numerous Vista updates pushed out over Windows Update, as well as changes that ISVs and hardware makers have made to their products, Vista is now running a lot more smoothly and reliably than it did a year ago, Nash said.

“A lot of the first impressions that enterprise users were having with Vista were at home,” Nash said. Initially, those experiences may not have been as solid as Microsoft and its users were hoping. “But now that experience is changing,” Nash said.

As has been the case with Vista for a while now, Microsoft misses the point here.  The real issue isn’t that Vista had problems out of the gate; every OS has problems out of the gate.  The issue with Vista is that to this day I can find no earthly reason to upgrade my companies’ PCs to it.

The advantages between it and XP Service Pack 2 are minimal at best and in many ways (such as with the new UI) it makes more sense to stay with XP.  I really don’t need fancy looking windows on my corporate computers particularly when they take up tons of processing power.   As far as security is concerned the reality is that I’m doing just fine.  The combination of XP SP2, a decent firewall and virus/malware protection has served me quite well.  It has been over 3 years since my last real security problem (though now that I’ve said that I’m sure I can expect one shortly) 

Microsoft needs to accept that Vista is a disaster and just move on.  Even putting aside my corporate needs as an IT manager Vista is the first Microsoft OS since ’95 that I didn’t rush to upgrade to (I was an OS/2 guy back then).  I just have no interest and I’m not the only one.  So Microsoft, if you have any sense, cut your losses here.  Split the upcoming Windows 7 into two releases and implement half the features by the end of 2008 rather than 2010.  Give yourself a fighting chance. 

Because honestly, I’m the head of a Windows IT shop that programs using .Net and I for the first time am considering a Mac for my next notebook.  That’s very bad for you (especially since the thing holding me back is the fact that I won’t have Visual Studio, a concern most of your users don’t share). 



About Me

Not really relevant right now. This blog is on hiatus. I really haven't decided if it is an indefinite hiatus yet.

For the record if you've tried to e-mail me over the last 4 to 6 months I didn't mean to ignore you. The e-mail forwarding isn't working and I didn't realize that until months' worth of e-mails had been deleted on forward. The tom@tomstechblog.com address still won't forward to the postmaster account and I don't know why because it's provided by the webhost. But if you're one of my old blog pen pals I would always welcome an e-mail from you at the postmaster@tomstechblog.com address.

    Disclaimer

    The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

    © Copyright 2013
