Tag Archives: Hack

IIS may be Microsoft’s most important product

I’ve been asked a couple of times why I accepted a position working with IIS 7. Someone even quipped that I took it because it was the only job that Microsoft offered me. Quite honestly, if I had my druthers, I would still love to join this team. Obviously, some people can’t understand the importance of this product. This post will serve as the formal answer to the inquiries about my upcoming role.

I believe in my heart that IIS could possibly be the most important product in Microsoft’s arsenal today. If you blindly accept this hypothesis, you need not read any further. However, if the need to provide some supporting evidence to my assertion haunts your dreams, go ahead and finish reading this post before you lay your head on the pillow tonight.

In the book, Freakonomics by Steven Levitt and Stephen Dubner, the authors overtly opine that information is one of the most powerful tools in today’s age. One example given by the duo is that of the ruin of the Ku Klux Klan after WWII. Once the war was over, the “Klan” had started to regain their footing. Stetson Kennedy infiltrated the group and exposed all of their secrets to a popular radio program at the time — Superman. This turned the upsurge in Klan membership on its ugly hooded ear. The book demonstrates time and time again that sunlight is, indeed, the greatest disinfectant.

The proliferation of data in the “information age” is one of my favorite by-products, or perhaps, the purpose of my very career field. Software applications seek to provide information in a concise form that makes sense to data consumers. Websites such as realtor.com and edmunds.com provide data that prevents the lay-folk from being ripped off in the sale or purchase of a home or car, respectively. Sites such as encarta.com and wikipedia.com provide us with reasonable and free research — and in the case of the latter, people actually volunteer their time to build on that knowledge. I have to admit that I am addicted to information. In an instant, I can be searching for stock quotes, searching for health information, getting the latest news headlines, or just reading blogs at any given moment. I can access information on my smart phone, my tablet PC, my notebooks or any number of desktop machines at home. There are even refrigerators with web browsers in them now!

Yes, information is important. But getting information out there in an efficient, reliable, and secure way is the key. I have watched IIS grow from a simple application-level server that leaked memory like crazy and provided a million security vulnerabilities while providing basic database/index server query capabilities (HTX/IDC and IDA/IDQ), to a mixture of kernel-mode listeners and intricate inter-process operations that serve up millions of pages of dynamic information and object requests in a secure environment as though it were bored to tears. The information this product serves up, for the most part, is pure gold and it already does it so well. IIS is, indeed, improving with each and every release.

Some may say the success of IIS is why they question my joining the team. “What else could you possibly do with that product?” While I’m not going to be a developer for IIS 7, I do cherish the opportunity to leave my ideas at the desk of those that can at least consider just what I think can be improved. Depending on what survey you read, Microsoft’s market share of the web server space has plenty of room for improvement. In fact, since the .COM bust, it appears that IIS 7 has been losing its market share. But obviously, market share isn’t everything: “What does it profit a man if he gain the whole world but lose his soul?” So what else is there? How about increased security and anti-fraud mechanisms? Dissemination of information is only as good as the information being purveyed. Sure, IE 7 is going to take up some of the slack here. But couldn’t IIS 7 also provide some of this capability as well? Couldn’t it help protect against spoof sites? Perhaps a combination of IE 7 and IIS 7 would help scuttle the whole phishing business altogether.

As I stated in my previous post, I have a million ideas, and at times, I’m overwhelmed with what to do with them. I’m hoping to pour some of this emotion into a product, and I cannot see a better product to be a part of — in whatever capacity I can be of use.

I hope this satisfies some of your curiosity. Thanks for listening.

Hackers Attack via Chinese Web Sites

I don’t know if anyone caught the Washington Post story a few days ago titled “Hackers Attack via Chinese Web Sites”. It seems to have slipped past everyone in the news. Of course, The WP has become so disreputable and biased that it shouldn’t surprise me that no one paid attention. However, we were warned well in advance, so it should be no surprise.

This begs the question, however. The government has to be, without a doubt, one of the largest consumers of computer goods and services. While I am not an advocate of increased tax spending, this area could use some. Perhaps it’s time to take a different approach with that spending, however. We have tried many things over the years: Internet War Games, hiring our own elite forces, and even creating more laws and policies. These are certainly deterrents, but security in depth is the key here.

Any good football team has a good offense, a good defense, and a great, different game plan depending on who their enemy is. We have the offense now (as mentioned above), we have ‘some’ defense as well. Laws do us no good when dealing with hackers in foreign countries. So what is the answer? I will not purport to have that ‘nail in the coffin’ answer to cyber terrorism and anyone that claims they do is selling you a bill of goods (and they will typically have the abbreviations “Sen.” or “Rep.” in front of their name). However, there are a few other things we need to explore. One mark of a great football team is that they have the ability to surprise and misdirect their enemy. Making the opponent attack in the wrong direction has often led to victory in some of the best games I have seen played. In IT, the misdirection can be supplied with honey pots and misinformation. We can take a tip from the tabloids and start putting out information that sounds correct and feasible, but is nothing more than fodder for the masses. For instance, sending out communications that will most likely be intercepted to “expose” a weakness that is actually a strength can cause a huge failure for an attacker.

This is also not a new concept in typical warfare. Many of you may remember the movie “The Patriot”, a loose description of the Revolutionary War battle in Cowpens, SC, which made use of a “double envelopment” strategy that essentially used a perceived weakness to entice the enemy into a trap. Obviously, this was not the first use of the strategy either, but it is highly notable due to the movie’s popularity. Honey pots and misinformation are highly useful in this same context. We strengthen what we may now understand is a weakness, and then taunt the enemy with the weakness again. While the enemy attacks, we have a better chance of pinpointing their location, and perhaps sending them a nice drone-delivered “ACK” to their received packets.

The football analogy works to some degree when trying to put together a cyber security policy. However, we do not “play” against one enemy at a time. We play every team out there — known and unknown. This is why defense is our most important aspect of policy. Our defense needs to be highly educated, state of the art, and driven. We have no way of knowing who is going to attack and when. There is no way we can be prepared for every attack possible. However, we can at least provide some misdirection while we shore up our defense and plan our counter-attacks.