Microsoft unveiled details of its Strider HoneyMonkey research, a project that sniffs out sites hosting malicious code, and hands the information to other parts of the company for patching or legal action. The technical report (pdf) outlines the concept of cruising the Web with multiple automated Windows XP clients – some unpatched, some partially patched, some patched completely – to hunt for Web sites that exploit browser vulnerabilities.
Very cool idea. How about also fixing known vulnerabilities (see secunia.com)?
Well first of all Secunia doesn’t tell new vulnerabilities in system like HoneyMonkey is planned to do. Secondly some of Secunia’s warnings are pure shit. I think they are too much for publicity and that’s why they keep a list of stuff that aren’t really security problems.
A vendor (commercial) who publishes its vulnerabilities is almost a contradiction in terms, the more bugs are found the better for the project and the worse for the developers/company. Furthermore it isn’t independent research. My take: a controlled marketing stunt no more no less.
Please keep your zealotry in your parents’ basement where it belongs. The article is discussing a legitimate academic report (which is even linked in the synopsis above). This project presents an interesting approach to finding malicious sites on the Internet. Rather than wait to hear of wide-spread infection, HoneyMonkey takes an active approach and seeks out the sites that are thought to be installing malware. This allows them to (a) confirm the threat and (b) get a “sample” machine which can be catalogued and analyzed for creating a fix. Furthermore, as the article pointed out, having these machines browse the net also proves that patching has a quantifiable effect on mitigating infection, which Microsoft can use as an indication of progress as well as a way to demonstrate to businesses the value of installing patches ASAP upon release. To say this is a stunt or a crutch for poor quality coding is naive.
Only with the resurgence of Apple does M$ finally try to do something about the insecurity of its software.
Well others might easily forget 21 years of crappy code, rewarding the intelligence community and a bloated IT workforce, but I won’t.
I fling a steaming bag of poop at Redmond and all its cronies.
Bring on Desktop Linux, I’ll buy!
yep, it’s another news about windows.
placing blame on the black hats when they should fix their swiss cheese OS.
There’s plenty of blame to spread around. People who are maliciously exploiting systems deserve the majority.
you don’t seem to get it…
hand a steak to a wild tiger and you’re going to get your hand bitten off.
malicious code is to blame for being in existence yes, but MS has done little to secure their flagship products because they can’t. instead, they blame others to draw attention away from their horrible developers and business tactics.
if you do something wrong, stand up and admit it, then do whatever you need to fix it.
basic character 101.
it’s what you do with your life and how it affects others that you will be measured.
How about you take Basic Reading 101 and read up on what has been happening over the last 4 years.
“How about you take Basic Reading 101 and read up on what has been happening over the last 4 years.”
go ahead…
explain the last 4 years.
Let’s see, complete code review of Windows gives us Windows 2003 and IIS6, which was/is such a giant leap from 2000.
.NET API
XPSP2
Microsoft actually spending time on getting Vista right.
Most everything that still has problems, security wise, hasn’t had a re-release since the focus shift!
Uhhh… so instead of fixing browser vulnerabilities, they try to get rid of sites that pose a threat to their browser?
Well, I guess it’s cheaper to pay a few people to do that instead of paying several people to actually fix the code.
Except they also pay people to fix the problems in the browser….
I hate to be rude, but don’t be a jackass.
Yes, they pay as little as possible to the people in India who they outsource to.
Besides, fixing the problems after they occur is no real solution. If they took a more proactive approach to security from the ground up, there wouldn’t be so many holes to patch in the first place.
Kind of off-topic, but I was one of the many people who were foolishly led to believe that much if not all of the core apps etc. in Longhorn were going to be re-written using managed code.
Of course, that’s not turned out to be the case, but thankfully a large portion of the new code in Vista is managed.
Any of the vulnerabilities I see related to anything .NET have been in code that .NET merely wraps around instead of replacing. I guess it was too much to hope for that WinFX would have had no reliance whatsoever on the aging Win32 code, but like all things, it’s evolutionary, and we won’t see a completely managed (and much more safely coded) version of Windows for a few revisions yet.
Regardless, they are still slowly making progress in the security arena, but like most software, not so quickly as we require.
And how do you expect them to find out what the browser vulnerabilities that they should be fixing are? They do it by determining what the malicious sites are doing.
If MS knew ahead of time what the problems were, they would have fixed them already.
“rewarding the intelligence community and a bloated IT workforce”
What the fuck are you talking about?
“rewarding the intelligence community and a bloated IT workforce”
What the fuck are you talking about?
Spooks and Outsourcing
M$ should be happy to find malicious site triggering new attack in their browser or code: it is a way to force code to improve faster. The joe six pack won’t encounter 99% of common vulnerabilities by doing so.
But shutting down a hacker with legal action is a nonsense, since there is for sure 10 others which are doing the same at the same time.
add to this that I am convinced that they won’t patch all security problems…too much money involved and loss of possible image.
a proud user of suse since 2 years…
http://www.waltercedric.com
But shutting down a hacker with legal action is a nonsense, since there is for sure 10 others which are doing the same at the same time.
Just like the others who are spamming through open proxies and SMTP relays or running the latest phishing scam?
A lack of reporting and responsible action allows the problems to continue in perpetuity, whether it’s a worm infected user or malicious websites.
But shutting down a hacker with legal action is a nonsense, since there is for sure 10 others which are doing the same at the same time.
So what? Whether others are doing the same thing at the same time has no bearing on whether that particular hacker is doing it. Would you also say that the police shouldn’t ticket someone for running a stop sign in a residential neighborhood just because others do it too?
To say this is a stunt or a crutch for poor quality coding is naive.
———
Don’t worry. If a major Linux distro did the same thing it would be heralded as a great and ingenious idea. Gotta remember the double standards.
Is there somewhat of a double standard among the linux community….. yeah
Is there somewhat of a double standard among the Windows community….. yeah
However, I beg to differ on this one….. if a linux distro did this they would be b!@#$ slapped to the other side of the moon for this idiocy, especially since the vast majority of malicious sites don’t even apply to Linux.
in fact…. I’d be the first in line to smack em.
This scheme is just a sham to give Microsoft some appearance of legitimacy as their spy on your Windows machine.
These fuckers never stop.
“Microsoft unveiled details of its Strider HoneyMonkey research”
So instead of opening the source so everyone can point out bugs, they’re rewarding monkeys with honey for playing the game Strider for hundreds of hours?
http://www.mozillazine.org/talkback.html?article=7123
This is a very good idea, whether you Linux zealots like it or not.
Linux distros should do the same.
are you retarded or what ?
Despite your attempt to generate an emotional response by the confrontational tone of your first sentence, your post does ask a valid question.
However, what makes you think that coders aren’t looking for bugs/exploits? The same method that Microsoft is using isn’t practical for a Linux system, as these types of web/browser exploits aren’t really there. The biggest problem would be the typical buffer overrun types of coding errors that allow code execution, or rootkits. These things are best worked on by looking at the code (no one outside of Microsoft’s programmers can work with Microsoft’s code) and finding errors the old-fashioned way. And, being 100% open, the source can be looked at by the various hobbyists around the globe.
This is one example where “doing the same” as Microsoft would be pointless and less efficient than regular debugging. And, this method seems to be working, as it is being shown that the defects are being reduced, even as the code base grows.
http://www.internetnews.com/dev-news/article.php/3524911
I’d love to work somewhere with a bloated IT workforce rather than be understaffed, and chasing fires caused by the latest XP exploit. I imagine I could actually get some *work* done if the IT workforce was bloated! Sign me up for bloated IT workforce, stat!
WTF does outsourcing have to do with industry “bloat?” Outsourcing is despicable, short-sighted, and irresponsible, but it doesn’t make things bloated.
There is no shortage of infected windows machines. Millions of idiots find malicious web sites every day. Their reach far outstretches their grasp on this one, the problem is not that people are using the exploits, the problem is people are using their POS leaky browser. A publicity stunt to make people feel like they are proactive is not real impressive, sorry. A bulletproof browser and secure os, now that would be impressive.
what political system
what company??
tied the browser so deeply into the os?