Communicating Windows 7

May 27, 2008 – 5:46 AM

Typically when Microsoft ships a new OS (like Windows Vista), we immediately start talking about the next version, which begs two questions: 1) is Microsoft working on a new version of Windows, and if so, 2) why aren’t you talking about it?

I thought I would spend a minute giving you an update on where we are. First, yes, we are working on a new version of Windows. As you likely know, it’s called Windows 7. We are always looking for new ways to deliver great experiences for our customers. This is especially true of Windows – where we’re constantly examining trends in hardware, software and services to ensure that we continue to drive the innovation that has both made Windows the world’s most popular operating system and has provided a foundation on which our partners built great products and businesses. When we shipped Windows 2000, we were already working on Windows XP and we started working on Windows Vista even before we released Windows XP. So naturally, we’ve been thinking about the investments we made in Windows Vista and how we can build on these for the next version of Windows.

What is a little different today is when and how we are talking about the next version of Windows.  So, why the change in approach?  We know that when we talk about our plans for the next release of Windows, people take action. As a result, we can significantly impact our partners and our customers if we broadly share information that later changes.  With Windows 7, we’re trying to more carefully plan how we share information with our customers and partners.  This means sharing the right level of information at the right time depending on the needs of the audience.  For instance, several months ago we began privately sharing our preliminary plans for Windows 7 with software and hardware partners who build on the Windows platform.  This gave them an opportunity to give us feedback and gave us the opportunity to incorporate their input into our plans. As the product becomes more complete, we will have the opportunity to share our plans more broadly. Steven Sinofsky, Windows and Windows Live Engineering SVP, talks more about this in his interview with CNET’s Ina Fried, published today: http://news.cnet.com/8301-13860_3-9951638-56.html.

We know that this is a change in our approach, but we are confident that it will help us not only to build even better products, but also to be more predictable in the delivery of our products. We also know that this change has led to some confusion, so we would like to share information today that will hopefully clear up some of this.

Read the rest of this story…

Local Physical Attack Against VISTA To Obtain SYSTEM

May 26, 2008 – 8:44 AM

Pretty cool video doing a local physical attack against a Vista Box.

http://www.offensive-security.com/movies/vistahack/vistahack.html

McGrew Security Blog pointed me to it:

“he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine. In the video, he uses BackTrack to replace Utilman.exe with a copy of cmd.exe. The nice thing about replacing Utilman.exe is that you can make it run before you’re even logged-in by pressing Windows-U.”

It’s short and worth a look.

Via Carnal0wnage

How to Sell Security

May 26, 2008 – 8:35 AM

It’s a truism in sales that it’s easier to sell someone something he wants than something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It’s not that they don’t ever buy these things, but it’s an uphill struggle.

The reason is psychological. And it’s the same dynamic when it’s a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security or a security officer trying to implement a security policy with her company’s employees.

It’s also true that the better you understand your buyer, the better you can sell.

First, a bit about Prospect Theory, the underlying theory behind the newly popular field of behavioral economics. Prospect Theory was developed by Daniel Kahneman and Amos Tversky in 1979 (Kahneman went on to win a Nobel Prize for this and other similar work) to explain how people make trade-offs that involve risk. Before this work, economists had a model of “economic man,” a rational being who makes trade-offs based on some logical calculation. Kahneman and Tversky showed that real people are far more subtle and ornery.

Here’s an experiment that illustrates Prospect Theory. Take a roomful of subjects and divide them into two groups. Ask one group to choose between these two alternatives: a sure gain of $500 and a 50 percent chance of gaining $1,000. Ask the other group to choose between these two alternatives: a sure loss of $500 and a 50 percent chance of losing $1,000.

These two trade-offs are very similar, and traditional economics predicts that whether you’re contemplating a gain or a loss doesn’t make a difference: People make trade-offs based on a straightforward calculation of the relative outcome. Some people prefer sure things and others prefer to take chances. Whether the outcome is a gain or a loss doesn’t affect the mathematics and therefore shouldn’t affect the results. This is traditional economics, and it’s called Utility Theory.

But Kahneman’s and Tversky’s experiments contradicted Utility Theory. When faced with a gain, about 85 percent of people chose the sure smaller gain over the risky larger gain. But when faced with a loss, about 70 percent chose the risky larger loss over the sure smaller loss.

This experiment, repeated again and again by many researchers, across ages, genders, cultures and even species, yielded the same result and rocked economics. Directly contradicting the traditional idea of “economic man,” Prospect Theory recognizes that people have subjective values for gains and losses. We have evolved a cognitive bias: a pair of heuristics. One, a sure gain is better than a chance at a greater gain, or “A bird in the hand is worth two in the bush.” And two, a sure loss is worse than a chance at a greater loss, or “Run away and live to fight another day.” Of course, these are not rigid rules. Only a fool would take a sure $100 over a 50 percent chance at $1,000,000. But all things being equal, we tend to be risk-averse when it comes to gains and risk-seeking when it comes to losses.

Read the rest of the story…

Ad-Aware 2008 Has Arrived!

May 24, 2008 – 10:39 AM

We’re proud to announce: Ad-Aware 2008 Free, Plus, and Pro versions are now available.

While we continue to offer a full-powered anti-spyware solution that is free of charge for personal home use, with this new release, there’s more reason than ever to boost your defenses with our Plus or Pro products. Ad-Aware 2008 Plus and Pro now offer even bigger and better detection; integrated anti-virus along with real-time monitoring provides constant protection to guard against today’s complex threats. Visit our Ad-Aware 2008 Free, Plus and Pro product pages to see the full features of each new version.

Need Ad-Aware Plus or Pro on more than one PC? Save big – up to 71% – with our new multi-pack licenses! More details on our 3-license and 5-license packs are available on each version’s product page.

Want to try before you buy? Now you can! Visit our Trial Center to download a free 30-day trial of Ad-Aware Plus or Pro.

Source: Lavasoft Blog

Newest Firefox Beta has Critical Flaws, Mozilla Admits

May 24, 2008 – 10:32 AM

Mozilla has identified 10 high-priority bugs in Firefox 3.0, three of them pegged “critical,” but won’t decide until next week whether to release the browser anyway or restart the final stretch by issuing a second release candidate (RC2).

“We are making a go/no go decision early next week, as we are still collecting feedback [on Release Candidate 1],” Mike Schroepfer, Mozilla’s vice president of engineering, said in an e-mail Thursday.

Firefox 3.0 Release Candidate 1 (RC1) launched a week ago, but Mozilla has not yet committed to RC2. Previously, the company has only said it is targeting June as the release window for the final code.

On the “mozilla.dev.planning” newsgroup, Schroepfer also said that on May 27 Mozilla will either call Firefox 3.0 finished with RC1, or build RC2 with fixes for the 10 bugs that have been collected.

In the meantime, testing will begin on the 10 bugs. “If we need to do an RC2, they’ll be ready to go,” he said. “If we ship RC1, we can get them in the 3.0.1.”

The bug list includes three marked “critical” on Bugzilla, Mozilla’s bug-tracking database and management system. Eight of the bugs affect Firefox on Windows, Mac OS X and Linux, while two afflict only Linux.

Read the rest of the story…