Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

CyTRAP Labs global security forecast 2008 – Steve Balmer replacing Bill Gates will not improve reliability and usability of Microsoft products

January 8th, 2008

3rd posting as part of our top IT security challenges for 2008
Apparently, the cyber security forecast for 2008 looks grim, and the iPhone is expected to be a major target for cybercriminals in 2008.
But for most system administrators what matters most is that Microsoft continues to release products that are not ready for the market. Windows Home Server corrupting files and Windows Vista SP1 bringing 300 or more security hotfixes to your desktop do not make us expect a less stormy IT security year than we had in 2007.

Recently we outlined why we need a lot of work during 2008 regarding:

REGULATION has to enable regulators to go where the cash is – survey says


as discussed here:

CyTRAP Labs global security forecast 2008 – biggest obstacles against a safer Internet are …

The art of forecasting tomorrow’s troubles is intimately related with the art of forecasting tomorrow’s pointless wonders.

CyTRAP Labs global security forecast 2008 – users take care – silliness is everywhere

Nonetheless, we know two things:

1) 2008 will not make it easier for us and, as importantly,

2) the new year arrived at great speed, and many of us might still be scrambling to get ready for it (see the train image below).

Image: fast like the ICE train – 2008 is here

So what else should we work on besides improving regulation and awareness levels of our school children?


1) It is important to note that forecasts about information security are inevitably forecasts about information systems and the software that makes them run properly. Unfortunately, a large part of what makes information systems open to attack is that they contain bugs, often and pertinently referred to as undocumented features. The more experience one has with any one piece of software, the more holes can be closed.

Yet, even a perfect fix lasts only until the next innovation hits the system.

2) Software vendors have continued to release products that are not ready for the market without being punished for sloppy work, as should be the case in competitive markets. For instance, Microsoft released its Windows Home Server just about a year ago. Imagine, a product that damages the very information that is being saved to it. Worst of all, this happened 12 months after the product was announced with great fanfare by Bill Gates during last year's Computer Electronics Show, or CES, in Las Vegas.

Releasing a product with a serious bug is one thing. Continuing to sell a defective product for 12 months borders on irresponsibility and flagrant disrespect for customers.

At the very least, it suggests that a few things remain amiss with Microsoft’s quality control.

How much trust can a home user put in this kind of product engineering? As professionals, we should run for cover. We reported about this here:

CyTRAP Labs quicktip – Windows Home Server corrupts files

3) As if the above were not enough, Microsoft has outdone itself by admitting that it will release more than 300 security hotfixes for Windows Vista just about 13 months after the product was released to the public. We reported about it here:

Windows Vista SP1 includes more than 300 hot fixes

The above shows that, given Microsoft’s market dominance (see also our earlier posting), things are far from perfect:

CyTRAP Labs legislative watch – European Court of First Instance rules on Microsoft vs. European Commission – Looser is …?

And now Bill Gates has just told us, during his last speech as the Microsoft spokesperson giving the keynote at the 2008 CES in Las Vegas:

    … the next decade will be about making digital devices easier to use.

Why aim that low? How about releasing products that are safe, secure and usable?

Microsoft Chairman Bill Gates and Robbie Bach, President of the Entertainment & Devices Division – the opening keynote of CES 2008.


Recently, Andrew Jaquith stated that, based on some work he did (a report for his employer, whose name shall remain confidential), his view is that security vendors will be forced to strengthen the detection and recovery parts of their product portfolios. At the same time he praised Dan Geer’s report (undated, about Nov. 2007), A Quant Looks at the Future – Extrapolation via Trend Analysis, as:

    … a masterful synthesis of a lot of other people’s data. The upshot: things are getting worse. Needless to say, it beats the pulp out of any of the other Internet security trend reports I’ve seen all year. Stupendous. I doff my feathered foofy cap in your general direction, sir Dan.

But analyses of such data are of questionable merit, because the way the data were collected does not allow for generalizations (the FBI security survey and other interesting data sources are cases in point). Various data sources, not necessarily ones a statistician would consider valid or reliable, are used to show tons of charts and apparent trends.


While Dan Geer’s report is very interesting and revealing, it is also important that the security community shapes up its own disclosure process and does not act like a bunch of sheep.

The herd behavior phenomenon was exhibited just around 2007-01-02, when everybody started issuing a Real Player alert without having seen the technical details. Issuing an early warning based on unreliable data, or on no first-hand information at all, seems hazardous if not outright irresponsible:

how the sheep followed the grand-daddy of all CERTs across the cliff – survey says …

Calling such an undocumented vulnerability very critical while having neither the exploit code nor any technical details raises serious questions about the added value of early warning systems (EWS) and about how little trust we should perhaps put in their services.


2008 will be an interesting year for sure with such challenges as:

1) People giving up their privacy without realizing it. People must be aware that anything posted online for one’s friends now could very easily come back to haunt one in days, months, or even years to come.

2) Besides these, threats to and exploits of Radio Frequency Identification (RFID) systems will represent a further erosion of privacy rights and protections for citizens everywhere, as we outlined here, for instance:

CyTRAP Labs legislative trend – will National Identity Register NIR offer new opportunities for crime?

As you can see, security experts forecasting a stormy 2008 are probably right, and plenty of malware, vulnerabilities and zero-day exploits will be coming our way. But some of the biggest threats are due to Microsoft’s market dominance and our unwillingness to pay for security until it is usually too late.

Microsoft’s market dominance will continue to bring us defective products released to users around the globe.




More information on this topic can be found here:

CyTRAP Labs forecast about malware – acquired cyber immunodeficiency syndrome – ACIDS the digital version of AIDS?

CyTRAP Labs’ IT security predictions and trends for 2007: Top ten threats and exploits

4 protecting the ecosystem – Microsoft ends support for Windows XP …


