Microsoft has revealed the guidelines it gives its own developers to help them decide when users need a rude reminder to stop putting themselves at risk of security problems. Redmond's rules boil down to being neat and spruce, but the two adjectives are acronyms rather than items in a dress code. NEAT stands for the following …
..serious about security since -- oh wait!
Hey, give'em a break, they made posters and called meetings and everything!
A security risk has been detected.
Please format hard drive and install another OS.
I know. Flame away- I'm chilly.
Re: A security risk has been detected.
As long as you're a Microsoft developer it's a bit difficult if you wish to keep your job... and in these hard times losing a job is pretty stupid.
Re: A security risk has been detected.
I thought the standard open source response was "[insert flavour] has been doing this for years!"
I'm missing an option...
"A warning should only interrupt a user if it is absolutely necessary to involve the user. "
So what about the situation where a user (admin in my case) wants to be interrupted? Sometimes such warnings can help you find bigger problems. And yes, most likely you could find those in the event logs, but that's not my point since we're talking about interruptions here.
Re: I'm missing an option...
If you want to nit-pick, I expect the pedants will claim that if it's "wanted" then it isn't an "interruption".
OS wars aside, I have to applaud the common sense found in the following excerpt:
"Microsoft engineers do not have time in their day to read 24 pages and 68 bullet points about usable security"
How refreshingly honest.
Do they hang around the coffee vending machine most of the day?
I wonder if that was 'once, at hire time' or 'for every security issue'
I'm guessing it is the former.
I really like the amount of effort MS are putting into supporting and assisting developers with guidelines and how-tos. I've been seriously impressed with what they're coming out with over the last six months. Beer for MS for really turning things around.
Did you just imply that they've been doing it wrong for ~30 years?
Other application for SPRUCE
Could probably be used for organising oneself before taking an issue needing a decision to a manager.
Or, if you are fortunate enough to have staff under you, for them to present the issue in a structured way.
Details about security .. in a .docx document.
Bwahahahahaaaahaha. Hoohahahahaaa. Hihihihi.
Sorry, hihi, I, hahaha, have to lie down for a moment. BWAHAHAHAHAHA. Hihihi. Sniffel. Hihihihi.
Let me know who falls for that one. Hahahaha. Absolutely epic.
Hmm, let me guess: would you have the same fun with a security paper published in PDF format? You know, like the ones used by Secunia white papers etc.?
Now, check the number of exploits against Adobe Reader in recent years compared to Microsoft Word 2007 (where .docx was introduced) or later. Anything coming to mind?
You know, I have actually done some analysis on that (I got bored one day, doesn't happen often), and I found that text files cover about 90% of my needs because it's the fastest medium for my profession, followed closely by images when something is easier explained in a picture (typically hardware related, or a structure). Combine the two and .rtf is all you need.
Next to that come spreadsheets, but that's no longer just info, that's modelling.
From that it follows that every other bit of formatting is superfluous (I have to stress that that is for ME) - it may make things look prettier but doesn't add any value - but it also doesn't invite the "must add pretty picture to make it look good" syndrome or the hour-long fiddling with formatting which doesn't improve the data itself.
Now for data formats. I read PDFs in non-Adobe readers because I have long given up trusting them to produce something that works without the need for updates every hour (very Microsoft compatible), so I'm less worried here - and the process is sandboxed by default.
My personal preference for office format is ODF, which happens to be a European Standard that was achieved by consensus rather than bribery and flat-out structural abuse. It just happens to be less risky as well.
Now, to answer your question: apples and pears. That another format is less or more risky is irrelevant. The current format is laughable. I see no real reason why such data cannot be placed online in a wiki or other open, more risk-free, accessible format. I don't see why users must yet again have this deplorable abomination of an office format rammed down their throats.
Oh, wait. Forget I mentioned it.
"I see no real reason why such data cannot be placed online in a wiki or other open, more risk-free, accessible format."
I have an answer to that, and it's very simple. Some employee of a large corporation (it's irrelevant which one) got paid to produce this document. It was scrutinized by his bosses, the bosses of his bosses, and also possibly helped along by his PA, the PA of his boss, and perhaps a whole bunch of other people. As much as said employee would have (imaginably) liked to have just written text and been done with it, at some level of large corporations, plain txt just "does not seem to work". Because, as it happens, somewhere up in the hierarchy there are people who get a rash on seeing a document without (totally unnecessary) formatting. These are usually the people who care less about the content than about the form. Luckily formatting can be easily added, using the local tool of choice.
It is sad that the time of technical experts is wasted in getting them to write things down with (totally superfluous) formatting, but that's how these things work.
Sounds like something every developer should take to heart, especially considering how low a priority both security and usability tend to get in many development organizations. Catchy acronyms can help, especially for developers to remind each other -- and to communicate with management, as in "Yes, we should actually spend five hours of development and testing time to change these messages, in order not to confuse and enrage our users."
Interrupted for the millionth time in a day
I remember those warnings. I really wanted to throw the computer out of the window thanks to programs stealing focus whenever I typed, going "ZOMG, such and such has a new update, we're going to steal focus and annoy you by trying to install the Ask.com toolbar."
What I find hilarious
is that this is coming from the SAME COMPANY that to this very day gives you jack and squat for info on patches from Windows Update without launching your browser! Would it REALLY kill them to give us more than a pointless KB number that doesn't tell us what the patch is for? Maybe a teeny tiny summary; would that be so hard?
Glass houses and stones, MSFT, glass houses and stones.