Archive for November, 2015
Users report that they are unable to print. You verify that the print spooler service is running. What should you do next?
A. Purge the service
B. Disable the service
C. Pause the service
D. Restart the service
To protect a server in case of a blackout, you should use a/an:
A. Uninterruptible Power Supply.
B. Dedicated surge protector.
C. Power Supply Unit.
D. Redundant power supply.
E. Hot-swappable power supply.
F. Line conditioner.
Power On Self Test (POST) runs when a computer first boots.
Which component software issues this test?
A. Complementary Metal Oxide Semiconductor
B. Northbridge On Board Chip
C. Basic Input/Output System
D. Southbridge On Board Chip
Explanation: The four main functions of a PC BIOS (Basic Input/Output System).
POST – Test the computer hardware and make sure no errors exist before loading the operating system. Additional information on the POST can be found on our POST and Beep Codes page.
Bootstrap Loader – Locate the operating system. If a capable operating system is located, the BIOS will pass control to it.
BIOS drivers – Low level drivers that give the computer basic operational control over your computer’s hardware.
BIOS or CMOS Setup- – Configuration program that allows you to configure hardware settings including system settings such as computer passwords, time, and date.
You have an Active Directory infrastructure that contains one domain and seven domain controllers. How many forests can you have without creating any trusts?
Explanation: In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003 forests together to form a one-way or two-way, transitive trust relationships. A two-way, forest trust is used to form a transitive trust relationship between every domain in both forests.
You are troubleshooting a permissions issue with the Reports share. The permissions are shown in the following image:
The groups connect to the share.
Use the drop-down menus to select the answer choice that answers each question. Each correct selection is worth one point.
Which RAID level mirrors a set of disks and then stripes across the disks?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10
Explanation: A RAID 1+0, sometimes called RAID 1&0 or RAID 10. RAID 10 is a stripe of mirrors.
You are employed as an analyst at ABC.com. ABC.com makes use of Project Server 2013 in their
You are currently performing a Portfolio Analysis. You want to identify projects that should be
included in or excluded from the portfolio automatically.
Which of the following actions should you take?
A. You should consider making use of the Filtering options.
B. You should consider making use of the Sorting options.
C. You should consider making use of the Grouping options.
D. You should consider making use of the Force In and Force Out options.
You are employed as a project manager at ABC.com. ABC.com makes use of Project Server 2013
in their environment.
Edit permissions have been granted to all project managers. After successfully editing and
publishing a project in Project Web App (PWA), you are informed that other project managers are
unable to edit your project.
You then access the Project Center in PWA to fix the problem.
Which of the following actions should you take?
A. You should consider making use of the Resource Plan button.
B. You should consider making use of the Build Team button.
C. You should consider making use of the Check in My Projects button.
D. You should consider making use of the Project Permissions button.
You are employed as a portfolio manager at ABC.com. ABC.com makes use of Project Online in
The following have been set for a portfolio selection:
•The main constraints to identify the efficient frontier.
ABC.com has accumulated business cases for new proposals, of which a large number can apply
to the same business requirement.
You have been instructed to make sure that the analysis generates the most suitable proposal
with regards to cost and resources. You also have to make sure that the portfolio selection does
not include any recurring efforts.
Which of the following actions should you take?
A. You should consider creating a mutual exclusion dependency among all these projects.
B. You should consider creating a mutual inclusion dependency among all these projects.
C. You should consider creating a specific exclusion dependency among all these projects.
D. You should consider creating a specific inclusion dependency among all these projects.
You are employed as a program manager at ABC.com. ABC.com makes use of Project Server
2013 in their environment.
ABC.com has a data warehouse that collects relational information from various business areas.
The execution of this data warehouse is currently your responsibility.
You want to make sure that project managers have the ability to administer the execution for a
business area as individual projects, while the dependencies are still accepted at a program level.
You have instructed the project managers to create, save, and publish sub-projects for every area.
Which of the following actions should you take NEXT?
A. You should consider defining dependencies.
B. You should consider creating a master project file.
C. You should consider inserting the sub-projects into a program-level project.
D. You should consider creating a shared project file.
You are employed as a program manager at ABC.com. ABC.com makes use of Project Server
2013 and Project Professional 2013 in their environment.
ABC.com is in the process of implementing a data warehouse. You have been given the
responsibility of supervising this process.
Part of your duties is to configure a program master project that includes subprojects for every
implementation area. Alterations to the dependencies must occur between projects.
You need to achieve your goal in the shortest time possible.
Which of the following actions should you take?
A. You should consider making use of Project Server 2013 to access the program-level project
from Project Web App (PWA).
B. You should consider making use of Project Professional 2013 to access the program-level
project from Project Web App (PWA).
C. You should consider making use of Project Server 2013 to access each of the required
subprojects from Project Web App (PWA).
D. You should consider making use of Project Professional 2013 to access each of the required
subprojects from Project Web App (PWA).
Exam 70-697 Configuring Windows Devices (beta)
Published: September 1, 2015
Audiences: IT professionals
Technology Windows 10
Credit toward certification: Specialist
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam. View video tutorials about the variety of question types on Microsoft exams.
Please note that the questions may test on, but will not be limited to, the topics described in the bulleted text.
Do you have feedback about the relevance of the skills measured on this exam? Please send Microsoft your comments. All feedback will be reviewed and incorporated as appropriate while still maintaining the validity and reliability of the certification process. Note that Microsoft will not respond directly to your feedback. We appreciate your input in ensuring the quality of the Microsoft Certification program.
If you have concerns about specific questions on this exam, please submit an exam challenge.
Manage identity (13%)
Support Windows Store and cloud apps
Install and manage software by using Microsoft Office 365 and Windows Store apps, sideload apps by using Microsoft Intune, sideload apps into online and offline images, deeplink apps by using Microsoft Intune, integrate Microsoft account including personalization settings
Support authentication and authorization
Identifying and resolving issues related to the following: Multi-factor authentication including certificates, Microsoft Passport, virtual smart cards, picture passwords, and biometrics; workgroup vs. domain, Homegroup, computer and user authentication including secure channel, account policies, credential caching, and Credential Manager; local account vs. Microsoft account; Workplace Join; Configuring Windows Hello
Plan desktop and device deployment (13%)
Migrate and configure user data
Migrate user profiles; configure folder location; configure profiles including profile version, local, roaming, and mandatory
Create and configure virtual machines including integration services, create and manage checkpoints, create and configure virtual switches, create and configure virtual disks, move a virtual machine’s storage
Configure mobility options
Configure offline file policies, configure power policies, configure Windows To Go, configure sync options, configure Wi-Fi direct, files, powercfg, Sync Center
Configure security for mobile devices
Configure BitLocker, configure startup key storage
Plan and implement a Microsoft Intune device management solution (11%)
Support mobile devices
Support mobile device policies including security policies, remote access, and remote wipe; support mobile access and data synchronization including Work Folders and Sync Center; support broadband connectivity including broadband tethering and metered networks; support Mobile Device Management by using Microsoft Intune, including Windows Phone, iOS, and Android
Deploy software updates by using Microsoft Intune
Use reports and In-Console Monitoring to identify required updates, approve or decline updates, configure automatic approval settings, configure deadlines for update installations, deploy third-party updates
Manage devices with Microsoft Intune
Provision user accounts, enroll devices, view and manage all managed devices, configure the Microsoft Intune subscriptions, configure the Microsoft Intune connector site system role, manage user and computer groups, configure monitoring and alerts, manage policies, manage remote computers
Configure networking (11%)
Configure IP settings
Configure name resolution, connect to a network, configure network locations
Configure networking settings
Connect to a wireless network, manage preferred wireless networks, configure network adapters, configure location-aware printing
Configure and maintain network security
Configure Windows Firewall, configure Windows Firewall with Advanced Security, configure connection security rules (IPsec), configure authenticated exceptions, configure network discovery
Configure storage (10%)
Support data storage
Identifying and resolving issues related to the following: DFS client including caching settings, storage spaces including capacity and fault tolerance, OneDrive
Support data security
Identifying and resolving issues related to the following: Permissions including share, NTFS, and Dynamic Access Control (DAC); Encrypting File System (EFS) including Data Recovery Agent; access to removable media; BitLocker and BitLocker To Go including Data Recovery Agent and Microsoft BitLocker Administration and Monitoring (MBAM)
Manage data access and protection (11%)
Configure shared resources
Configure shared folder permissions, configure HomeGroup settings, configure libraries, configure shared printers, configure OneDrive
Configure file and folder access
Encrypt files and folders by using EFS, configure NTFS permissions, configure disk quotas, configure file access auditing Configure authentication and authorization
Manage remote access (10%)
Configure remote connections
Configure remote authentication, configure Remote Desktop settings, configure VPN connections and authentication, enable VPN reconnect, configure broadband tethering
Configure mobility options
Configure offline file policies, configure power policies, configure Windows To Go, configure sync options, configure Wi-Fi direct
Manage apps (11%)
Deploy and manage Azure RemoteApp
Configure RemoteApp and Desktop Connections settings, configure Group Policy Objects (GPOs) for signed packages, subscribe to the Azure RemoteApp and Desktop Connections feeds, export and import Azure RemoteApp configurations, support iOS and Android, configure remote desktop web access for Azure RemoteApp distribution
Support desktop apps
The following support considerations including: Desktop app compatibility using Application Compatibility Toolkit (ACT) including shims and compatibility database; desktop application co-existence using Hyper-V, Azure RemoteApp, and App-V; installation and configuration of User Experience Virtualization (UE-V); deploy desktop apps by using Microsoft Intune
Manage updates and recovery (10%)
Configure system recovery
Configure a recovery drive, configure system restore, perform a refresh or recycle, perform a driver rollback, configure restore points
Configure file recovery
Restore previous versions of files and folders, configure File History, recover files from OneDrive
Configure and manage updates
Configure update settings, configure Windows Update policies, manage update history, roll back updates, update Windows Store apps
In major metropolitan areas and smaller cities alike, governments are adopting software-defined networking (SDN) and network function virtualization (NFV) to deliver the agility and flexibility needed to support adoption of “smart” technologies that enhance the livability, workability and sustainability of their towns.
Today there are billions of devices and sensors being deployed that can automatically collect data on everything from traffic to weather, to energy usage, water consumption, carbon dioxide levels and more. Once collected, the data has to be aggregated and transported to stakeholders where it is stored, organized and analyzed to understand what’s happening and what’s likely to happen in the future.
There’s a seemingly endless list of potential benefits. Transportation departments can make informed decisions to alleviate traffic jams. Sources of water leaks can be pinpointed and proactive repairs scheduled. Smart payments can be made across city agencies, allowing citizens to complete official payments quickly and reducing government employee time to facilitate such transactions. And even public safety can be improved by using automated surveillance to assist the police watch high-crime hotspots.
Of particular interest is how healthcare services can be improved. There is already a push to adopt more efficient and effective digital technology management systems to better store, secure and retrieve huge amounts of patient data. Going a step further, a smart city is better equipped to support telemedicine innovations that require the highest quality, uninterrupted network service. Telesurgery, for example, could allow for specialized surgeons to help local surgeons perform emergency procedures from remote locations — the reduction of wait time before surgery can save numerous lives in emergency situations, and can help cities and their hospital systems attract the brightest minds in medical research and practice.
The smart city of today
While the smart city is expected to become the norm, examples exist today. Barcelona is recognized for environmental initiatives (such as electric vehicles and bus networks), city-wide free Wi-Fi, smart parking, and many more programs, all of which benefit from smart city initiatives. With a population of 1.6 million citizens, Barcelona shows that smart city technologies can be implemented regardless of city size.
But even smaller cities are benefitting from going “smart.” In 2013 Cherry Hill, New Jersey, with a population of only 71,000, began using a web-based data management tool along with smart sensors to track the way electricity, water, fuel and consumables are being utilized, then compared usage between municipal facilities to identify ways to be more efficient. Chattanooga, Tennessee, population 170,000, along with its investment to provide the fastest Internet service in the U.S., has recently begun developing smart city solutions for education, healthcare and public safety.
How do cities become smart? The most immediate need is to converge disparate communications networks run by various agencies to ensure seamless connectivity. To achieve this, packet optical based connectivity is proving critical, thanks largely to the flexibility and cost advantages it provides. Then atop the packet optical foundation sits technology that enables NFV and the applications running on COTS (commercial off-the-shelf) equipment in some form of virtualized environment. SDN and NFV allow for the quick and virtual deployment of services to support multiple data traffic and priority types, as well as increasingly unpredictable data flows of IoT.
Decoupling network functions from the hardware means that architectures can be more easily tweaked as IoT requirements change. Also, SDN and NFV can yield a more agile service provision process by dynamically defining the network that connects the IoT end devices to back-end data centers or cloud services.
The dynamic nature of monitoring end-points, location, and scale will require SDN so that networks can be programmable and reconfigured to accommodate the moving workloads. Take for example, allocating bandwidth to a stadium for better streaming performance of an event as the number of users watching remotely on-demand goes up—this sort of dynamic network-on-demand capability is enabled by SDN. Additionally, NFV can play a key role where many of the monitoring points that make the city “smart” are actually not purpose-built hardware-centric solutions, but rather software-based solutions that can be running on-demand.
With virtual network functions (VNF), the network can react in a more agile manner as the municipality requires. This is particularly important because the network underlying the smart city must be able to extract high levels of contextual insight through real-time analytics conducted on extremely large datasets if systems are to be able to problem-solve in real-time; for example, automatically diverting traffic away from a street where a traffic incident has taken place.
SDN and NFV may enable the load balancing, service chaining and bandwidth calendaring needed to manage networks that are unprecedented in scale. In addition, SDN and NFV can ensure network-level data security and protection against intrusions – which is critical given the near-impossible task of securing the numerous sensor and device end points in smart city environments.
Smart city business models
In their smart city initiatives, cities large and small are addressing issues regarding planning, infrastructure, systems operations, citizen engagement, data sharing, and more. The scale might vary, but all are trying to converge networks in order to provide better services to citizens in an era of shrinking budgets. As such, the decision on how to go about making this a reality is important. There are four major smart city business models to consider, as defined by analysts at Frost & Sullivan (“Global Smart City Market a $1.5T Growth Opportunity In 2020”):
Build Own Operate (BOO): In a BOO model, municipalities own, control, and independently build the city infrastructure needed, and deliver the smart city services themselves. Both operation and maintenance of these services is under the municipality’s control, often headed up by their city planner.
Build Operate Transfer (BOT): Whereas in a BOO model, the municipality is always in charge of the operation and management of smart city services, in a BOT model that is only the case after a little while – the smart city infrastructure building and initial service operation is first handled by a trusted partner appointed by the city planner. Then, once all is built and in motion, operation is handed back over to the city.
Open Business Model (OBM): In an OBM model, the city planner is open to any qualified company building city infrastructure and providing smart city services, so long as they stay within set guidelines and regulations.
Build Operate Manage (BOM): Finally, there is the BOM model, which is where the majority of smart city projects are likely to fall under. In this model, the smart city planner appoints a trusted partner to develop the city infrastructure and services. The city planner then has no further role beyond appointment – the partner is in charge of operating and managing smart city services.
SDN and NFV: The keys to the (smart) city
With the appropriate business model in place and the network foundation laid out, the technology needs to be implemented to enable virtualization. Virtualized applications allow for the flexibility of numerous data types, and the scalability to transport huge amounts of data the city aims to use in its analysis.
SDN and NFV reduce the hardware, power, and space requirements to deploy network functions through the use of industry-standard high-volume servers, switches and storage; it makes the network applications portable and upgradeable with software; and it allows cities of all sizes the agility and scalability to tackle the needs and trends of the future as they arise. Like the brain’s neural pathways throughout a body, SDN and NFV are essential in making the smart city and its networks connect and talk to each other in a meaningful way.
How should the enterprise address the growing adoption of wearables?
The Internet of Things and wearable technology are becoming more integrated into our everyday lives. If you haven’t already, now is the time to begin planning for their security implications in the enterprise.
According to research firm IHS Technology, more than 200 million wearables will be in use by 2018. That’s 200 million more chances of a security issue within your organization. If that number doesn’t startle you, Gartner further predicts that 30% of these devices will be invisible to the eye. Devices like smart contact lenses and smart jewelry will be making their way into your workplace. Will you be ready to keep them secure even if you can’t see them?
According to TechTarget, “Although there haven’t been any major publicized attacks involving wearables yet, as the technology becomes more widely incorporated into business environments and processes, hackers will no doubt look to access the data wearables hold or use them as an entry point into a corporate network.”
While it’s true that IT cannot possibly be prepared for every potential risk, as an industry we need to do a better job of assessing risks before an attack happens. This includes being prepared for new devices and trends that will pose all new risks for our organizations.
How many of us read the news about a new data breach practically every day and have still yet to improve security measures within our own organizations? If you’re thinking “guilty,” you’re not alone. Organizational change can’t always happen overnight, but we can’t take our eyes off the ball either.
In a 2014 report, 86% of respondents expressed concern for wearables increasing the risk of data security breaches. IT Business Edge suggests, “With enterprise-sensitive information now being transferred from wrist to wrist, businesses should prepare early and create security policies and procedures regarding the use of wearables within the enterprise.” Updating policies is a smart move, but the hard part is anticipating the nature and use of these new devices and then following through with implementing procedures to address them. It seems it may be easier said than done.
We all know that wearables pose security challenges, but how do IT departments begin to address them? This can be especially challenging considering that some of the security risks lie on the device manufacturers rather than the teams responsible for securing the enterprise network the technology is connected to. Many wearables have the ability to store data locally without encryption, PIN protection, or user-authentication features, meaning that if the device is lost or stolen, anyone could potentially access the information.
Beyond the data breach threat of sensitive information being accessed by the wrong hands, wearables take it a step further by providing discreet access for people to use audio or video surveillance to capture sensitive information. Is someone on your own team capturing confidential information with their smartwatch? You may not realize it’s happening until it’s too late.
How can we effectively provide security on devices that appear insecure by design? It seems the safest option is to ban all wearables in the enterprise – there are too many risks associated with them, many of which seemingly cannot be controlled. If this thought has crossed your mind, I may have bad news for you. This isn’t really an option for most organizations, especially those looking to stay current in today’s fast-paced society. TechTarget’s Michael Cobb explains, “Banning wearable technology outright may well drive employees from shadow IT to rogue IT – which is much harder to deal with.”
If the threat of rogue IT isn’t enough to convince you, also consider that there may very well be real benefits of wearables for your organization. According to Forrester, the industries that will likely benefit from this technology in the short term are healthcare, retail, and public safety organizations. As an example in the healthcare field, Forrester suggests that “the ability of biometric sensors to continually monitor various health stats, such as blood glucose, blood pressure and sleep patterns, and then send them regularly to healthcare organizations for monitoring could transform health reporting.” There are many examples for other industries, and the market continues to evolve every day.
It all boils down to this: enterprise wearables present a classic case of risk versus reward. We know there are many security risks, but are the potential rewards great enough to make the risks worthwhile? This answer may vary based on your industry and organization, but chances are there are many real business opportunities that can come from wearable technology.
If you haven’t already, it’s time to start talking with your teams about what those opportunities are and the best ways to ease the associated risks. As we all know, the technology will move forward with or without us and the ones who can effectively adapt will be the ones who succeed. It’s our job to make sure our organizations are on the right side of that equation.
Object lessons from infamous 2005 Sony BMG rootkit security/privacy incident are many — and Sony’s still paying a price for its ham-handed DRM overreach today.
Hackers really have had their way with Sony over the past year, taking down its Playstation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview comedy about a planned assassination on North Korea’s leader. Some say all this is karmic payback for what’s become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management.
“In a sense, it was the first thing Sony did that made hackers love to hate them,” says Bruce Schneier, CTO for incident response platform provider Resilient Systems in Cambridge, Mass.
LogRhythm CEO hobbies
Mikko Hypponen, chief research officer at F-Secure, the Helsinki-based security company that was an early critic of Sony’s actions, adds:
“Because of stunts like the music rootkit and suing Playstation jailbreakers and emulator makers, Sony is an easy company to hate for many. I guess one lesson here is that you really don’t want to make yourself a target.
“When protecting its own data, copyrights, money, margins and power, Sony does a great job. Customer data? Not so great,” says Hypponen, whose company tried to get Sony BMG to address the rootkit problem before word of the invasive software went public. “So, better safe than Sony.”
The Sony BMG scandal unfolded in late 2005 after the company (now Sony Music Entertainment) secretly installed Extended Copy Protection (XCP) and MediaMax CD-3 software on millions of music discs to keep buyers from burning copies of the CDs via their computers and to inform Sony BMG about what these customers were up to. The software, which proved undetectable by anti-virus and anti-spyware programs, opened the door for other malware to infiltrate Windows PCs unseen as well. (As if the buyers of CDs featuring music from the likes of Celine Dion and Ricky Martin weren’t already being punished enough.)
The Sony rootkit became something of a cultural phenomenon. It wound up as a punch line in comic strips like Fox Trot, it became a custom T-shirt logo and even was the subject of class skits shared on YouTube. Mac fanboys and fangirls smirked on the sidelines.
“In a sense, [the rootkit] was the first thing Sony did that made hackers love to hate them,” says Bruce Schneier, Resilient Systems CTO.
Security researcher Dan Kaminsky estimated that the Sony rootkit made its mark on hundreds of thousands of networks in dozens of countries – so this wasn’t just a consumer issue, but an enterprise network one as well.
Once Winternals security researcher Mark Russinovich — who has risen to CTO for Microsoft Azure after Microsoft snapped up Winternals in 2006 — exposed the rootkit on Halloween of 2005, all hell broke loose.
Sony BMG botched its initial response: “Most people don’t even know what a rootkit
is, so why should they care about it?” went the infamous quote from Thomas Hesse, then president of Sony BMG’s Global Digital Business. The company recalled products, issued and re-issued rootkit removal tools, and settled lawsuits with a number of states, the Federal Trade Commission and the Electronic Frontier Foundation.
Microsoft and security vendors were also chastised for their relative silence and slow response regarding the rootkit and malware threat. In later years, debate emerged over how the term “rootkit” should be defined, and whether intent to maliciously seize control of a user’s system should be at the heart of it.
In looking back at the incident now, the question arises about how such a privacy and security affront would be handled these days by everyone from the government to customers to vendors.
“In theory, the Federal Trade Commission would have more authority to go after [Sony BMG] since the FTC’s use of its section 5 power has been upheld by the courts,” says Scott Bradner, University Technology Security Officer at Harvard. “The FTC could easily see the installation of an undisclosed rootlet as fitting its definition of unfair competitive practices.”
Bill Bonney, principal consulting analyst with new research and consulting firm TechVision Research, says he can’t speak to how the law might protect consumers from a modern day Sony BMG rootkit, but “with the backlash we have seen for all types of non-transparent ways (spying, exploiting, etc.) companies are dealing with their customers, I think in the court of public opinion the response could be pretty substantial and, as happened recently with the EU acting (theoretically) because of [the NSA’s PRISM program], if the issue is egregious enough there could be legal or regulatory consequences. “
As for how customers might react today, we’ve all seen how quickly people turn to social media to take companies to task for any product or service shortcoming or any business shenanigans. Look no further than Lenovo, which earlier this year got a strong dose of negative customer reaction when it admittedly screwed up by pre-loading Superfish crapware onto laptops. That software injected product recommendations into search results and opened a serious security hole by interfering with SSL-encrypted Web traffic.
In terms of how security vendors now fare at spotting malware or other unsavory software, Schneier says “There’s always been that tension, even now with stuff the NSA and FBI does, about how this stuff is classified. I think [the vendors] are getting better, but they’re still not perfect… It’s hard to know what they still let by.”
Noted tech activist Cory Doctorow, writing for Boing Boing earlier this month, explains that some vendors had their reasons for not exposing the Sony rootkit right away. “Russinovich was not the first researcher to discover the Sony Rootkit, just the first researcher to blow the whistle on it. The other researchers were advised by their lawyers that any report on the rootkit would violate section 1201 of the DMCA, a 1998 law that prohibits removing ‘copyright protection’ software. The gap between discovery and reporting gave the infection a long time to spread.”
Reasons for hope though include recent revelations by the likes of Malwarebytes, which warned users that a malicious variety of adware dubbed eFast was hijacking the Chrome browser and replacing it, by becoming the default browser associated with common file types like jpeg and html.
Schneier says it’s important that some of the more prominent security and anti-virus companies — from Kaspersky in Russia to F-Secure in Finland to Symantec in the United States to Panda Security in Spain — are spread across the globe given that shady software practices such as the spread of rootkits are now often the work of governments.
“You have enough government diversity that if you have one company deliberately not finding something, then others will,” says Schneier, who wrote eloquently about the Sony BMG affair for Wired.com back in 2005.
The non-profit Free Software Foundation Europe (FSFE) has been calling attention to the Sony BMG rootkit’s 10th anniversary, urging the masses to “Make some noise and write about this fiasco” involving DRM. The FSFE, seeing DRM as an anti-competitive practice, refers to the words behind the acronym as digital restriction management rather than the more common digital rights management.
F-Secure Chief Research Officer Mikko Hypponen: “I guess one lesson here is that you really don’t want to make yourself a target.”
Even worse, as the recent scandal involving VW’s emissions test circumvention software shows, is that businesses are still using secret software to their advantage without necessarily caring about the broader implications.
The object lessons from the Sony BMG scandal are many, and might be of interest to those arguing to build encryption backdoors into products for legitimate purposes but that might be turned into exploitable vulnerabilities.
One basic lesson is that you shouldn’t mimic the bad behavior that you’re ostensibly standing against, as Sony BMG did “in at least appearing to violate the licensing terms of the PC manufacturers” TechVision’s Bonney says.
And yes, there is a warning from the Sony BMG episode “not to weaponize your own products. You are inviting a response,” he says.