You have to ask: is there malware on my system? You can be 100 per cent certain there is no malware that you can detect, but less than 100 per cent certain that there is no malware at all. Now, ladies and gentlemen, isn’t this true of every computer we already have? There is no difference just because it’s virtualisation.

Read the entire article at ZDNet.

Spam doesn’t normally catch my attention, but this particular piece of spam left as a comment on this site really caught my eye. I’ve read spam emails before, but never this ridiculous.

{Dear Sir. Mr. Dr. D.I.}
i am mr simon okoye from london,,the Executive director operations intercontinental Bank plc Branch london,28years in Banking system guideline,58 years of age on earth also a married man with three children two boys and one girl,below are there name,pius okoye,peter okoye,olivia okoye,also my wife merry okoye,

So Mr and Mrs Spammer and their three little Spammer kids say hello.

Please take my good day, how are you today,I hope all is transferring very well if so doxology.

Things are transferring very well thanks, and doxology to you too.

SwitzerlandworldBank was confirm about,the money on July 3rd1997, the owner of the money late, Mr,chife, sir, rocky-tiger-king-from isreal

I want to change my job title to Rocky Tiger King now.  From Israel is optional though.

address 22 abarbanel st apt 31 {attn c/o tzur,family rishon 75309 isreal nationality isreal citizen occupations computer formal bank director , age 46 date of birth 23-02-1962 late sir,was the formal executive bank director operations at mercantile discount bank limited isreal bank ,on the years 1994,17 branch 668 rishon lezion isreal ,

I think he’s saying the guy is from Israel… land of the rocky-tiger-kings.

Help to forward this to convert all the documents with
your name backups at Intercontinental bank Plc.
(Forward needed {to i.e.} Boss/Director)
{Your picture and what your occupation is}
{Your telecommunication number}
{Your account detail address of the bank}
{Your account signature}
{Your age and also your fax number}
{Your wife age and occupation}
{The number of your children and what their occupation is}
{The age of your father}
{The age of your mother}
{Your identity card number}

Consider it done Mr Okoye!

Are a must know
1,Bankers need to keep account records
2,Doctors need to keep patient report
3,Lawyers need to keep client report
4,Engineers need to make presentation
5,Secretary need to keep office record
6,Company need to keep trues record
7,Student need to make themselves globally relevant,
this are what the lord almighty created on his world

This is after he explained in great length how the US$965 million would be paid to me in 92 installments.

I promise you that all the money would be transferred into your own account and bear this in mind that all the money would be dividend into 70% is to 20%by 10%

Deep in my heart I want to believe him!

Thanks and Topic by (SA)
Mr. Simon Okoye Director (ie) Bank, and john Anth
Confirm (Sec) Bank.
Yours faithfully,
The Lord bear with us - Amen.70%, 20%.by 10%
THE EXECUTIVE DIRECTOR OPERATIONS INTERCONTINENTAL BANK PLC BRANCH LONDON,

Amen.70%, 20%.by 10% brother.

Jeff Jones posted a blog entry to celebrate Red Hat fixing their 1000th unique security vulnerability.  He also draws attention to a Red Hat post on their “Truth Happens” blog back in August, which itself quotes a post on Lxer.com.

Jeff posts quarterly statistics on his blog that show how many vulnerabilities have been patched for various operating systems.  The LXer.com post takes one of his reports and uses it to demonstrate that Linux is more secure than Windows because Linux vendors fix more security vulnerabilities.

A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix more Windows flaws than the number of open software flaws fixed by the major open source companies . Red Hat, having forty times less employees than Microsoft, did the best job, by fixing and closing the most security bugs, also closing even minor bugs - where Microsoft didn’t even fix one minor bug in the same period. Even Apple did a better job than Microsoft by fixing lots of flaws in Mac OS X.

Jeff found this to be a little amusing.

Seriously, I loved this post, it made me laugh out loud!  Fixing more security vulnerabilities is apparently a good thing in the world of Red Hat Truth.

Well, for those who actively support that theory, I have some fantastic news for them!  According to my calculations, in July 2007, the Red Hat Enterprise Linux 4 team fixed their 1000th unique security vulnerability.  Now, 164 of these were Low severity and 479 were Medium severity, but still, that is a ton of work accomplished by that team, especially given that the product only shipped in February of 2005.

To put that in context, (again by my calculations) Microsoft has fixed only 649 security vulnerabilities for all supported products across the company since the year 2000.

I’m not sure what to think.  Jeff is quite clear on how his reports are generated.  Linux supporters used to tell me that fewer vulnerabilities meant a product was more secure.  Now Linux supporters want to say that more vulnerabilities means the product is more secure, or as one comment on LXer.com puts it:

You spin the data by saying “we fixed the most bugs, leaving the fewest bugs in the new code, therefore we are the best.”

Round and round we go.

Tom Shinder of ISAServer.org takes an amusing shot at the myth in some circles that a “hardware” firewall or “firewall appliance” offers more security than a Microsoft ISA Server firewall.

I was drawn to a particular quote in his article about the relative security of ISA Server to other popular firewalls in the context of the number of reported security vulnerabilities for each product.

A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) have no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall.

There are a lot of firewall appliances out there so I didn’t do an exhaustive search of their stats on Secunia, but I did take a look at the stats for ISA Server, Cisco Pix, and OpenBSD as those are the three firewalls I am most familiar with in my professional life.

ISA Server

Cisco Pix

OpenBSD

I found those numbers to be pretty interesting. It is not unusual to have a customer request that a two-tiered firewall infrastructure be implemented on their environment. Often this means they request that some type of “appliance”, be that a Cisco Pix or some other third party box painted red and given a secure sounding name, be placed between the internet and the ISA Server that we are implementing for them. Sometimes this is based on the principle of defense in depth, whereas other times it is based on a false belief that a product from Microsoft couldn’t possibly be secure. Maybe if they saw the stats above they would think otherwise.

This morning I sat the Microsoft certification exam 70-350 for ISA Server 2004.  I’d been putting this one off for a while, having already worked through the Microsoft Press training guide, a lot of whitepapers, and worked with the product for a lot of different customers over the last couple of years.  I passed the exam with plenty of room to spare.

Someone gave me the tip that the exam is not particularly difficult.  I tend to agree, but that would largely have to do with all of the work and study I’ve put into it beforehand.  ISA Server 2004 is a great product, and the new versions are excellent too.  The biggest hurdles in understanding it seem to be early on when you first start using it.

If you’re looking to do some training on ISA Server 2004 with the goal of certifying then I would strongly recommend the Microsoft Press training guide.  The books contents will thoroughly prepare you for the exam provided you work through the material properly and don’t skimp on the practical exercises or review questions.

You can also make use of the extensive ISA 2004 Technical Library on the Microsoft website.  The documentation there could be used for all of your training instead of using the training guide, but won’t take you through the subject in the same fashion.  However it does make for excellent complimentary material for your training and for your real world work with the product.

I would give you tips on which areas to focus on but really the exam questions I faced pretty well broadly covered the entire product.  There was no particular areas to focus on to the exclusion of others.  I would certainly recommend though that you do not sit the exam until you are thoroughly familiar with fundamental networking concepts such as subnetting and routing, and with the ISA Server 2004 networking model.