Thoughts while at the SANSFire "Securing Windows" course in DC:

Microsoft Security is very sophisticated. Or, should I say, it is very complicated. Bruce Schneier says in "Secrets and Lies" that complexity is the enemy of security. If he is right, then Microsoft systems are heading in exactly the wrong direction.

The Active Directory concept is extremely ambitious. The goals of Active Directory are very appealing. It is a grand unifying object hierarchy. It is distributed in sophisticated ways.

The goal of Microsoft is to empower computer-ignorant people. It isn't just about empowering ignorant users. Actually, the software is designed so that guys who don't know very much about computers can actually be Microsoft system administrators.

People get out of the habit of trying to understand things. Software companies like Microsoft are in the business of hiding details. People who use this kind of software get used to not understanding.

One thing that often comes to mind when I study some complex man-made body of knowledge is that I am, at that moment, similar to a scholar of literature. I must immerse myself in the artificial world. The author is the creator of this world and is not my place to ask why things are what they are. I just accept and study and worship. Science is based on understanding. Science conflicts with religion. It is not in my nature to worship. I like science and engineering.

One interesting thing that happens with modern technology is that it is possible for systems to hide their own complexity. The usual word for this is "interface." Pianos present a uniform and simplified interface that provides exactly the control that the pianist needs without involving them unnecessarily in the in the mechanical internals. The hiding of complexity by using an interface actually adds additional complexity to the system. So that's the interesting part. Perception and technical reality diverge. Computers are simultaneously getting "simpler and simpler" and more and more complex. So which is the truth? Actually, both are true. Most people exist in one or the other world, either the world of the user or the world of the engineer. If you exist in the world of the user, than your reality is that things are getting easier and simpler every year. Engineers perceive the opposite to be true. I think that this is what "The Matrix" is about.

I am sitting in front of my laptop computer at the SANSFire conference in Washington DC. I am attending a course in Microsoft Windows Security. There are several other courses being taught here concurrently. The other courses are all more interesting to me than the course that I am attending. Actually, the course I'm in doesn't talk about real security. The course talks about operating system features. Microsoft Windows 2000 and later includes a lot of cute features that relate to security. However, as far as I can tell, they haven't done anything to improve the real security of computer systems.

I am here at SANSFire because I'm trying to survive. The proliferation of Microsoft is inevitable, so I must be educated in it in order to maintain an authoritative position in real-world information security. It seems that a lot of people react to this situation the same way that I have. It is the inevitability that drives them to act proactively. Microsoft will prevail in the end so we might as well stop fighting the good fight and accept it now, right? I have an analogy that illustrates how stupid I think this is. A young healthy boy could go for a walk in a graveyard. He knows that he will eventually end up there also. So he finds a freshly dug hole and jumps in and buries himself. This is obviously sad and unfortunate. For the same reason, it is sad and unfortunate that I am sitting in this room attending this course, accelerating the worldwide trend into the darkness of Microsoft's monopolistic vision.