Friday, October 23, 2009

Live Mesh

In response to Tim Hogg, the Program Manager for Live Mesh, stating that "The solution is to add the affected login to the Administrators group, enabling the installation of updates that are waiting in the update queue", I felt this response was appropriate:

I'm sorry, but are you saying that, going against all good programming practice and security best practice, Microsoft is recommending that end users are elevated to Administrators so they can run Live Mesh?

Really?

I mean REALLY???

Tim, as a program manager at Microsoft, you have access to all kinds of resources that we general plebeian members of society don't have, yet you choose to stick with the "you must be an administrator to run Live Mesh" story against all manner of best practice evidence that this is an old, obsolete, insecure, unsafe and highly not recommended practice. Sure, I commend you for sticking up for your beliefs, but I certainly don't commend you for denying all the evidence to the contrary and insisting that we reduce the security of our networks to run Live Mesh.

And then, on top of that, Live Mesh installs perfectly alright as a Limited User. Now this, in addition to the fact that the Limited Users then need to be promoted to Administrators to properly run Live Mesh, leaves me wondering how the Live Mesh team can be allowed to get away with these sorts of shortsighted and dangerous practices in 2009 inside Microsoft.

It seems that the general consensus here in this thread and with anyone who has any understanding at all of security is that what Live Mesh is doing, suggesting and requiring relates to software practices that should have died out well into last millennium and not still managed to exist almost a decade into this one!

One way around the insanity that is Live Mesh is to ensure that using GP (Server) and AppLocker (Windows 7) you disable the ability for this application to be installed and/or run on your networks. We discussed this option at the Windows 7 Launch Party at BIG last night with Jeff Alexander whilst talking about BitLocker and BitLocker To Go and security of USB keys and corporate data.
 
Regards,
 
The Outspoken Wookie
