Former MS Security Strategist Joins Mozilla 248
Handset writes "Former Microsoft security strategist Window Snyder is joining Mozilla to lead the company's effort to protect its range of desktop applications from malicious hacker attacks. eweek.com reports that Snyder, who was responsible for security sign-off for Microsoft's Windows XP Service Pack 2 and Windows Server 2003, will spearhead Mozilla's security strategy and improve its communications with external hackers and bug finders."
I can't wait to see this thread... (Score:5, Insightful)
So... (Score:5, Insightful)
Re:As long as she replaces the useless Asa Dotzler (Score:3, Insightful)
Someday you might realize that you don't define a great security system by how much you have to patch gaping holes in it.
First Of All, Congrats (Score:5, Insightful)
So the security world used to be pretty hostile to MS, before, you know, XPSP2, MSRC got taken seriously, etc. Window showed up before all of that, and pretty much took our abuse year in, year out. And then...things got better.
She'll deny any direct cause and effect there, but she was _the_ interface between Microsoft and the various security cons for quite some time, and I think at least some of the reason we got certain concessions (like 24 hour response time out of MSRC) is that she was there to hear people say things like "I dunno, why should I warn MS, they're just gonna sit on it anyway."
Firefox is not without problems (understatement). I'm looking forward to seeing what Window can accomplish w/ Mozilla.
Re:First Of All, Congrats (Score:4, Insightful)
Yeah sure it did. Keep smoking the doobie.
At least.... (Score:3, Insightful)
Window is great, but MS security still miserable (Score:5, Insightful)
So the security world used to be pretty hostile to MS, before, you know, XPSP2, MSRC got taken seriously, etc.
Used to be? Maybe you see a different view of them when they hire you for security consulting and fly you out for their Blue Hat conferences and such. But from my outsider perspective, Microsoft is still a security disaster. Not only have we continued to see hundreds of serious vulnerabilities throughout 2006, but MS has in many cases made us wait weeks or months before patching widely exploited bugs. Heck, another actively exploited MS Office vulnerability [seclists.org] was just discovered in the wild. If we're lucky, MS will cough up a patch on September 12, otherwise they'll probably leave users vulnerable until the next "patch Tuesday" on October 10.
Meanwhile, Microsoft recently re-issued MS06-042 with a fix for a vulnerability introduced by their first attempted fix. And they openly admit [seclists.org] that they excluded eEye from the advisory credits because eEye embarrassed MS by making their incompetence public. MS is more interested in petty vendetas against researches than actually fixing the flaws.
Microsoft has made a few positive steps toward securing their products in that last couple of years, but I think most of their efforts and successes are more in the PR realm than anything with technical merit. They have spent so much money sponsoring conferences (their money does come with strings attached) and paying off security researches, that many people seem reluctant to criticize them.
OK, enough anti-MS ranting from me for now :). My main point in
replying is actually to agree with you about Window. She is extremely
smart and talented, and her defection to Mozilla is great news for a
product which really needs more security
attention. We had lunch last week to discuss Mozilla security and Window has some great ideas. Mozilla may already be much more secure than IE, but we should set a much higher bar than that! Best of luck at your new position, Window!
-Fyodor
Insecure.Org [insecure.org]
Re:As long as she replaces the useless Asa Dotzler (Score:1, Insightful)
There is such a thing as image. (Score:3, Insightful)
MS has an image problem when it comes to security, it is a problem of their own making, acknoledged by Mr Gates himself and experienced day in day out with their prodcuts by IT professionals.
Dig a bit deeper and you realize that security is still not properly realized in MS products. AD is a mess waiting to get worst for example.
I don't care how wonderful SP2 was, that is a drop in an ocean of incompetence and procastination.
I don't know what the Mozilla organization was thinking. Sometimes you have to take care of the PR situation as well as the technical side of things. Anybody that has worked recently around security in MS products will carry a credibility problem, specially in a highly visible position.
I am sure that this lady is bright, intelligent and all what his pals say lovingly about her, but she brings with her a credibility problem which becomes all too evident when one reads all the comments on this thread (which are mostly bad jokes, but that drive the same point home: we can't believe it).
Lets hope that this is a good move, but I think people should be excused for the healthy doses of skepticism.