Microsoft Opens Its Security Research Cookbooks
greg65535 writes "Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, 'We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we'll do our best to describe it here in this blog.' It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication."
Microsoft Security Protocols (Score:5, Funny)
Chapter 1.
If someone knocks on the door, use the little peep hole.
Re: (Score:2)
"Heyyy.. Is thaatt a bug?? Give me a hug..."
Re:Microsoft Security Protocols (Score:5, Insightful)
Security is about the best tool for the job and it's not always the Open Source tool, with the "street cred". When you say you're an IT professional, do you by chance mean you work for a small business, supporting other small businesses, (with pirated copies of Windows)?
No one avenue is the correct choice for security. You should choose the complete set of tools from a variety of vendors, who offer total support. Good luck getting official support with tripwire on Debian.
Cisco are a proprietary vendor - are you telling me they have no quality solutions? I suppose you don't use Symantec or another vendor's AV on your client desktops? Microsoft ISA actually offers a very robust and powerful firewalling system, for example, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network. Maybe not a polite thing to do but clearly useful in some organisations.
And while we're on it, Domains... Active Directory is a security tool in itself. Locking down desktops and client machines is a key security method and AD offers about the best way to do this on the market - I suppose you use Samba and about 500 perl scripts, instead, do you?
What utter garbage...
Re: (Score:1, Troll)
Maybe the best tool for the job is not the open source tool but it's never the tool made by MS.
>Locking down desktops and client machines is a key security method and AD offers about the best way to do this on the market - I suppose you use Samba and about 500 perl scripts, instead, do you?
X. Look it up.
Re:Microsoft Security Protocols (Score:4, Informative)
Luck has nothing to do with it. Reading the extensive list of consultants [debian.org] categorised by country on the Debian site has everything to do with it.
MOD PARENT FUNNY Re:Microsoft Security Protocols (Score:3, Funny)
Quoted for hilarity. Up to that point I thought your post was actually serious. Haven't seen a punchline that good in ages.
Re: (Score:2)
Re: (Score:2, Insightful)
The giveaway is, of course, the fact that you talk about "official" support for tripwire on Debian. Who cares whether support is official or not? What really matters is whether it's useful, and "official" is neither a necessary nor a sufficient precondition for that. But to answer my earlier question, there *are* people who cares: middle managers, th
Re: (Score:1)
HAHAHAHAHAHHAHAHAHA
You've obviously never heard of a company called "Novell".
Simple example of how different they are:
Give a person read on VOLUME_A:\USERDATA\LOCATION\DEPARTMENT\SOMETHING\SHARE at the "SHARE" folder
and they can't even see ANYTHING except that.
Using AD (NTFS rather, but since it's all one "suite" and the permissions are given to domain users) you're looking at SHARE_A, SHARE_B, SHARE_C, SHARE_D
Then in SHARE_A you can see USERDATA, DISTRIBUTION, SOFTWARE, ADMINSONL
Re: (Score:1)
Well, we use Symantec on two email machines we have. Even though the updates are current, these machines are constantly compromised. I understand that there is no such thing as perfect security, but the use of Windows and AV software doesn't seem to buy much except, perhaps, some time.
Re: (Score:1, Insightful)
Microsoft and security? Proprietary software and security? Talk about oxymorons. When I and other computer professionals think about security, we think about powerful, open source software, not closed source solutions like Microsoft's. Am I right guys?
That was actually the most fan-boyish post I have ever read on this site, in over seven years of reading, beyond any shadow of a doubt, ever. For real. I threw up a little in my mouth. No kidding.
Somewhere, even Richard Stallman is cringing.
Re: (Score:3, Funny)
BAMF! (Score:3, Funny)
An unidentified program wants to use your little peep hole.
The source and purpose of this little peep hole is unknown. Don't use the peep hole unless you have used it before or know where it's from.
CANCEL/ALLOW?
Re: (Score:1, Funny)
Would you like to:
1. Dispatch Microsoft Anti-Fun Squad. (In Soviet Russia, anti-fun squad make joke of you!)
2. Create a beowulf cluster of these
3. ???
4. Profit!
Re: (Score:2, Troll)
There is no Chapter 3.
Re: (Score:2, Redundant)
Declare Chapter 11.
Re: (Score:1)
???
Re: (Score:2)
Mod your critics as trolls on Slashdot.
Re: (Score:1)
Re: (Score:1)
The virtues of knowing what you are talking about (Score:1, Insightful)
It looks like someone has never read MS's TechNet anytime in the past 10+ years. MS has always been very open about these things, and between MSDN and TechNet, there's hardly anything I've needed to know which wasn't readily available.
Now if I were to actually have a valid complaint, I'd talk about how difficult it can sometimes be to search through that information. I've sometimes spent li
yeah but (Score:4, Funny)
That's just because they haven't found a way to launch chairs at people through the internet.
Re: (Score:2)
Re: (Score:1)
Patience... (Score:1)
Not now Kato you fool!!!!! (Score:4, Funny)
Microsoft Security Research: Do you know what kind of a bomb it was?
Clouseau: The exploding kind.
Now it's public? (Score:1)
Can we revisit the tag thing? (Score:1, Interesting)
Re:Can we revisit the tag thing? (Score:4, Funny)
- that there is a 35 character tag
- or that you took the time to count it
Re: (Score:2)
Next you'll be giving away the secrets of the all-mighty grep (hallowed be its name) to the masses.
Shame on you.
A question for Mahatma Ghandi (Score:5, Funny)
Answer: I think it would be a good idea.
Small correction.. (Score:2, Informative)
Re: (Score:1)
Re: (Score:1)
Ahh...Slashdot! (Score:1, Insightful)
It does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.
Question is: Who is being sensational here?
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
A statement of intent and two example postings is "making an effort"?
You're being very generous to a company with a long history of abandoned promises and vapourware.
How about we wait and see how they perform for a few months instead of offering immediate praise?
depends on the meaning (Score:2, Offtopic)
That depends on what the meaning of is is.
But will they release source code... (Score:5, Insightful)
Microsoft likes to throw around the word "open" a lot these days, but most smart people in the industry remain skeptical. Take, for example, what open standards advocate Russell Ossendryver has to say about Microsoft's supposed open OOXML format [fanaticattack.com]: So how open is open? Unless the code is considered open under OSI standards or Free under FSF guidelines, it's really still just a pig with lipstick and a dress.
Re:But will they release source code... (Score:4, Interesting)
Re: (Score:1)
Re:But will they release source code... (Score:5, Insightful)
When I provide code for people, projects, or even companies whose software I use, I could really give a rat's behind if it's open source or not. Sure it would be NICE but hardly REQUIRED by me at least.
If you don't like what will be done with your free labour then don't provide it, no one is forcing you to. I like people who contribute and provide their free time, but I don't like it when those same people feel that since it's so-called FREE LABOUR that they can start imposing what can and should be done with their FREE LABOUR. It just doesn't work that way.
Yes you are providing a service, yes it is welcome by the recipient and community, NO you shouldn't have a say in what way your contributions are disseminated because it was your choice to provide the service and no one else's.
I don't know about you but I provide my code because I want a better end product, not because I want it to be free in the open. If the code I provide will make my life easier then do with it as you will. Just because it's not OPEN SOURCE like you say doesn't mean that it doesn't perform any good for the community of users for software X. Besides, you wrote the stuff; unless you signed a legal waiver to your code then nothing is stopping YOU from releasing it OPEN SOURCE style.
Re: (Score:2)
Personally, I'd love access to the source code so I can better determine how systems are interacting when something goes wrong with something we paid for, but it's not necessary.
Feedback like this can help open up other avenues for troubleshooting and understanding, and working with our TAM, I've had more than one instance where something we've seen has turned into a note in one of these KBs, or has caused part of a KB to not go public.
Too nuanced? (Score:5, Insightful)
I'll tell you why...because they assume that Windows administrators are idiots. Now, I've known some stupid Windows administrators in my day, but I wouldn't go so far as to think that most of them are idiots.
Re: (Score:3, Insightful)
If they say it, thousands of customers will implement it without understanding the things that might break by removing that setting.
Then they call Microsoft for help fixing it. (Oddly enough, you'd think that would actually drive them to do this, since it would guarantee more
Re: (Score:2)
Re: (Score:2)
Well, they should know. They've been selling them those MSC* classes, so they know what quality they can expect...
Re: (Score:2)
For as long as most people are stupid and ignorant it makes sense to target the largest market.
So you have thousands of Windows administrators that can only admin, say, 5-10% of a single machine (they can't figure out the rest).
Whereas a skilled admin should be able to admin a hundred or so Windows/Linux desktops, or thousands of Linux/BSD servers.
Re: (Score:2)
Re: (Score:1)
Because you'd have to localize it in 50 different languages, and it's faster to post it once in a blog?
Re: (Score:1)
Blog tuesday! (Score:2)
Re: (Score:1)
Let ME guess. You didn't actually RTFA? Did you?
We expect to post every "patch Tuesday" with technical information about the vulnerabilities being fixed.
So what... (Score:2, Insightful)
The real problem is twofold... first, denial; for so long Microsoft (as well as many other mainstream software companies) refused to admit that there was a problem and didn't spend any time or money on the problem. This
Wireshark (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
Microsoft Opens Its Security Research Cookbooks (Score:2)
Re: (Score:2)
Openness (Score:2)
Lemme fix that for you... (Score:1)
Microsoft defines all "research" as? (Score:2)
MS can fool you into spending your free time on its blogs.
Microsoft Security Research: the first book is free.
Microsoft Security and Patch Process (Score:1)
Step 1 - Say Open Source Software is insecure and mock Linux
Step 2 - Think about security hole
Step 3 - Promise fix will be done in next service pack
Step 4 - Mock Linux a bit more and claim open source is communism
**** 5 Months later security fix
New Comments to this post are disabled..... (Score:1)
Jesus.
The reason we are insecure in the internet (Score:1)
Why... (Score:1)
Security Research (Score:1)