Slashdot Mirror


Interview With Microsoft's Chief of Security

Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks. /. readers might find it interesting. They can find it here."

6 of 245 comments

  1. The obvious full disclosure question by Wizard+of+OS · · Score: 2, Offtopic
    The question that will be asked by a zillion people: what is your (personal) opinion on the full disclosure issue? Let me phrase that more specifically with an example: the latest security bug concerning the download of possibly malicious code by IE, when the download box shows a different file type. When this was originally posted on Bugtraq, the advisory was very limited in details; to quote one of his replies on this matter:

    Some details needed for reproducing and exploiting the flaw were left
    out of my posting because there is no good workaround or a patch
    available, and the flaw could be quite easily used maliciously. Using
    those details it would be relatively easy to create a worm that infects a
    system when a user "opens" a plain text file from an infected website,
    for instance. For the same reason there wasn't any test page URL included
    in my posting. That, and technical details will be published later.


    Unfortunately for those who oppose full disclosure, the issue was discussed on Bugtraq, which finally led to the details of the vulnerability. This means that the Microsoft-supported way of disclosing bugs (do issue an advisory, but do not publish any details that could be used in creating exploits) apparently didn't work out. Of course, there was a (small) delay, but eventually everybody knew about it before the patch was released.

    My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits from being made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public.

    --
    If code was hard to write, it should be hard to read
  2. Mod me down please by Wizard+of+OS · · Score: 3, Offtopic

    Okay, wrong reply (Yes, I scanned the article and saw the words 'microsoft' 'security' 'ask' 'question' and 0 comments, started typing like a wildman to be the first to type an intelligent question ... and realised just a bit too late that it wasn't a call for questions).

    Please mod me down before too many people notice my dumbness :)

    --
    If code was hard to write, it should be hard to read
    1. Re:Mod me down please by Wizard+of+OS · · Score: 2, Offtopic

      Now what did I ask? I'm actually being modded UP as 'insightful'

      *sigh*

      --
      If code was hard to write, it should be hard to read
    2. Re:Mod me down please by dagashi · · Score: 0, Offtopic

      jesus christ... talk about expert karma wh0ring.
      what is that? 15 karma points in 7 minutes?
      i've got a total of 16 and that's taken me 8 months damnit!"#%&/()/&%
      NOW MOD HIM DOWN

  3. Congratulations! by r_j_prahad · · Score: 2, Offtopic

    You're going to hit the 50 point karma cap with three off-topic posts in a row.

    Splendid, man, splendid.

    1. Re:Congratulations! by Spy+Hunter · · Score: 1, Offtopic
      Wow, it's a moderation frenzy!

      Gimme my points, I want some too!

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}