Slashdot Mirror


Microsoft Security Whitepaper

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

20 of 269 comments

  1. is it ALL white? by BFedRec · · Score: 4, Funny

    cause the oxymoronic nature of using MS and Security in the same vicinity... one would think it's just an all white blank sheet of paper.

    1. Re:is it ALL white? by Fruny · · Score: 4, Funny

      one would think it's just an all white blank sheet of paper.
      No, I believe it comes triple-thickness, extra soft unscented rolls.

    2. Re:is it ALL white? by Lost+Dragon · · Score: 5, Funny

      No, no, silly. It's white text on a white background. That's part of their security layer.

  2. they by AnonymousCowheart · · Score: 5, Funny

    they recently published the bug list too

  3. No Problem by Anonymous Coward · · Score: 3, Funny

    However, the document does open a window on how...

    Sounds like someone needs to switch to Mozilla to avoid these annoying pop-ups! ;)

  4. Microsoft is insecure? I never saw that coming! by Qweezle · · Score: 1, Funny

    My goodness, you would have never thought that the maker of such *cough* secure operating systems such as the rock-solid Windows 95, the one the kiddies love, Windows ME("Mommy it's made just for ME!"), and the interface that only a 3 year old Teletubbies addict could navigate through, Microsoft Windows XP!.

    Seriously, though. If Microsoft was a car, every time you went over a speed bump the radiator would dislodge.


    hit me with a rimshot scottie!

    *Bah-dum swish!*

  5. World Domination? by SuperBanana · · Score: 3, Funny

    to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data.

    What about World Domination plans? Are those Highest Value data class? Or Really Highest Value?

    I have a friend who now works for Apple, and they had training on the various classifications of stuff - I forget what any of the acronyms were, but they were pretty oddly named. I fully expected a bunch of troopers dressed in titanium and perfectly polished clear plastic(hopefully Ti in the, uh, right places) to come storming through the door to erase my brain after being told of such things.

    Oh crap- maybe they DID!

  6. Poor old closed-source paradigm by FunWithHeadlines · · Score: 2, Funny

    "MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code "

    Poor Microsoft, still stuck in the old paradigm of closed-source software. Oh sure, it's been a profitable paradigm for them, but those days will gradually erode as the trend toward Free and Open Source continues over the years ahead. Meanwhile Microsoft is stuck spending mega-bucks and lots of time trying to protect themselves from having anyone actually...gasp...see the source code. Horrors!

    ROFL!

  7. Sounds about right by SargeZT · · Score: 3, Funny

    Microsoft hit the nail on the head this time! Its security is as strong as white paper.

    --
    And why did you staple the trout to the RAM?

  8. Twisting a quote... by psifishdot · · Score: 2, Funny

    [A] successful attack will occur that could compromise the High Value and/or Highest Value data class.

    Hey, even without all the security holes this would happen! Let me re-define some terms to my liking.
    A successful attack: Linux on more machines.
    High Value data class: Microsoft's stock price.
    Highest Value data class: Bill's bank account.

    See, if you twist a quote out of context, it can mean whatever you want!

    --

    Long live Schrodinger's cat...

  9. It has to be said... by Anonymous Coward · · Score: 1, Funny

    >MS's admission that 'there is a medium to high probability that within the next year,
    >a successful attack will occur that could compromise the High Value and/or Highest Value data class.'
    >According to the document, that includes things such as source code or human resources data."

    Microsoft's source code has "highest value"?

    1. Re:It has to be said... by Anonymous Coward · · Score: 1, Funny

      Sorta the same way that the Diebold machine's code does.

  10. Horrors indeed. by Fruny · · Score: 4, Funny

    Meanwhile Microsoft is stuck spending mega-bucks and lots of time trying to protect themselves from having anyone actually...gasp...see the source code. Horrors!

    Have you considered that the masses should actually be protected from Microsoft's source code ? You wouldn't want your neighbours to become stark raving lunatics after having been confronted with the lovecraftian abomination that is Hungarian Notation, would you ?

    Trust me my friend, there exists Code Man Was Not Meant to Read. Microsoft is dutifully protecting reality as we know it. We should be thankful.

  11. What I want to know by boatboy · · Score: 3, Funny

    How can they afford all the Licenses?

  12. All about the cycles eh? by BWJones · · Score: 2, Funny

    .....and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process.

    Hrmmmm. Kinda like their upgrade cycles. :-)

    --
    Visit Jonesblog and say hello.

  13. Easy by Mistlefoot · · Score: 4, Funny

    It's easy for them to afford 65,000 licences.

    They sell them to themselves as a loss. Therefore using them as a tax deduction twice - once for the loss and once for the cost......and if the loss is great enough they might even make a profit!

  14. No Patch Policy by VirtuaKnight · · Score: 2, Funny

    "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network." Does this include the policy, "Do NOT patch MySQL servers, so we can get infected by the Blaster Worm again."

  15. licensing costs by b17bmbr · · Score: 2, Funny

    damn, 300,000 desktops, 4200 servers. holy crap, they have to pay a ton in license fees. i wonder if they have looked to open source alternatives. well, maybe they bought software assurance.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.

  16. 65K Smart Cards by Nom+du+Keyboard · · Score: 2, Funny

    deployment of 65,000 smart cards

    You'll be getting a letter from Direct TV's lawyers Monday morning.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."

  17. Re:get real this is your life by jeisc · · Score: 2, Funny

    Cheers from paris france!
    To base security on secrecy is a losing game.
    All secrets become public one day or another.
    Supposedly god knows it all.
    So all who know god have the secret.
    In the corporations you have those with access to the secret
    and the others those who do not have the access.
    Upper and lower classes of employees,
    the elite and their mass controlled by their needs,
    And implementing a clever behavior, understanding these needs.
    Being successful in business requires fulfilling these needs,
    first in the enterprise and next with their clients small and large.

    We must understand,
    that we live no longer in the united states,
    nor in france,
    nor in dollar land ,
    nor in gi joe's land,
    today we live in sm\bill's ms land.
    So this publishing of ms source code,
    would put all the world an even chance.

    Publishing the code source for microsoft would be
    a sure way to see how much unix code is still under the hood in ms,
    is ibm thinking of asking a search and compare on the kernel code source .
    #compare (
    "unix-os-source-tree" ,
    " linux-os-source-tree,
    bsd-os-source-tree,
    ibm-os-source-tree,
    sun-os-source-tree,
    mac-os-source-tree,
    ms-os-source-tree"
    )
    > sco-trial.txt;


    sorry for wasting the bandwidth!

    --
    This is a test!