Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Invites Security Questions

Posted by Zonk on from the what's-a-bug? dept.

daria42 writes "Microsoft is inviting ZDNet readers to submit security-related questions online to a team of Microsoft security gurus. Microsoft's Ben English and his team will take questions online until the 30th of May. A selection of questions and answers will be published by ZDNet starting from the 6th of June. Submit your questions starting now!"

7 of 259 comments (clear)

  1. Unbiased? by nizo · · Score: 5, Interesting

    If the Microsoft team gets to pick which questions are answered, I doubt this will be akin to Achilles waving his naked foot right under Paris' nose, since questions like, "Why is Microsoft's security better than Linux security?" are more likely to get answered than questions like, "When did Microsoft hire a team of security gurus?"

    --
    I Am My Own Worst Enemy
  2. What's considered a security bug? by Anonymous Coward · · Score: 5, Interesting

    This is pretty much the most basic question possible, but what do you consider to be the range of behaviors that qualify as security bugs?

    For example: do you consider features that require the user to do something insecure (like run as a local administrator) in order for that feature to work a bug? Do you consider system defaults that can cause the user to perform an action they didn't intend to do (such as launching a hostile executable) a security bug?

    If you answered "Yes" to these questions, do you consider ActiveX web browser plugin support and hiding file extensions to be security bugs? How soon will a patch be available to fix these bugs? How does the timeframe from "discovery of bug" to "fix for bug" compare to your competitors average time-to-fix for security bugs?

    Simple enough, really.

  3. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  4. Re:What I asked by dwlovell · · Score: 4, Interesting

    They are trying. Clearly the previous OS's didn't make it easy to not run as admin, but it is possible in XP, 2000 and 2003, despite a few jumps and hoops.

    See Aaron Margosis' blog on msdn.

    A choice quote:
    "My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles. Hey, y'all! We need to lead by example. People look to us for best practices, for the right way to do things. We are trying to convince the world that we are thought leaders in software and in software security. In the Unix world, they never run as root except when necessary. They "su", do what they need to do, and revert back. We are not leaders when we run as root all the time. Comrades: you need to run as "User", and your customers need to see you doing it. If you run into issues, don't add yourself back to the admins group - file a bug against the offending product. Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, "You're not setting a very good example. I am disappointed.""

    So when Longhorn is released we can see if they made good on this idea, but until then, they openly agree with you and are working towards making it the standard to not run as root.

    -David

  5. I asked by RealAlaskan · · Score: 4, Interesting
    Gates recently declared security to be ``Job One''.

    Why wasn't it a high priority from the begining, and why haven't we seen any meaningful results?

    The first part of that question is legitimate, and not flame bait.
    The second part we can almost say that about: it would at least give them the chance to boast.

    I predict we won't see an answer to either part.

    --
    See what I've been reading.
  6. My question... by cperciva · · Score: 4, Interesting
    On March 2nd, I reported to the Microsoft Security Response Center a serious flaw in the implementation of Hyper-Threading on recent Intel processors requiring operating system patches. On May 13th, FreeBSD issued a patch, and several other operating systems have followed suit since then.

    When will Microsoft issue a patch or advisory concerning this?

    Of course, most linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...
    --
    Tarsnap: Online backups for the truly paranoid
  7. Re:/. em by pg110404 · · Score: 4, Interesting

    We should show them the /. effect and send nothing but linux security questions

    And it would be just as much a waste of effort. The current design of windows is so flawed when it comes to security if microsoft actually listened to their customers, would have to revamp their entire security model in the OS breaking just about everything in windows. Microsoft is in a very tight spot right now with their design of windows and anything more than lipservice on their part would mean making a very hard decision to change the OS so fundamentally that it is not compatible with its predecessors and is something they cannot afford to do. As it stands, the security or lack of security in windows will remain for quite some time. There are tricks they can use to minimize the damage once security has been breached. For example, Upgrade the active/x layer to allow a 'read-only' mode for a given process wherein the first thing the web browser does when it starts up is to neuter itself. Whether you run IE as administrator or not, it's a safe bet that more harm than good can be done letting it run silently. By having IE issue a call to a one-way demotion of privileges, along with a 'this application is trying to do this. Enter your administrator password to override for this one time occasion', would vastly improve but not solve the security problems. With this simple trick, spyware infested web sites would have a much harder time installing their wares without you knowing about it. Again, it wouldn't solve that security problem, but it would greatly improve it.

    Then again, maybe, yeah. We SHOULD ask them how to secure our linux boxes better. At least I'd get a kick out of the reaction from the microsoft soldiers.