Microsoft Opens Its Security Research Cookbooks
greg65535 writes "Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, 'We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we'll do our best to describe it here in this blog.' It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication."
It does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.
Question is: Who is being sensational here?
Microsoft likes to throw around the word "open" a lot these days, but most smart people in the industry remain skeptical. Take, for example, what open standards advocate Russell Ossendryver has to say about Microsoft's supposed open OOXML format: So how open is open? Unless the code is considered open under OSI standards or Free under FSF guidelines, it's really still just a pig with lipstick and a dress.
I'll tell you why...because they assume that Windows administrators are idiots. Now, I've known some stupid Windows administrators in my day, but I wouldn't go so far as to think that most of them are idiots.
Microsoft isn't the only one researching vulnerabilities in their products, and in fact, if it wasn't for the effort of a lot of third-party researchers uncovering vulnerabilities, Microsoft probably wouldn't make the effort that they are just now showing us and exposing to public scrutiny.
The real problem is twofold... first, denial; for so long Microsoft (as well as many other mainstream software companies) refused to admit that there was a problem and didn't spend any time or money on the problem. This is a mindset that still needs to be addressed and was never present in open-source software development. Second, the time-to-acknowledgment has to come down. Microsoft is not making vulnerabilities that they discover public knowledge in a timely fashion to allow people who use their products to address these vulnerabilities through work-arounds and other techniques, and in fact, their approach to patch development is prioritized using marketing, not security awareness, as the primary driver behind which vulnerabilities are addressed and when.
No, you're not. This comment reads like a total troll for "big-ups".
Security is about the best tool for the job and it's not always the Open Source tool, with the "street cred". When you say you're an IT professional, do you by chance mean you work for a small business, supporting other small businesses (with pirated copies of Windows)?
No one avenue is the correct choice for security. You should choose the complete set of tools from a variety of vendors, who offer total support. Good luck getting official support with tripwire on Debian.
Cisco are a proprietary vendor - are you telling me they have no quality solutions? I suppose you don't use Symantec or another vendor's AV on your client desktops? Microsoft ISA actually offers a very robust and powerful firewalling system, for example, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network. Maybe not a polite thing to do but clearly useful in some organisations.
And while we're on it, Domains... Active Directory is a security tool in itself. Locking down desktops and client machines is a key security method and AD offers about the best way to do this on the market - I suppose you use Samba and about 500 perl scripts, instead, do you?
What utter garbage...
Somewhere, even Richard Stallman is cringing.
Except that creative spelling and the ever-dreadful "convert now or fall forever" attitude will never yield anything meaningful.
It looks like someone has never read MS's TechNet anytime in the past 10+ years. MS has always been very open about these things, and between MSDN and TechNet, there's hardly anything I've needed to know which wasn't readily available.
Now if I were to actually have a valid complaint, I'd talk about how difficult it can sometimes be to search through that information. I've sometimes spent literally hours reading through search results, and it never seems like refining the search improves the results. But MS has something in beta right now which is supposed to improve that; I haven't used it yet, however, so I can't say how good it is.
You're an idiot. What you're advocating is not security so much as covering your own arse - "nobody ever got fired for buying IBM^WMicrosoft^WCisco", basically.
The giveaway is, of course, the fact that you talk about "official" support for tripwire on Debian. Who cares whether support is official or not? What really matters is whether it's useful, and "official" is neither a necessary nor a sufficient precondition for that. But to answer my earlier question, there *are* people who care: middle managers, those that are not directly in charge of actually getting things done but that still have someone above them they have to report to. For people like that (like you?), it's indeed true: nobody ever got fired for buying Cisco and an "official" support package, even when Debian and tripwire would've sufficed.
After all, if Cisco's solution fails, you can always say that Cisco was a trustworthy brand and that you paid for your superduper platinum support package and all that, and you won't get fired. If Debian+tripwire fail? Bad luck: you've got no scapegoat left to blame, so it'll be you who takes the heat.
Smart middle managers realise this, of course, so the question is - are you lying, or are you just stupid?