Slashdot Mirror


Microsoft Opens Its Security Research Cookbooks

greg65535 writes "Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, 'We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we'll do our best to describe it here in this blog.' It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication."

23 of 87 comments

  1. Microsoft Security Protocols by andy314159pi · · Score: 5, Funny

    Microsoft Opens Its Security Research Cookbooks

    Chapter 1.

    If someone knocks on the door, use the little peep hole.

    1. Re:Microsoft Security Protocols by RuBLed · · Score: 2, Funny

      in cases where there is no peep hole, get the tower shield provided to you during the orientation...

    2. Re:Microsoft Security Protocols by Anonymous Coward · · Score: 5, Insightful

      No, you're not. This comment reads like a total troll for "big-ups".

      Security is about the best tool for the job and it's not always the Open Source tool, with the "street cred". When you say you're an IT professional, do you by chance mean you work for a small business, supporting other small businesses, (with pirated copies of Windows)?

      No one avenue is the correct choice for security. You should choose the complete set of tools from a variety of vendors, who offer total support. Good luck getting official support with tripwire on Debian.

      Cisco are a proprietary vendor - are you telling me they have no quality solutions? I suppose you don't use Symantec or another vendor's AV on your client desktops? Microsoft ISA actually offers a very robust and powerful firewalling system, for example, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network. Maybe not a polite thing to do but clearly useful in some organisations.

      And while we're on it, Domains... Active Directory is a security tool in itself. Locking down desktops and client machines is a key security method and AD offers about the best way to do this on the market - I suppose you use Samba and about 500 perl scripts, instead, do you?

      What utter garbage...

    3. Re:Microsoft Security Protocols by uglyduckling · · Score: 3, Informative

      Good luck getting official support with tripwire on Debian.

      Luck has nothing to do with it. Reading the extensive list of consultants categorised by country on the Debian site has everything to do with it.

    4. Re:Microsoft Security Protocols by Anonymous Coward · · Score: 2, Insightful

      You're an idiot. What you're advocating is not security so much as covering your own arse - "nobody ever got fired for buying IBM^WMicrosoft^WCisco", basically.

      The giveaway is, of course, the fact that you talk about "official" support for tripwire on Debian. Who cares whether support is official or not? What really matters is whether it's useful, and "official" is neither a necessary nor a sufficient precondition for that. But to answer my earlier question, there *are* people who care: middle managers, those that are not directly in charge of actually getting things done but that still have someone above them they have to report to. For people like that (like you?), it's indeed true: nobody ever got fired for buying Cisco and an "official" support package, even when Debian and tripwire would've sufficed.

      After all, if Cisco's solution fails, you can always say that Cisco was a trustworthy brand and that you paid for your superduper platinum support package and all that, and you won't get fired. If Debian+tripwire fail? Bad luck: you've got no scapegoat left to blame, so it'll be you who takes the heat.

      Smart middle managers realise this, of course, so the question is - are you lying, or are you just stupid?

  2. yeah but by User+956 · · Score: 4, Funny

    It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

    That's just because they haven't found a way to launch chairs at people through the internet.

    --
    The theory of relativity doesn't work right in Arkansas.
  3. Not now Kato you fool!!!!! by Picass0 · · Score: 3, Funny

    Microsoft Security Research: Do you know what kind of a bomb it was?
    Clouseau: The exploding kind.

  4. BAMF! by Torodung · · Score: 2, Funny

    Chapter 2!

    An unidentified program wants to use your little peep hole.

    The source and purpose of this little peep hole is unknown. Don't use the peep hole unless you have used it before or know where it's from.

    CANCEL/ALLOW?

  5. A question for Mahatma Ghandi by knorthern+knight · · Score: 5, Funny

    Question: Mr. Ghandi, what do you think of Microsoft security?

    Answer: I think it would be a good idea.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user

  6. Re:Ahh...Slashdot! by robo_mojo · · Score: 2, Insightful

    It does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.

    That depends on what your definition of "is" is.
  7. But will they release source code... by christian.einfeldt · · Score: 4, Insightful
    ...in exchange for all of the help that they get? Probably not. Seeing that most developers want their free labor to at least result in open source code, I can't imagine that this effort is going to be all that popular with the best developers.

    Microsoft likes to throw around the word "open" a lot these days, but most smart people in the industry remain skeptical. Take, for example, what open standards advocate Russell Ossendryver has to say about Microsoft's supposed open OOXML format:

    The legacy binary formats remain closed. If a file is one which was converted from an older format of Microsoft Office by DIS29500 and allowed to wrap the old file in xml, it remains unreadable for everyone else. OOXML is still a closed spec tied into too many proprietary formats.

    So how open is open? Unless the code is considered open under OSI standards or Free under FSF guidelines, it's really still just a pig with lipstick and a dress.

    1. Re:But will they release source code... by El+Royo · · Score: 4, Interesting

      There are different types of open. Your point is hardly at all related to the article. Just revealing some of their process will no doubt be very useful to developers who also develop code that needs to be secured. Also, providing more details on vulnerabilities might be useful to people who are protecting corporate networks. Obviously, what you meant is that this effort won't be popular with the best developers with a chip on their shoulders.

      --
      Author of Enyo: Up and Running from O'Reilly Media

    2. Re:But will they release source code... by nrgy · · Score: 5, Insightful

      Ugh I hate to defend Microsoft but I have to be one to disagree with you.

      When I provide code for people, projects, or even companies whose software I use, I could really give a rat's behind if it's open source or not. Sure it would be NICE but hardly REQUIRED by me at least.

      If you don't like what will be done with your free labour then don't provide it, no one is forcing you to. I like people who contribute and provide their free time, but I don't like it when those same people feel that since it's so-called FREE LABOUR they can start imposing what can and should be done with their FREE LABOUR. It just doesn't work that way.

      Yes you are providing a service, yes it is welcome by the recipient and community, NO you shouldn't have a say in what way your contributions are disseminated because it was your choice to provide the service and no one else's.

      I don't know about you but I provide my code because I want a better end product, not because I want it to be free in the open. If the code I provide will make my life easier then do with it as you will. Just because it's not OPEN SOURCE like you say doesn't mean that it doesn't perform any good for the community of users for software X. Besides, you wrote the stuff; unless you signed a legal waiver to your code then nothing is stopping YOU from releasing it OPEN SOURCE style.

  8. Too nuanced? by morgan_greywolf · · Score: 5, Insightful

    There is actually another mitigating factor present here that we didn't include in the bulletin because we could not authoritatively say that it was true in every case. The vulnerable code path only executes if your machine has a primary DNS suffix. Most of the time, only domain-joined machines have a primary DNS suffix. So it would have been great to say in the bulletin: "Machines not joined to a domain are safe" but that is not 100% accurate so we did not include that. Technically, an administrator could manually set a primary DNS suffix on a non-domain-joined machine. Okay...

    We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced.

    How, exactly, is this 'too nuanced'? Why not just say "if your machine doesn't have a primary DNS suffix, you are not vulnerable"?

    I'll tell you why...because they assume that Windows administrators are idiots. Now, I've known some stupid Windows administrators in my day, but I wouldn't go so far as to think that most of them are idiots.

    1. Re:Too nuanced? by TheSkyIsPurple · · Score: 2, Insightful

      I can kinda understand it though... I've had to fight off more than my share of "We should do this because Microsoft says so" from the technical management (who don't have the time to take a nuanced understanding of the issue at hand)

      If they say it, thousands of customers will implement it without understanding the things that might break by removing that setting.
      Then they call Microsoft for help fixing it. (Oddly enough, you'd think that would actually drive them to do this, since it would guarantee more partner hours to burn off)

      (Yes, we have a parallel dev and test environment before things go production, but there is no way that blackbox testing for the scope we deal with is going to catch all of even the most glaring of issues. You have to actually know what's going on, and understand how things interact. Wanna disable the DHCP client on your statically assigned server? careful... might screw up DNS a couple weeks from now when things start expiring.)
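The mitigating condition quoted in the parent post (the vulnerable code path runs only when the machine has a primary DNS suffix, which a non-domain-joined machine can still have if an administrator set one by hand) is something you can check on each host before deciding whether it is exposed. This is an added, read-only example and not code from Microsoft's post or from anyone in this thread; it assumes the standard Tcpip\Parameters registry values (`Domain`, `NV Domain`, `SyncDomainWithMembership`) and the Win32_ComputerSystem CIM class, and it changes no settings, which matters given the breakage the reply above warns about when settings are removed blindly.

```powershell
# Added example (not from the Microsoft post or this thread): report whether this
# host meets the "no primary DNS suffix" mitigating condition, and flag the
# exception case the bulletin could not rule out (suffix set manually on a
# machine that is not domain-joined). Read-only: nothing is modified.

$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$params = Get-ItemProperty -Path $tcpip

# 'Domain' is the effective primary DNS suffix; 'NV Domain' is the configured
# (non-volatile) value. SyncDomainWithMembership = 1 means the suffix follows
# domain membership instead of a manual setting. Missing values read as "".
$effectiveSuffix  = [string]$params.Domain
$configuredSuffix = [string]$params.'NV Domain'
$syncWithDomain   = ($params.SyncDomainWithMembership -eq 1)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$result = [pscustomobject]@{
    ComputerName            = $cs.Name
    DomainJoined            = [bool]$cs.PartOfDomain
    EffectivePrimarySuffix  = $effectiveSuffix
    ConfiguredPrimarySuffix = $configuredSuffix
    SyncWithMembership      = $syncWithDomain
}

# Map the three situations the post describes onto an assessment. The
# assessment is only as good as the post's own caveat: a suffix present
# means "treat as exposed and patch", not "certainly exploitable".
if ([string]::IsNullOrEmpty($effectiveSuffix)) {
    $assessment = 'No primary DNS suffix: per the post, the vulnerable code path should not execute here.'
} elseif ($result.DomainJoined) {
    $assessment = 'Domain-joined with a primary DNS suffix: treat as exposed; apply the update.'
} else {
    $assessment = 'Not domain-joined but a primary DNS suffix is set: the exception case the bulletin could not rule out; treat as exposed.'
}

$result | Add-Member -MemberType NoteProperty -Name Assessment -Value $assessment
$result | Format-List
```

Run it in an elevated session on each host (or wrap it in Invoke-Command for a fleet) and keep the output as the record of why a given machine was or was not patched first.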

  9. So what... by krycheq · · Score: 2, Insightful

    Microsoft isn't the only one researching vulnerabilities in their products, and in fact, if it wasn't for the effort of a lot of third-party researchers uncovering vulnerabilities, Microsoft probably wouldn't make the effort that they are just now showing us and exposing to public scrutiny.

    The real problem is twofold... first, denial; for so long Microsoft (as well as many other mainstream software companies) refused to admit that there was a problem and didn't spend any time or money on the problem. This is a mindset that still needs to be addressed and was never present in open-source software development. Second, the time-to-acknowledgment has to come down. Microsoft is not making vulnerabilities that they discover public knowledge in a timely fashion to allow people who use their products to address these vulnerabilities through work-arounds and other techniques, and in fact, their approach to patch development is prioritized using marketing, not security awareness, as the primary driver behind which vulnerabilities are addressed and when.

  10. Wireshark by cibyr · · Score: 3, Interesting

    Anyone else find it interesting that they had screenshots from Wireshark (previously known as Ethereal) on the page?

    --
    It's not exactly rocket surgery.

    1. Re:Wireshark by daveb · · Score: 2, Informative

      It's actually a Network Monitor screenshot (Netmon), not Wireshark. They look similar but they aren't the same thing. I prefer Wireshark myself, but I know a couple of people who have converted to Netmon for sniffing wireless on Vista.

  11. Re:Can we revisit the tag thing? by corychristison · · Score: 3, Funny

    I dunno what's worse:
    - that there is a 35 character tag
    - or that you took the time to count it

  12. Re:Ahh...Slashdot! by ozmanjusri · · Score: 2, Insightful
    it definitely is the case that Microsoft *is* making an effort...not just looking like.

    A statement of intent and two example postings is "making an effort"?

    You're being very generous to a company with a long history of abandoned promises and vapourware.

    How about we wait and see how they perform for a few months instead of offering immediate praise?

    --
    "I've got more toys than Teruhisa Kitahara."

  13. Re:Efforts and real change. by willyhill · · Score: 2, Insightful

    Except that creative spelling and the ever-dreadful "convert now or fall forever" attitude will never yield anything meaningful.

    --
    The twitter monologues. Click on my homepage and be amazed.

  14. Small correction.. by Sam+the+Nemesis · · Score: 2, Informative

    Not being anal, but it is Gandhi and not Ghandi

  15. MOD PARENT FUNNY Re:Microsoft Security Protocols by asuffield · · Score: 2, Funny

    Microsoft ISA actually offers a very robust and powerful firewalling system, for example, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network.

    Quoted for hilarity. Up to that point I thought your post was actually serious. Haven't seen a punchline that good in ages.