10 Years of Trustworthy Computing at Microsoft
Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines: Oh, you are joining a desktop company? ...
10 Reasons to migrate off Windows XP
I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000. Just after we realized that the Year-2000-Problem was handled very well by the industry. How you used technology, how you used the Internet, the ...
Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security
A long title but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we now achieved three things: Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards. Office 365 is the first and only major ...
Cybersecurity–More than a good headline
A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is, that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.
This made us thinking about what is needed to run a successful Cybersecurity Agenda within a country? What themes ought to be ...
Is Security Research Ethical? By Roger Halbheer, on May 22nd, 2008 Shoaib’s blog actually pointed me to a pretty interesting article called Face-Off: Is vulnerability research ethical? – Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View. Not surprisingly Bruce says “yes” and Marcus says “no”. If you read through their points, you might even agree partly with each of them:
- Bruce Schneier: Yes, newly discovered vulnerabilities in software and airports put us at risk, but they also give us more realistic information about how good the security actually is. And yes, there are more and less responsible–and more and less legal–ways to handle a new vulnerability. But the bad guys are constantly searching for new vulnerabilities, and if we have any hope of securing our systems, we need the good guys to be at least as competent.
- Marcus Ranum: Trust model? What’s that? The so-called vulnerability “researchers” are already sharpening their knives for the coming feast. If we were really interested in making software more secure, we’d be trying to get the software development environments to facilitate the development of safer code–fix entire categories of bugs at the point of maximum leverage.
But to me, this is the wrong question: It is not so much about security research. To me it is about two things:
- Once you find a security vulnerability, what do you do with it? Do you do responsible or irresponsible disclosure?
- And then, what does the vendor do with it? Does the company act on it? And does it provide security updates for free over the support lifecycle of a product? The following quote from Marcus scars me: The vulnerability game has given vendors a fantastic new way to lock in customers–if you stop buying maintenance and get off the upgrade hamster wheel, you’re guaranteed to get reamed by some hack-robot within six months of your software getting out of date.
That’s really bad if vendors make money selling security updates…
Roger
Related posts:
- Security Pros ignoring their own message
Leave a Reply
|
|
|
