Success against Cybercrime

I just read this article, "E-crime unit arrests suspected phishing gang", which shows that we are making progress in fighting cybercrime. Very good news.

Roger

Posted in Crime, Cybercrime, Government, Law Enforcement

Microsoft and Adobe: Collaboration Against Threats

You know my opinion on collaboration between countries, on public-private-partnerships as well as on collaboration between companies.

For quite a while we have run a program called MAPP – the Microsoft Active Protections Program, where we share vulnerability information with security vendors to help them get signatures out to our joint customers the moment we release a security update.

Additionally, we know from our data (see the Security Intelligence Report) that PDF is the most exploited file format. Therefore I think it is a great signal that Adobe will join the MAPP program to tighten our joint collaboration.

It is another clear signal that we are up for action to address the security challenges in the ecosystem.

Roger

Posted in Industry, Microsoft, Processes, Strategy, Trends

How to Deal With Vulnerabilities

This is always a fairly emotional theme. What is better to protect the ecosystem? Public or private disclosure? Should somebody pay for vulnerabilities or not? Is a vulnerability auction ethical or not?

I know that there are numerous views on that and I do not want to debate them here and now. What I just want to do here is to show Microsoft’s position:

For a long time Microsoft has been working with the researcher community in close collaboration, and my understanding is that the researcher community is fairly impressed with what we do, once they get the opportunity to look behind the scenes. One of the outcomes of this outreach is Bluehat – a Microsoft internal event where the researchers talk to our developers. A very interesting and insightful get-together.

When it comes to handling vulnerabilities, I guess you know the Microsoft Security Response Center – the group within Microsoft chartered with handling security vulnerabilities. The policies behind working with the researcher community are two-fold:

For me, the joint goal between researchers and vendors has to be to protect the ecosystem against the criminals. And with ecosystem I mean not only the big enterprises, which have security teams that are able to work on detailed vulnerability information, but small and medium businesses as well as consumers like my mom and dad. Therefore we think that the points above help to meet the requirements.

What are your thoughts on that?

Roger

Posted in Incidents, Microsoft, Processes

Chief Security Advisor in Sweden: Magnus is back

After my overall announcement that we are growing the community in Off to See the World, and Stuart Aston joining as the CSA in the UK, it is a great pleasure to see Magnus Lindkvist coming back. Magnus was the CSA in Sweden a few years back and has now accepted the offer to come back and re-join the community.

Welcome back Magnus!

Watch out, there are more to come :-)

Roger

Posted in Microsoft

A new Chief Security Advisor in the UK

As you have seen in my post Off to see the World, we are hiring Chief Security Advisors all over the place. The first one was announced last week: Stuart Aston was announced to take over as Chief Security Advisor in the UK.

Have a good start!

Roger

Posted in Microsoft

Secunia: Apple makes the most vulnerable software in the market today

And everybody tells me how secure they are… So, according to this article, "Secunia: Apple makes the most vulnerable software in the market today", Apple has the most vulns, then Oracle and then us (and then the rest). And you know, the interesting thing is that the comparison is not “apples with apples”, as we tend to have somewhat more products out in the market than all of them together (at least this would be my guess)…

Roger

Posted in Industry, Trends

Doing the right thing on ID management isn’t enough…

Even though it might be obvious, compliance is not only about protecting data but identities as well – and more. Jon Collins of Freeform Dynamics, whom I value highly, wrote a good article: Doing the right thing on ID management isn’t enough… – you should read it!

Roger

Posted in Cloud Computing, Industry, Trends

US Cybersecurity Research!

The Department of Homeland Security published a report, "A Roadmap for Cybersecurity Research". I was definitely impressed!

All the themes which are important to me are in their list:

  1. Scalable trustworthy systems (including system architectures and requisite development methodology)
  2. Enterprise-level metrics (including measures of overall system trustworthiness)
  3. System evaluation life cycle (including approaches for sufficient assurance)
  4. Combating insider threats
  5. Combating malware and botnets
  6. Global-scale identity management
  7. Survivability of time-critical systems
  8. Situational understanding and attack attribution
  9. Provenance (relating to information, systems, and hardware)
  10. Privacy-aware security
  11. Usable security

It is great to see that this goes in the right direction! The key will be when the research delivers results.

Roger

Posted in Government, Industry, Trends

Blocking Social Networks? Think Again…

You know that I am not a big fan of blocking social networks within enterprises for different reasons. I just read an article on this subject based on a study by Trend Micro. One of the conclusions in the article is:

Trying to just prevent users accessing social networks from work could potentially increase the risk to an organization as users look for ways around computer security possibly increasing the chance of exposure to security threats.

False sense of security…

Roger

Posted in Industry, Social Media

Support for Windows XP SP2 ends today!

I just wanted to remind you: the support for Windows XP SP2 ends today. I hope that this does not catch you by surprise. If you need all the information about which kind of support ends when for which product, please consult our Lifecycle page. If you have a Premier Support contract with us, your Technical Account Manager should inform you as well.

But what does that really mean? You can find this information on the Windows website: What does it mean if my version of Windows is no longer supported?

Roger

Posted in Microsoft, Products