Forgot your password?
typodupeerror

Microsoft Opens Its Security Research Cookbooks 87

Posted by Soulskill
from the now-cook-me-up-some-pie dept.
greg65535 writes "Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, 'We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we'll do our best to describe it here in this blog.' It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication."
This discussion has been archived. No new comments can be posted.

Microsoft Opens Its Security Research Cookbooks

Comments Filter:
  • by andy314159pi (787550) on Thursday December 27, 2007 @10:37PM (#21836134) Journal

    Microsoft Opens Its Security Research Cookbooks

    Chapter 1.

    If someone knocks on the door, use the little peep hole.
    • Re: (Score:3, Funny)

      by RuBLed (995686)
      in cases where there is no peep hole, get the tower shield provided to you during the orientation...
    • BAMF! (Score:3, Funny)

      by Torodung (31985)
      Chapter 2!

      An unidentified program wants to use your little peep hole.

      The source and purpose of this little peep hole is unknown. Don't use the peep hole unless you have used it before or know where it's from.

      CANCEL/ALLOW?
    • by Anonymous Coward

      It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

      It looks like someone has never read MS's TechNet anytime in the past 10+ years. MS has always been very open about these things, and between MSDN and TechNet, there's hardly anything I've needed to know which wasn't readily available.

      Now if I were to actually have a valid complaint, I'd talk about how difficult it can sometimes be to search through that information. I've sometimes spent li

  • yeah but (Score:4, Funny)

    by User 956 (568564) on Thursday December 27, 2007 @10:41PM (#21836162) Homepage
    It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

    That's just because they haven't found a way to launch chairs at people through the internet.
  • by Picass0 (147474) on Thursday December 27, 2007 @10:54PM (#21836234) Homepage Journal

    Microsoft Security Research: Do you know what kind of a bomb it was?
    Clouseau: The exploding kind.
  • Don't give out new ideas.
  • by Anonymous Coward
    Why is it that people feel the need to put in 35 character long tags? Isn't that defeating the purpose of it all?
  • by knorthern knight (513660) on Thursday December 27, 2007 @11:06PM (#21836308)
    Question: Mr. Ghandi, what do you think of Microsoft security?

    Answer: I think it would be a good idea.
  • Ahh...Slashdot! (Score:1, Insightful)

    by bogaboga (793279)

    It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

    It does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.

    Question is: Who is being sensational here?

    • Re: (Score:2, Insightful)

      by robo_mojo (997193)

      t does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.
      That depends on what your definition of "is" is.
    • Re: (Score:3, Insightful)

      by ozmanjusri (601766)
      it definitely is the case that Microsoft *is* making an effort...not just looking like.

      A statement of intent and two example postings is "making an effort"?

      You're being very generous to a company with a long history of abandoned promises and vapourware.

      How about we wait and see how they perform for a few months instead of offering immediate praise?

  • It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

    That depends on what the meaning of is is.
  • ...in exchange for all of the help that they get? Probably not. Seeing that most developers want their free labor to at least result in open source code, I can't imagine that this effort is going to be all that popular with the best developers.

    Microsoft likes to throw around the word "open" a lot these days, but most smart people in the industry remain skeptical. Take, for example, what open standards advocate Russell Ossendryver has to say about Microsoft's supposed open OOXML format [fanaticattack.com]:

    The legacy binary formats remain closed. If a file is one which was converted from an older format of Microsoft Office by DIS29500 and allowed to wrap the old file in xml, it remains unreadable for everyone else. OOXML is still a closed spec tied into to many proprietary formats.
    So how open is open? Unless the code is considered open under OSI standards or Free under FSF guidelines, it's really still just a pig with lipstick and a dress.
    • by El Royo (907295) on Thursday December 27, 2007 @11:39PM (#21836474) Homepage
      There are different types of open. Your point is hardly at all related to the article. Just revealing some of their process will no doubt be very useful to developers who also develop code that needs to be secured. Also, providing more details on vulnerabilities might be useful to people who are protecting corporate networks. Obviously, what you meant is that this effort won't be popular with the best developers with a chip on their shoulders.
    • by rhenley (1194451)

      it's really still just a pig with lipstick and a dress
      That's a funny way to spell Steve Ballmer...
    • by nrgy (835451) on Thursday December 27, 2007 @11:51PM (#21836520) Homepage
      Ugh I hate to defend Microsoft but I have to be one to disagree with you.

      When I provide code for people, projects, or even companies who's software I use, I could really give a rats behind if its open source or not. Sure it would be NICE but hardly REQUIRED by me at least.

      If you don't like what will be done with your free labour then don't provide it, no one is forcing you to. I like people who contribute and provide there free time, but I don't like it when those same people feel that since its so called FREE LABOUR that they can start imposing what can and should be done with there FREE LABOUR. It just doesn't work that way

      Yes you are providing a service, yes it is welcome by the recipient and community, NO you shouldn't have a say in what way your contributions are disseminated because it was your choice to provide the service and no one else's.

      I don't know about you but I provide my code because I want a better end product, not because I want it to be free in the open. If the code I provide will make my life easier then do with it as you will. Just because its not OPEN SOURCE like you say doesn't mean that it doesn't perform any good for the community of users for software X. Besides you wrote the stuff, unless you signed a legal waver to your code then nothing is stopping YOU from releasing it OPEN SOURCE style.
    • We're not all developers out here.

      Personally, I'd love access to the source code so I can better determine how systems are interacting when something goes wrong with something we paid for, but it's not necessary.

      Feedback like this can help open up other avenues for troubleshooting and understanding, and working with our TAM, I've had more than one instance where something we've seen has turned into a note in one of these KBs, or has caused part of a KB to not go public.
  • Too nuanced? (Score:5, Insightful)

    by morgan_greywolf (835522) on Thursday December 27, 2007 @11:27PM (#21836410) Homepage Journal

    There is actually another mitigating factor present here that we didn't include in the bulletin because we could not authoritatively say that it was true in every case. The vulnerable code path only executes if your machine has a primary DNS suffix. Most of the time, only domain-joined machines have a primary DNS suffix. So it would have been great to say in the bulletin: "Machines not joined to a domain are safe" but that is not 100% accurate so we did not include that. Technically, an administrator could manually set a primary DNS suffix on a non-domain-joined machine.
    Okay...

    We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced.
    How, exactly, is this 'too nuanced'? Why not just say "if your machine doesn't have a primary DNS suffix, you are not vulnerable"?

    I'll tell you why...because they assume that Windows administrators are idiots. Now, I've known some stupid Windows administrators in my day, but I wouldn't go so far as to think that most of them are idiots.

    • Re: (Score:3, Insightful)

      I can kinda understand it though... I've had to fight off more than my share of "We should do this because Microsoft says so" from the technical management (who don't have the time to take a nuanced understanding of the issue at hand)

      If they say it, thousands of customers will implement it without understanding the things that might break by removing that setting.
      Then they call Microsoft for help fixing it. (Oddly enough, you'd think that would actually drive them to do this, since it would guarantee more
      • by emurphy42 (631808)

        you'd think that would actually drive them to do this, since it would guarantee more partner hours to burn off
        You're assuming they aren't already churning out as many partner hours as they have the manpower to handle.
    • because they assume that Windows administrators are idiots

      Well, they should know. They've been selling them those MSC* classes, so they know what quality they can expect...
    • by TheLink (130905)
      It is a fair assumption, most of them aren't very smart (and why should they need to be?) and are usually ignorant.

      For as long as most people are stupid and ignorant it makes sense to target the largest market ;). Works for politicians, works for Microsoft.

      So you have thousands of windows administrators that can only admin say 5-10% of a single machine (they can't figure out the rest).

      Whereas a skilled admin should be able to admin hundred or so windows/linux desktops, or thousands of Linux/BSD servers.
    • by rolfc (842110)

      Most of the time, only domain-joined machines have a primary DNS suffix

      I tend to set a primary DNS suffix on all my machines, windows as well as linux, seem to me that the only domains that count at Microsoft is Windows-domains. I am not surprised that they tend to break all kind of things.
    • by Krishnoid (984597)
      Why not just say "if your machine doesn't have a primary DNS suffix, you are not vulnerable"?

      Because you'd have to localize it in 50 different languages, and it's faster to post it once in a blog?

    • by dilipm (1189981)
      Well said on this one. I work for a Storage Major as a Support Specialist. Yesterday i had a client ask me what a "OU" (Organizational Unit) was in the Active Directory, when i asked her to change some security credentials on the OU for your CDP solution to work. Guess what her email Signature Reads "Storage Architect - Windows" :-( People like these are the ones that come around here bashing Microsoft. While Microsoft in itself is no hero in security the advancements in terms of security they made has bee
  • Let me guess, the blog only gets updated on the second tuesday of every month [wikipedia.org]?
    • by caferace (442)
      Let me guess, the blog only gets updated on the second tuesday of every month?, Hahahahhahahaa. Not.

      Let ME guess. You didn't actually RTFA? Did you?

      We expect to post every "patch Tuesday" with technical information about the vulnerabilities being fixed. .

  • So what... (Score:2, Insightful)

    by krycheq (836359)
    Microsoft isn't the only one researching vulnerabilities in their products, and in fact, if it wasn't for the effort of a lot of third-party researchers uncovering vulnerabilities, Microsoft probably wouldn't make the effort that they are just now showing us and exposing to public scrutiny.

    The real problem is twofold... first, denial; for so long Microsoft (as well as many other mainstream software companies) refused to admit that there was a problem and didn't spend any time or money on the problem. This
  • Wireshark (Score:3, Interesting)

    by cibyr (898667) on Friday December 28, 2007 @12:05AM (#21836586) Journal
    Anyone else find it interesting that they had screenshots from Wireshark (previously known as Ethereal) on the page?
    • Re: (Score:3, Informative)

      by daveb (4522)
      It's actually a network monitor screenshot (netmon) not wireshark. They look similar but they aren't the same thing. I prefer wireshark myself, but I know a couple of people who have converted to netmon for sniffing wireless on vista
  • Aren't Easy-Bake Ovens fun!
    • I'd be wary of EZ-Bake ovens that work akin to "push a few buttons and sometimes it just randomly blows up". Outside of KOL, that is.
  • It makes me so glad that anyone can read the source code for the OS I use. I don't know how I would get by if one company was the only trusted agent to decide whether some issue was too "nuanced" for me to know about. I don't know how people get through the day running that stuff.
  • "It looks like Microsoft is making an effort to appear more 'open' in the area of security research and communication."
  • Marketing.
    MS can fool you into spending your free time on its blogs.
    Microsoft Security Research: the first book is free.
  • Security hole discovered:
    Step 1 - Say Open Source Software is insecure and mock Linux
    Step 2 - Think about security hole
    Step 3 - Promise fix will be done in next service pack
    Step 4 - Mock Linux a bit more and claim open source is comunism
    **** 5 Months later security fix
  • What a COMMUNITY! I log into the new MS R&D Blog and I cannot read the comments nor can I post.

    Jesus.
  • Because most connections are in the clear and unencrypted. If you encrypt, you would be much more secure. Period.
  • Why does MS's "Security Cookbook" look like an 8-Ball with a little window in the bottom?
  • Thank God that there is someone on our side in this, the little peoples, who don't have all the money, it make me feel good that freedom is working.

Man is the best computer we can put aboard a spacecraft ... and the only one that can be mass produced with unskilled labor. -- Wernher von Braun

Working...