
|
 Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Microsoft MVP SecuritySummit thread Microsoft is hosting a handful of Security MVPs for a mini Security Summit in Redmond this week, and I figured we needed a thread to talk about it. I hope the others that are going will check in (though we're all staying at the same hotel: we ought to run into each other now and then).
Unlike the Global MVP Summit in the spring (thread here), which had ~2000 participants, this one is much smaller, maybe 50 or 60. This is limited to security topics and MVPs, and from the rough agenda I've seen, it should be interesting.
I think there is nearly no chance that we'll see Bill Gates (bummer), but our host will be Mike Nash, the VP of the Security Business & Technology Unit.
Microsoft always takes good care of us: we're having dinner at the Space Needle on Tuesday night. It doesn't start until tomorrow, but I'm sure that some of us will post our experiences. I expect that Blake ( Link Logger ) will post pics again.
Off to the airport...
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site | |
|   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Re: Microsoft MVP SecuritySummit thread I'm here 
My experience so far is, great Mexican dinner with lots of handsome bodyguards all to myself again (for tonight anyway);)
AND picked up two new victims of browser hijacks on the trip up that have my email addy for help in removing the scum -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) | |
|  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Re: Microsoft MVP SecuritySummit thread said by CalamityJane :I'm here  My experience so far is, great Mexican dinner with lots of handsome bodyguards all to myself again (for tonight anyway);) AND picked up two new victims of browser hijacks on the trip up that have my email addy for help in removing the scum Just be careful next time when you yell out I am an expert hijacker. We don't want you making Christmas decorations with Martha. 
»forum.gladiator-antivirus.com/up···2277.jpg -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ | |
|  |  |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | Re: Microsoft MVP SecuritySummit thread Yeah, you gotta watch that lingo in airports for sure!  | |
|   MapleLeaf Premium join:2001-09-04 Burnaby, BC | Have a great trip, guys, and come back with interesting stories for all of us  -- Remember, I'm pulling for you - we are all in this together... | |
|   hpguru Curb Your Dogma Premium join:2002-04-12 | You guys better put duct tape over your mouths to protect you from security threats.  -- How long till your job gets exported to Shanghai??? | |
|   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| OK, we're here: shuttles ran from the hotel to the Microsoft Conference Center, and we're gathering in the St. Helens room. There are maybe 50 MVPs snarfing down breakfast and going through our swag bags (a nice portfolio, a USB flash drive, some books) and meeting each other. There may be more Microsofties than there are MVPs.
First thing will be the keynote from Mike Nash, a VP of security, and many of us have worn "Mike Nash Blue" shirts - apparently it's some kind of thing he's known for, so many of us have played along with this little joke.
We're having sessions on spam/phishing/sender ID (about the latter I intend to ask some questions about "licensing"), network access security, spyware ( CalamityJane is looking forward to that one!) and IE.
Tonight we're going to dinner at the Space Needle, and I brought my binoculars. It's been a very nice crowd so far.
And CalamityJane looks great today 
Off to the opening session...
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site | |
|  |   jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ | Re: Microsoft MVP SecuritySummit thread "And CalamityJane looks great today" Letch!!!:D | |
|  |   jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| Ooooh, Space Needle! 
Did Blake make it? Do we get night shots over Seattle from the Space Needle? Will Mt. St. Helens blow while you're up there? . . . Film at 11!
And, one question I forgot to ask on the MVP summit: Does MS subsequently put up any of the presentations or Q&A sessions afterwards somewhere on their website? -- Regards, Joseph V. Morris | |
|  |  |   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| Re: Microsoft MVP SecuritySummit thread I am here and have my camera with me and I should have gotten pictures of the fight we just had over spam mail during a presentation by Manav Mishra, it was great. Microsoft is working on it, but they did take some heat over limitations, but those limitations are in very difficult areas. They did bring a number of team members from their anti-spammer group as they did want to hear what was said and they got it. Workgroups to follow on this topic, which boxing gloves will be handed out in.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
|  |  |  |   jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| Re: Microsoft MVP SecuritySummit thread Blake,
You guys just hang in there and say what you feel needs to be said, as you see it. That'll work just fine. We sort of look on those of you (from BBR/DSLR) as being our reps in this Conclave and we know you'll do what you can to the best of your abilities.
It's fun to hear about the freebies, the dinners, and (eventually) the parties, but I think we all know that you're all working hard on these issues. That will do quite nicely.
And if Mt. St. Helens blows, well . . . -- Regards, Joseph V. Morris | |
|  |  |   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
1 edit | Weather forecast from the North West. Extreme warm front will be moving out from Redmond at 1pm local time as the topic of discussion will be IE. Body armour will be available as this one will be lively for sure.
Anything that anyone wants brought up besides the obvious?
Edit -> after 45 years Blake is still learning English as his first language...
Blake | |
|  |  Reverend Ike Premium join:2001-08-24 Sacramento, CA
| Re: Weather Forecast - IE warm front said by Link Logger :... after 45 years Blake is still learning English as his first language ... Good thing Babelfish has that Canadianese to English translation option ... | |
|  |  |   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| Re: Weather Forecast - IE warm front said by Reverend Ike : ... after 45 years Blake is still learning English as his first language
Either that or it was the 6:30am start here today, as typically I don't do mornings...
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
|   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Just got back from an extended lunch: though I'm a Security MVP, I have been recruited by the print/imaging group as a "secondary competence", so they took me to lunch. I also write printer software, so it was nice to touch base.
I have been taking tons of notes, and I hope to write a ton of stuff much later tonight on what we covered. Most of what we've heard has been very good, though I might have a snotty thing or two to say about the Sender-ID licensing debacle.
Microsoft put all of the Powerpoint slides on the 128MB USB flashdrive, so I'll have material to reference 
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site | |
|  |  |  |  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Well, our time at the Space Needle was great. Two busses took us and our Microsoft hosts there, and we spent an hour on the observation deck up at the top: it was very clear, though I never managed to make it outside to really revel in it.
After an hour we headed back down to dinner, and we had assigned seating. They alternated "MVP" with "Microsoftie", and I sat next to the guy who gave a talk about their vulnerability assessment software. Great group of people.
So I'll try to recap the day. We covered a lot of material, and I wish to be clear that I am not pretending to be the stenographer: I made more notes on things I am interested in, and I certainly will leave things out.
We started out with a talk from Mike Nash, a corporate VP of security, and pretty much at the top of the food chain for this entire group. It wasn't so much technical as it was giving the overview of how Microsoft "gets it" about security. It's fair to take exception with particular products, technologies, or initiatives, but I believe that it's hard to make the case that Microsoft has not gotten religion about security.
Mike recounted a fun story: about two years ago, he and a camera crew went to the Pike Place Market - a place in downtown Seattle - to ask people what they thought about computer security: I thought of it like doing "Jaywalking".
So this was about 9 months after 9/11, and the cops noticed them at work and approached them.
Cop: What are you doing?
Mike: We're doing a video about security
Cop: No you're not
So they had to pack up and go elsewhere. It was funny to hear the reactions from two years ago on how people trust their computers, and the best answer was "I don't worry about it, I have a Mac" 
Throughout this post, keep in mind that Microsoft is dealing with an enormous range, from "home users" to "enterprise users": it should not be such a surprise that running 200,000 systems (as one of our MVPs does) brings up issues that home and small business users don't even dream about.
After the Blaster worm, he ended up being the official corporate punching bag, with customers giving him 30-minute rants for 12 hours at a time for several months. I am sure I would not have wanted his job then, and this reinforced something we got at the Global Summit in April: Blaster was a watershed event at Microsoft, doing more than anything else to get them with the program.
One of the real-world issues they have heard about is the firewall before XP/SP2: many have thought that the firewall sucked, having too little configuration granularity, and he relayed a story that exhibited how much of a mess this was.
In the old days, users connecting to the Microsoft network via VPN were required to have the firewall enabled, but those inside the network had to have it disabled so you could get to local resources (fileserver, printers, etc.).
This means that if you're at home and want to print your email, these were your steps:
* enable firewall
* connect VPN
* open email in outlook
* disconnect VPN
* disable firewall
* print to local printer
* enable firewall
* reconnect VPN
* do more email stuff
This is the kind of lousy real-world user experience that helped inform them on how to do a better job.
Again, Mike was not so much giving tech details as a bigger roadmap, and it was a pretty good message.
Next was a session on Phishing/SPAM/Sender-ID, though we didn't end up getting anything about Phishing (that was covered in a later session). I think we all know how lousy the spam problem is, and he covered the steps that Hotmail is taking to combat spam and how this is being leveraged elsewhere.
There are five broad approaches to cutting down spam:
1) Heuristics: rules of thumb
2) Rules-based: specific keywords ("Make money fast!")
3) Machine learning: Bayesian filtering
4) Signature-based: like A/V, look for known spam
5) Community based: I vote that msg X is spam, it's filtered for you
Hotmail's "SmartScreen" is a combination of several of the above and ends up dumping an astonishing amount of spam every day.
They have a very large number of Hotmail users that have volunteered to help rate email: periodically, they are shown one of their own emails and asked "is this spam?", and the results help inform the global filters.
This really does require large amounts of input, because not everybody calls spam the same thing. That periodic email you get from Amazon.com (that you signed up for!) is not "spam" just because you changed your mind in the same way that "We offer Vi@gra for less" is spam.
Where this gets interesting is in Outlook 2003: the spam filters there will use the SmartScreen filters to help make it better. It will (with permission!) update the filters periodically, and it's gotten really rave reviews.
The user can maintain personal white and black lists, as well as choose to reject (say) email from .ru (Russia) or those with Cyrillic (Russian) character encoding. It's really comprehensive.
Then the discussion of Sender-ID, which is filtering for mailservers and domains. The oversimplified description: if I own unixwiz.net, I can publish - in DNS - the list of IP addresses that are allowed to send email as that domain.
When your mailserver receives email purporting to be from unixwiz.net, it can see if the source IP is on the approved list. There are three cases:
1) unixwiz.net publishes SPF data, IP matches
2) unixwiz.net publishes SPF data, IP does not match
3) unixwiz.net doesn't have any SPF data
Case #1 means "it really is coming from unixwiz.net", and though it doesn't mean "not spam", it does increase accountability in that you can more easily know that the sender is who he says he is.
Case #2 is the easy one: it's spoofed, and should be dumped.
Case #3 means we simply don't know anything about the sender, so we have to go through all the usual checks.
There is a bit more to it than this, of course, but that wasn't where it got heated. It was on licensing.
Microsoft is offering a royalty-free license for this technology, but the terms are such that it requires nearly everybody to get individual licenses with Microsoft. The open-source people have soundly rejected this, and I am pretty much in that camp.
I happen to not be an open-source nutcase (who will find fault with anything Microsoft does), I believe in intellectual property, and generally like Microsoft, but I think they have made an enormous mistake here.
If they are trying to protect some legitimate interest, where not doing so would cost them something big, then I'd be OK with it, but so far nobody has been able to say what interest is being protected. There still may be one (so I have a slightly open mind), but in my book and in that of many, it's just "the same old proprietary Microsoft."
I cannot believe how embarrassingly lame and stupid this is. Oh well, they didn't ask me.
Anyway, the next segment was on the SCW (Security Configuration Wizard) found in Win2003 server SP1, and though I don't do that much with big enterprises, it was well received. The ability to rollback a security policy that (presumably) didn't work got a lot of kind words.
Then vulnerability assessment tools, and it started with the MBSA (Microsoft Baseline Security Analyzer). This runs on your machine and looks for "stuff" that is insecure: missing patches, empty admin password, etc. I am chagrined to say that I have never run it, but CalamityJane raves about it.
One of the problems people run into is that different tools give different answers for what patches are required: Windows Update and MBSA don't agree, so who do you believe? They agreed that this was a mess, and things are in the works to make this problem go away. It's encouraging.
Then we broke for lunch, and I left the conference center to join the printing/imaging team, which was unrelated to any of my Security work.
I missed the first hour of the presentation on IE, but the ~10 minutes I saw seemed like PR and was not that interesting.
Then the session I was looking forward to: Network Access Protection. Enterprise users take note!
The idea is that a network administrator ought to have the right to know the state of every machine on his network, and NAP supports this.
Oversimplified description: if a computer on a network is "unhealthy" (A/V out of date, missing patches, bad security configuration, etc.), it gets a restricted view of the network, with access only to a few machines that let it get fixed (update A/V, get patches, etc.). Only when the machine is healthy is it given full access.
This will be particularly helpful for laptops: the idiot VP of sales gets infected while on the road, but he doesn't get to infect the rest of the company when he goes back to the office.
But this is all about "mechanism", not "policy", so the Microsoft platform only lets the IT admin set the rules for the local network. It seems to me that getting the rules tuned not quite right means that every second Tuesday of the month, everybody gets locked out once the new patches arrived (e.g., everybody is out of date at the same time).
Parts of this are available now with RAS and wireless, but it won't be until Longhorn that this is supported in the big picture.
The guy who was supposed to give this presentation was sick, so we got a business-y guy as a fill-in who had never seen the slides before. I was prepared to be disappointed, but he did an outstanding job. Was completely up to speed on the big picture, never BS'd or spun, just a great save.
More info at »www.microsoft.com/nap
The last presentation was on Spyware, and CalamityJane was totally in her element. The speaker was fantastic even though Microsoft's big picture is not nearly as compelling as we'd like it to be.
He talked about what makes spyware "spyware", and he did a very good job of showing that it's not always so clear-cut how to define things.
If software is changing your computer settings, is it "spyware"? What if it's a tweak-tool that you downloaded so you can fool with your desktop?
If software is secretly monitoring what a user does, is it "spyware"? What if it's parental-control software installed by Mom to watch the kids?
If software makes a modem call to establish an internet connection, is it "spyware"? What if it's "your ISP software" (as opposed to a porn dialer)?
The definition they used was "Programs that perform certain behaviors without appropriate user consent", and he really presented this whole thing well.
Clearly spyware is really bad news, and their crash-reporting data suggests that one third of XP crashes are linked to spyware, and some non-trivial percentage of all support calls are due to this. I'm sure that the OEMs (Dell, HP, etc.) are singing a similar song.
Where the song was not so happy was how to deal with current issues. There are sticky legal issues about Microsoft uninstalling software that might be desired ("Microsoft out to crush iWon.com"), and it really didn't look like there was much beyond XP/SP2.
I believe that XP/SP2 is a huge win, but it's not helping get rid of CoolWebSearch: More than one person whined and begged for help and tools on this. Thankfully, our very own queen of spyware was able to corner some key people and get a useful dialog going. I'm encouraged that she'll get somewhere.
This ended the official part of the day, so we chatted a while with the sponsors of the MVP program, and then headed out to dinner.
They had a lovely open bar, and I ran into the hottie from the Security Response Center (Terri) that I shared dinner with at the Global MVP Summit in April - this was a pleasant surprise. I told her "I called you a hottie on BroadbandReports", and she said "and like 1000 people didn't send me that" 
It was a good, but very long, day, and I'm about ready to crash. We are on the bus tomorrow at 7:15 for another day, and I hope to report again in the evening.
Good night.
Steve -- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site | |
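The three sender-check cases from the recap above, worked through in Python as an added example that is not part of the original post or any Microsoft code. It evaluates only the `ip4`, `ip6` and `all` terms of an SPF record against a source IP; the TXT records, the `.example` domains and the function names are constructed for illustration, and no DNS lookup is performed.

```python
"""Offline sketch of the check described in the recap: a domain publishes,
in DNS, the IP ranges that are allowed to send mail as that domain."""
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (not real records).
# 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_TXT = {
    "unixwiz.net": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "softfail.example": ["unrelated txt data", "v=spf1 ip4:198.51.100.7 ~all"],
    "nospf.example": ["site-verification=constructed"],
}

# SPF qualifier prefix -> result when the term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf_record(txt_records):
    """Return the one v=spf1 record, or None when the domain publishes none."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) > 1:
        # More than one SPF record is a publishing error, not a match.
        raise ValueError("multiple SPF records published")
    return spf[0] if spf else None


def evaluate(record, source_ip):
    """Walk the terms left to right; the first term that matches decides."""
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, redirect etc. need live DNS; out of scope here.
            raise NotImplementedError(f"term not covered offline: {term}")
    return "neutral"                         # nothing matched, no 'all' term


def check_sender(domain, source_ip, dns_txt=SAMPLE_TXT):
    """Map a claimed sender domain and connecting IP to an SPF-style result.

    "pass"  -> case 1: data published, IP matches
    "fail"/"softfail" -> case 2: data published, IP does not match
    "none"  -> case 3: no data, fall back to the usual spam checks
    """
    record = find_spf_record(dns_txt.get(domain.lower(), []))
    if record is None:
        return "none"
    return evaluate(record, source_ip)


if __name__ == "__main__":
    for dom, ip in [("unixwiz.net", "192.0.2.25"),
                    ("unixwiz.net", "203.0.113.9"),
                    ("nospf.example", "192.0.2.25")]:
        print(dom, ip, check_sender(dom, ip))
```

The `~all` record shows why case 2 is not always a hard reject in practice: the publishing domain chooses how strongly a mismatch should count.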
|   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| Ok so here are a couple of pictures (unedited) from today as it was a long busy day (7am - 10pm). NOTE I'm using a CoolPics 990 and I will be the first to say the flash is weak. There are at least three DSLReport folks in these pics, can you spot/name them all?
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
|  |  |   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| Let's try a little rotation at least.
Blake | |
|   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| There are Security MVPs from all over the world here, and most of them despite the jet lag were slugging it out with the rest of us. And once again Microsoft proved they know how to chuck a great little party.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
|   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| This is a geek festival and the conversation is pretty hard hitting as pretty well everyone here has earned their battle scars and don't pull punches when letting Microsoft know what is working and what isn't. Want to get this crowd frothing at the mouth, try to dazzle them with marketing fluff and they will happily shred any marketing guys. You talk tech and know your stuff or die a horrible death.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
|   Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| So on the bus trip to and from the Space Needle I decided to do a little war driving/busing and get an idea as to how 'open' Seattle was for wireless. I must admit they are certainly better than Calgary as very few wireless systems were in default configuration, not to say they were all locked down, but I would suspect that a system where the SSID has been changed and is still yet open, is meant to be open. Tip of the hat to Seattle as they are doing a heck of a lot better than Calgary for example when it comes to wireless awareness.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
|  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Re: Microsoft MVP SecuritySummit thread Wear your tinfoil hats when you have din din in the Speakeasy up in that SpaceNeedle..last time I had a late breakfast there..not only got dizzy I lost track of my stool coming back from the powder room.:)
Wireless net to cover downtown Seattle
»seattlepi.nwsource.com/business/···y10.html -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ | |
|  |  |   John2g Qui Tacet Consentit Premium join:2001-08-10 England
| Re: Microsoft MVP SecuritySummit thread said by Name Game : I lost track of my stool coming back from the powder room.:) No wonder you looked "flushed"  -- Better to remain silent and be thought a fool, than to speak and remove all doubt. | |
|  |  |  |  B Premium,MVM join:2000-10-28
| Re: Microsoft MVP SecuritySummit thread said by John2g : said by Name Game : I lost track of my stool coming back from the powder room.:) Please tell us that doesn't mean what it sounds like...
-- B -- In a realm outside causality and function | |
|  |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
2 edits | Re: Microsoft MVP SecuritySummit thread said by B : said by John2g : said by Name Game : I lost track of my stool coming back from the powder room.:) Please tell us that doesn't mean what it sounds like... -- B It was just a hair ball " Out of the box " .. but I finally found my bearing rattling around in the SP2 level. They need better IFRAME supports in that tower. Next thing you know it will be natural for everyone to be blowing in the wind.
That first step is a doozie.  -- Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ | |
|  |  |  |  |   jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA | Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it?  -- Regards, Joseph V. Morris | |
|  |  |  |  |  |   John2g Qui Tacet Consentit Premium join:2001-08-10 England
| Re: Microsoft MVP SecuritySummit thread said by jvmorris :Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it? It  -- Better to remain silent and be thought a fool, than to speak and remove all doubt. | |
|  |  |  |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
1 edit | Re: Microsoft MVP SecuritySummit thread said by John2g : said by jvmorris :Look, if you guys wanna say that NG is typically anal-retentive, then why not just come out and say it? It I resemble that remark  -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|  |  |  |  |  |  |  |  |  |  |  |  |   jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
| Re: Microsoft MVP SecuritySummit thread said by dp : I just love John's unique sense of humor, this place wouldn't be the same without him  Of course, some of his remarks take a lot of deep thought to sink in. Keeps us all sharp. I agree and love John's humor too. It just kind of grabs you at times and at others...really makes you cock your head and think "did he really say that?". | |
|  |  |  |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Just trying to keep Security very Slurryous..we have a great bunch of folks representing us there at the Summit..they work hard..deserve the break..and I can not think of a better mix to have the wisdom and the tenacity to make their voices heard..they do us all proud. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ | |
|  |   WFO Premium join:2001-08-27 San Ramon, CA
| said by CalamityJane :Well,I had some great one-on-one chats afterwards with a few MS execs about the "spyware" (hijack) issues and they are not only interested as in *Yeah*, but not only yeah.....but *HELL yeah!* CJ forgot to mention that she had her bull whip in hand and only got the "hell yeahs!!!" with each crack of the whip. LOL.;) | |
|  |  |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Re: Microsoft MVP SecuritySummit thread said by WFO : CJ forgot to mention that she had her bull whip in hand and only got the "hell yeahs!!!" with each crack of the whip. LOL.;) You can bet on that, but they have already deployed - so I didn't really need a bullwhip this trip....just hollered a lot. They are already on it and I'm just giving them info as fast as I can from OUR perspective 
Meanwhile, Steve has continued this thread there (small technical error). Go here to follow it 
»SecSummit notes for Wednesday -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) | |
|  |  |  |   sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs: | Re: Microsoft MVP SecuritySummit thread Gotta love that shirt Steve was wearin. | |
|   jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ | What a neat thread. Not only the information but the photos. Thanks, guys, for sharing with us all. | |
 | |  |
|