Stephen Toulouse - Tour around Microsoft's Security Response Center
- Posted: Jan 07, 2005 at 5:15 PM
- 169,990 Views
- 13 Comments
Download
How do I download the videos?
- To download, right click the file type you would like and pick “Save target as…” or “Save link as…”
Why should I download videos from Channel9?
- It's an easy way to save the videos you like locally.
- You can save the videos in order to watch them offline.
- If all you want is to hear the audio, you can download the MP3!
Which version should I choose?
- If you want to view the video on your PC, Xbox or Media Center, download the High Quality WMV file (this is the highest quality version we have available).
- If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality WMV file.
- If you have a Zune, WP7, iPhone, iPad, or iPod device, choose the low or medium MP4 file.
- If you just want to hear the audio of the video, choose the MP3 file.
Right click “Save as…”
- Mid Quality WMV (Lo-band, Mobile)
- WMV (WMV Video)
Who are the people on the front lines when a security problem gets disclosed? The Security Response Center. Here you get to meet those folks.
By the way, what's the proper way to let the world know about a security problem you've found? Send an email to secure@microsoft.com. This team will answer your questions and work with you.
This team also prepares all the bulletins you see on the Microsoft.com/Security site and they continue to highly recommend updating your Windows XP machine to Service Pack 2. Oh, have you tried the new anti-spyware beta that Microsoft just released?
By the way, what's the proper way to let the world know about a security problem you've found? Send an email to secure@microsoft.com. This team will answer your questions and work with you.
This team also prepares all the bulletins you see on the Microsoft.com/Security site and they continue to highly recommend updating your Windows XP machine to Service Pack 2. Oh, have you tried the new anti-spyware beta that Microsoft just released?
Comments Closed
Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation,
please create a new thread in our Forums,
or
Contact Us and let us know.
Follow the Discussion
Half-Life 2. Nifty.
Here are some from EEYE.
http://www.eeye.com/html/research/upcoming/index.html
and past ones...
http://www.eeye.com/html/research/advisories/index.html
Microsoft are extremely slow to release fixes/patches after being alerted to serious flaws. Why is this?
Extremely slow compared to what?
I saw one vulnerability on that eeye site that was several months "overdue", and they listed only one other outstanding.
Where do they get off claiming that 30 days is a standard time to expect a fix? They have no idea how long a fix could take. The problem could be really deep, or require extensive regression testing to prevent other problems created by the one "fix".
So, it comes back to the old question: Speed, Cost, Reliability. Pick two.
MS has made tremendous strides in being responsive to security concerns. No code is perfect, and they're doing a good job of patching the holes, in a reasonable time.
BTW - another great vid, guys. My 12 year old is starting to get into C9. Loves the vids and wishes she could have a 9guy.
Robert Scoble
c/o Microsoft
One Microsoft Way
Redmond, WA 98052
She's excited to get one and will send a card on Monday.
Anyway, I meant to say earlier that this is the best kind of video - visiting an entire team, walking the halls, meeting everyone. Keep these coming!
Request: The hardware teams. MS keyboard and mouse.
Which makes me think, where did the wireless broadband team go? I hope they were absorbed into other departments.
Just send me your name and address via email at rscoble@microsoft.com and I'll get two out. Thanks!
Hardware team is coming up soon!
Whoaa there wilba. I was only asking a question, not launching an inquisition.
Compared to time. Those two you saw weren't the only two in the past. There used be be many that were over 260days from being notified of the problem. Wouldn't a malious hacker find out how to exploit a system in 260+ days? I think so.
I don't know how long it would take EEYE to remove the advisory to fixed status, once the patch came out, so maybe they're a little slow.
Other software vendors have pulled it off in time. Of course we don't know if they were the same complexity. When you release an OS, when do you stop testing it for bugs? Some exploits effect all versions of MS OS's and MS has had plenty of time to look for bugs in the older OS's.
Don't get lazy because one OS might not be supported anymore. If Win2K was builtt/based on the NT kernal and that kernal has a fault, should we look into that, even though that original kernal is not supported anymore?
You can think what you like, All I'm saying is don't fob of the important issues that someone raises here. Microsoft/Channel nine has come to ask US, what we think, and that exactly what I'm doing!
PS: If software was perfect, I wouldn't have a job.
Jorgie
Nice tool
A slang term for a computer enthusiast. Among professional programmers, the term hacker implies an amateur or a programmer who lacks formal training. Depending on how it used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation. The pejorative sense of hacker is becoming more prominent largely because the popular press has co-opted the term to refer to individuals who gain unauthorised access to computer systems for the purpose of stealing and corrupting data. Hackers, themselves, maintain that the proper term for such individuals is cracker.
http://http://www.google.com/search?hl=en&lr=&oi=defmore&q=define:Hacker">http://www.google.com/search?hl=en&lr=&oi=defmore&q=define:Hacker">http://http://www.google.com/search?hl=en&lr=&oi=defmore&q=define:Hacker
bleh...
Hackers hijack Microsoft DRM - ZDNet UK News at http://news.zdnet.co.uk/communications/networks/0,39020345,39183787,00.htm
We do not "get off" on claiming that 30 days is a standard time to expect a fix. We actually think that 60 days is the timeframe for producing a fix. That is why on our upcoming advisories page we only start listing vulnerability patches as being overdue after the 60 day mark, not 30 as you incorrectly state.
If you want to get specific about it though Microsoft is actually apart of an industry group whom wrote a specificion on vulnerability reporting and vendor handling of reported vulnerabilities. Within that standard Microsoft and other companies in the industry agree that:
"The appropriate timeframe will vary from case to case, but it is important to set a target. By convention, thirty (30) calendar days (measured from the date the Vendors acknowledges receipt of the VSR to deliver of the fix) has been established as a good starting point for the discussions, as it often provides an appropriate balance between timeliness and thoroughness." [1]
So as you can see the 60 day window that eEye uses is actually *longer* than the general industry guidelines as set by Microsoft and other security companies.
Reasonable amount of time? Should take them a year to fix vulnerabilities? If you believe that then the secretly encoded brainwashing images within channel 9 productions is finally starting to pay off.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
[1] - http://www.oisafety.org/
Remove this comment
Remove this thread
close