Posted By: The Channel 9 Team | Jan 7th, 2005 @ 5:15 PM | 168,921 Views | 13 Comments
Who are the people on the front lines when a security problem gets disclosed? The Security Response Center. Here you get to meet those folks.

By the way, what's the proper way to let the world know about a security problem you've found? Send an email to secure@microsoft.com. This team will answer your questions and work with you.

This team also prepares all the bulletins you see on the Microsoft.com/Security site, and they continue to strongly recommend updating your Windows XP machine to Service Pack 2. Oh, and have you tried the new anti-spyware beta that Microsoft just released?
Any news on the recent and still unpatched Windows holes? I heard that two out of the three also affect XP SP2.
dnrfan
nektar wrote:
Any news on the recent and still unpatched Windows holes? I heard that two out of the three also affect XP SP2.

Here are some from EEYE.

http://www.eeye.com/html/research/upcoming/index.html

and past ones...

http://www.eeye.com/html/research/advisories/index.html

Microsoft are extremely slow to release fixes/patches after being alerted to serious flaws. Why is this?
dnrfan wrote:

Microsoft are extremely slow to release fixes/patches after being alerted to serious flaws. Why is this?


Extremely slow compared to what?

I saw one vulnerability on that eeye site that was several months "overdue", and they listed only one other outstanding.

Where do they get off claiming that 30 days is a standard time to expect a fix? They have no idea how long a fix could take. The problem could be really deep, or require extensive regression testing to prevent other problems created by the one "fix".

So, it comes back to the old question: Speed, Cost, Reliability. Pick two.

MS has made tremendous strides in being responsive to security concerns. No code is perfect, and they're doing a good job of patching the holes, in a reasonable time.

BTW - another great vid, guys. My 12 year old is starting to get into C9. Loves the vids and wishes she could have a 9guy. Wink
scobleizer
Kosher, have her send me a postcard and I'll send her a 9Guy.

Robert Scoble
c/o Microsoft
One Microsoft Way
Redmond, WA 98052
Thanks, Scoble. I didn't want to be greedy and ask for two for the same house, not that mine is here yet. I've sent 2 postcards and two emails and the 9guy still doesn't want to come to Philly. At first I thought maybe he had a bad experience here before and doesn't want to come, but now I'm beginning to suspect my mailman. Wink

She's excited to get one and will send a card on Monday.

Anyway, I meant to say earlier that this is the best kind of video - visiting an entire team, walking the halls, meeting everyone. Keep these coming!

Request: The hardware teams. MS keyboard and mouse.
Which makes me think, where did the wireless broadband team go? I hope they were absorbed into other departments.
scobleizer

Just send me your name and address via email at rscoble@microsoft.com and I'll get two out. Thanks!

Hardware team is coming up soon!

dnrfan
KosherCoder wrote:
Extremely slow compared to what?
I saw one vulnerability on that eeye site that was several months "overdue", and they listed only one other outstanding.

Whoa there, wilba. I was only asking a question, not launching an inquisition.

Compared to time. Those two you saw weren't the only two in the past. There used to be many that were over 260 days from being notified of the problem. Wouldn't a malicious hacker find out how to exploit a system in 260+ days? I think so.

I don't know how long it would take EEYE to remove the advisory to fixed status, once the patch came out, so maybe they're a little slow.

KosherCoder wrote:
Where do they get off claiming that 30 days is a standard time to expect a fix? They have no idea how long a fix could take.

Other software vendors have pulled it off in time. Of course we don't know if they were the same complexity. When you release an OS, when do you stop testing it for bugs? Some exploits affect all versions of MS OSes, and MS has had plenty of time to look for bugs in the older OSes.

Don't get lazy because one OS might not be supported anymore. If Win2K was built/based on the NT kernel and that kernel has a fault, should we look into that, even though that original kernel is not supported anymore?

You can think what you like; all I'm saying is don't fob off the important issues that someone raises here. Microsoft/Channel 9 has come to ask US what we think, and that's exactly what I'm doing!

PS:  If software was perfect, I wouldn't have a job.


Jorgie
We all know they are in a catch-22. If they release too soon and there is even a small problem, they get slammed. If they do the necessary regression testing, it takes time and they get slammed. Nice.

Jorgie
Microsoft Communities