Visiting Microsoft HQ to talk security: what should I ask?

I’m off to America! Some tin-pot little IT start-up called Microsoft has invited me to visit their headquarters in Redmond, Washington (pictured) to find out what they’re doing about security, and in particular their Trustworthy Computing initiatives.

Now if you’re a crusty old network administrator like me, you may think that “Microsoft” and “security” in the same sentence is an oxymoron. A decade ago I was building Linux-based firewalls and, like so many people doing the same, I referred to Windows-based computers as “the targets”. And certainly the vast majority of the world’s malware is targeted at Windows.

But I’ve always though that the simplistic “Windows is bad, m’kay” was a bit, well, simplistic. Information security isn’t just about the technology, it’s also about people. Human factors are also the weakest link. And over the years I’ve found that people who throw around those tired platform-wars slogans usually aren’t up to date when it comes to the things they love to hate.

So, I’m off to Redmond later this month to spend three days with some of Microsoft’s engineers and developers, including briefing sessions with senior executives from Microsoft’s Trustworthy Computing Group.

There’s a lot to cover here, so what should I be looking at, do you think? The security of Windows Server, or Windows 7, or of Microsoft’s cloud services? Privacy issues? The fight against foreign governments, criminals and child abusers? Viruses and malware? Identity and authentication? What? You tell me!

What are some of the hard questions I should be asking?

Some of what I do will end up in a special edition of the Patch Monday podcast, and I’m also doing a “Letter from Redmond” for Crikey‘s “Letter from…” column. And I’ll be looking for more writing opportunities.

Dear Editors and Producers, is there anything you’d like me to research and write about? Please let me know if you’d like me to pitch some stories.

I’ll be flying out of Sydney on Monday 24 May, and will be in Redmond from Tuesday to Thursday that week, Seattle time. And yes, Microsoft is paying for the airfares, meals and accommodation, so there’s your journalistic disclosure.

[Photo: Microsoft’s Redmond Campus, looking east, courtesy Microsoft Inc.]

12 Replies to “Visiting Microsoft HQ to talk security: what should I ask?”

  1. Sounds like you’ll have fun!

    I’m curious about the nature of Microsoft’s increasing level of partnership with Facebook, particularly the moves to incorporate document sharing etc. How do they aim to address concerns about data security in light of Facebook’s more open/less private user data arrangement?

  2. @Paris: Interesting point. Security is always a trade-off with convenience. If you lock your front door to reduce the risk of burglary, the trade-off is the inconvenience of having to remember your keys and to fiddle with locks before you can enter. However the idea that security is a trade-off against privacy — that to be secure the systems administrators have to be able to see all your data — is starting to fade. In its place, we’re hearing more about good security working hand in hand with privacy. In part, this has been fuelled by the change in the threat landscape, where personally identifiable information (PII) is the attackers’ goal.

    Facebook, by it’s very nature and purpose, encourages people to be open with their personal information. As a result, it becomes much, much easier for people to build a personal profile which can be used to target an attack. Their newest features make it even worse, by encouraging people to log into other sites using their Facebook credentials. And while this can be secure if done properly, it takes a trained eye to know when the dialog box you’re being presented with is genuine or not.

  3. Ask them how Microsoft Security Essentials….

    (which is free) compares to the security solutions of commercially available products such as MacAfee, Trend Micro and the like and why it is that security essentials isn’t installed by default with Windows installations and Microsoft Internet Explorer.

    My understanding was that Microsoft intended this to be the case but that there was fierce opposition from those who profit from selling security solutions.

    How good is Microsoft Security Essentials ?

  4. Flights have been booked. I fly out of Sydney at lunchtime on Monday 24 May, taking a Qantas Airbus A380-800 to Los Angleles, then changing to an Alaska Airlines Boeing 737-400 to Seattle.

    @Bob Bain: That question is perhaps better put to neutral assessors, not the people who make the product. But certainly what’s called “end-point security”, that is, the security of the individual users’ machines is something I’ll be looking at. I have a particular interest in how small and SOHO businesses deal with this because they don’t have dedicated IT staff.

  5. I have noticed more Program Installers, Driver Installers etc. trying to send packets to Verisign (or the relevant Digital Certificate Issuer) ever since the File Security warning was implemented in to Windows XP (and Vista after reading link below).
    This link kind of explains it

    Just what ramifications does this kind of procedure have for open source software in the future? They will be forced to buy a Digital Certificate or face having their program crippled within the OS?
    Will there be a future Windows OS that will not accept a software package unless it has been Signed?
    Will this procedure also be enforced upon any Open Source OS’s?

    I haven’t had time to completely research this phenomenon properly, i read about your trip to Redmond and this was one of the things that stood out to me the most.

  6. Short and sharp – given Microsoft’s impending (and delayed) launch of their Mobile 7 platform, what sort of attention have they focused on platform and data security? Given their track record of security with Windows (which is much to do with its popularity rather than obvious weaknesses, to be fair), have they found a need to focus any extra attention on securing their mobile platform from attacks? Are they confident the ‘usual measures’ are enough? Or are have they designed a ‘social communication’ platform that they don’t see as a rewarding target for hackers?

  7. The question has been asked, am I looking at enterprise security, or SME, or consumer-level or what? The short answer is, all of the above. I’ll be spending three full days at Redmond, and will be meeting people from all over. I hope to be able to post the schedule next week some time.

  8. I have noticed that a majority (excluding Rocky Heckman) of their security team in Australia are sales rather then knowledge focused.

    Is this because a majority of Australian corporates are less mature than the USA?

    I am aware that there are several advanced people from Australia (independent of Microsoft) who have presented at their BlueHat event.

  9. @Kim: I didn’t post anything here, but I did produce media items.

    The event was more about giving journalists background material than breaking stories.

Comments are closed.