Microsoft Opens Its Security Window

Microsoft has decided to post a new blog from their security vulnerability research and assessment team. It’s new, so there isn’t much there yet, but this is a huge step for Microsoft on the road to full disclosure.

Full disclosure is vitally important to security. Last August, Bruce Schneier had the opportunity to hound the TSA about it, and Bruce would know. He’s a cryptologist and a security expert.

In cryptography, it’s commonly accepted that an encryption algorithm that isn’t available for public consumption and consideration isn’t worth using. If it weren’t for full disclosure of cryptographic algorithms, we wouldn’t be aware of a potential NSA backdoor in a current encryption algorithm. If not for full disclosure, we wouldn’t have reason to know that Blowfish and AES are as secure as they are, or that the people testing the algorithms have all the information necessary to test them.

Microsoft’s new blog isn’t quite full disclosure, but it gives us a glimpse into their thinking, how they work, and what they discover. For a company with a history of silently fixing holes, and not acknowledging their security shortcomings, this is an important step.

In addition, it gives us some insight into the tools Microsoft is using internally. For instance, in their post on insecure SMB2 signing, Microsoft reveals that they’re using Open Source Software internally. The images show that Microsoft clearly uses Wireshark (formerly Ethereal) in-house for their protocol analysis.

And why not? Wireshark is an excellent protocol analyzer, particularly when run on stored data captures (live captures are potentially dangerous). Not only do the images reveal their use of Free Software; the fact that the traffic dump posted is clearly generated by libpcap is another sign.
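How can you tell that a capture was written by libpcap? The file's 24-byte global header starts with a fixed magic number that also reveals the writer's byte order. The following is an added example, not code from the post or from Microsoft; the sample header bytes are constructed here with struct.pack rather than taken from the dump the post shows.

```python
import struct

# libpcap global header magic values (the pcapng block type is listed so it is not mistaken for an error)
PCAP_MAGIC_US = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA3B2C3D4   # libpcap with nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A    # Section Header Block of a pcapng file

def identify_capture(data: bytes) -> dict:
    """Classify the first bytes of a capture file and decode the libpcap global header."""
    if len(data) < 4:
        raise ValueError("too short to hold any capture-file magic")
    if struct.unpack("<I", data[:4])[0] == PCAPNG_MAGIC:
        return {"format": "pcapng"}
    # The magic is written in the host's byte order; try both and remember which one matched.
    for order, name in (("<", "little"), (">", "big")):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            if len(data) < 24:
                raise ValueError("truncated libpcap global header")
            # version_major, version_minor, thiszone (signed), sigfigs, snaplen, linktype
            major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
            return {
                "format": "libpcap",
                "byte_order": name,
                "nanosecond": magic == PCAP_MAGIC_NS,
                "version": f"{major}.{minor}",
                "snaplen": snaplen,
                "linktype": linktype,   # 1 == LINKTYPE_ETHERNET
            }
    return {"format": "unknown"}

# Constructed sample: a libpcap 2.4 header as an x86 host would write it (little-endian, Ethernet, snaplen 65535).
SAMPLE_HEADER = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    print(identify_capture(SAMPLE_HEADER))
```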

I’ve commented before about Microsoft becoming more open, and while I’d always like to see them go further, this is a great step. But guys, give a shout-out to the software you’re using when you demonstrate it like that. I’ve no doubt there will be more tools mentioned in passing over the life of your blog, and people really may be interested.