Tag: Microsoft

  • Microsoft SIR and Vulnerability Statistics

    [I wrote this for my day job back in February, 2017, but it never got posted. Including it here for reference.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can…

  • Perlroth and the History of Microsoft Vulns

    While reading “This Is How They Tell Me The World Ends”, early in the book I ran across a single line that made me double-take. I took a note to revisit it after a complete read since it was so early in the book. For those familiar with my blogs, I tend to write about…

  • That Vulnerability is “Theoretical”!

    [This was originally published on the OSVDB blog.] A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’”! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability…

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can grant, can still have very different expertise within that field. Society and science…

  • An Analysis of Google’s Project Zero and Alleged Vendor Bias

    [This was originally published on RiskBasedSecurity.com.] Google announced a new initiative called Project Zero. The basic premise of the project was that Google invests heavily in their own security and had for quite some time also been tasking their researchers with part-time work on improving the security of other high-profile products. Project Zero is Google’s…

  • Microsoft’s latest plea for CVD is as much propaganda as sincere.

    [This was originally published on the OSVDB blog.] Earlier today, Chris Betz, senior director of the Microsoft Security Response Center (MSRC), posted a blog calling for “better coordinated vulnerability disclosure”. Before I begin a rebuttal of sorts, let me be absolutely clear. The entire OSVDB team is very impressed with Microsoft’s transition over the last…

  • Advisories != Vulnerabilities, and How It Affects Statistics

    [This was originally published on the OSVDB blog.] I’ve written about the various problems with generating vulnerability statistics in the past. There are countless factors that contribute to, or skew vulnerability stats. This is an ongoing problem for many reasons. First, important numbers are thrown around in the media and taken as gospel, creating varying…

  • Rebuttal: Microsoft, Unhackable and Ridiculous

    [This was originally posted on attrition.org. This is a rebuttal piece to Microsoft: We’re not vulnerable to DDoS attacks (2011-07-06) by Ms. Smith. More to the point, this is intended for John Howie, senior director in the Online Services Security & Compliance (OSSC) group at Microsoft.] Microsoft: We’re not vulnerable to DDoS attacks Microsoft’s John Howie claims…

  • Microsoft, Aurora and Something About Forest and Trees?

    [This was originally published on the OSVDB blog.] Perhaps it is the fine tequila this evening, but I really don’t get how our industry can latch on to the recent ‘Aurora’ incident and try to take Microsoft to task about it. The amount of news on this has been overwhelming, and I will try to…

  • Microsoft LifeCam – sucks the life out of me

    It wasn’t my choice, but I was handed a Microsoft “LifeCam” today, as the original recipient didn’t want it. Figured I’d try to use it to make a Guinea Pig cam after seeing a nice setup and live streaming a few nights ago. The software it comes with makes me want to vomit. Insert the…