Select the directory option from the above "Directory" header!

Security: Opinions

Opinions

  • Security saps system performance

    The tremendous benefits of computing in the Internet Age have come at a price. Viruses, worms, Trojan horses, DDoS attacks, spyware, phishing -- the list of network-based threats seems to grow longer every day. In response, IT managers pile security countermeasures onto servers and workstations, malware authors find ways around them, and the cycle continues.

  • Best of open source in security

    In areas such as CRM software and portals, open source gained a foothold because users were willing to compromise -- less could be more, because the price was right. In security, open source rushed in because commercial vendors fell down on the job. As security problems in the enterprise outstripped the capabilities of commercial solutions, a number of talented security researchers stepped into the breach via the open source model.

  • Here's why .pdf spam went pffft

    It's no secret that spammers have informal communications channels and freely share tricks of the trade on the Internet. But what happened in August is enough to make you suspect they have an organized trade union -- or even a government -- that allows what would otherwise be a scattered collection of freelance vermin to operate in surprising unison.

  • Understanding federated identity

    Federated identity management is a relatively new concept that is an extension of identity management, which is a centralized, automated approach to regulating access to enterprise resources by employees and other authorized individuals.

  • Security-oriented architectures?

    SOA is one of those buzzword acronyms that mean so many things to so many people, it's hard to pin down what it is. Nevertheless, many large enterprises are integrating applications and building applications using XML, Web services and rudimentary service-oriented architectures. But what about security?

  • Old apps, new vulnerabilities

    One of the best security defenses you can have is a fully patched computer. Not just the OS, but all applications -- large and small -- should be completely up to date. But making sure you have the latest patches isn't enough. You have to check and see if the older, vulnerable versions of the software you patched aren't still installed and available. Unfortunately, many well-known applications, when patched, do not remove the older versions. Malicious Web sites can often choose which version your client runs, so while you think you're safe with the latest patches, the older versions of your software can be called, instead, to execute a known vulnerability you had long ago stopped worrying about.

  • Microsoft 'silently' restores root certs users ax

    Kill off any one of 230 root certificates available under the default configuration of Windows XP Service Pack 2 and the operating system will "silently" revive it and restore the certificate to the trusted status that the user intended to be revoked. And in Windows Vista you just can't kill them, period.

  • Virtual servers: More or less secure?

    Virtualization is quickly being adopted in many different industries. As virtual machines move from testing and development roles into production, security becomes ever more important. Virtual servers are no less secure than regular servers, and may provide additional security by compartmentalizing applications.

  • IIS versus Apache: Re-examining the statistics

    As a Microsoft employee, I try to avoid writing on areas that blatantly promote Microsoft. However, I think this question is generic enough to involve Microsoft in the discussion: Can IP addresses ever be used for statistical analysis of malicious Web sites?

  • Converged security pays dividends

    Security convergence -- integrating building- and IT-access systems --- is supposed to make life easier for everyone: IT, building security staff and employees coming into the office each day.

  • Built-in encryption is key to ending data leaks

    It hasn't happened to me so far (fingers crossed), but I imagine there are very few things more disturbing than having your personal information put at risk because someone lost or misplaced a tape cartridge or a laptop.

  • Should vendors close all security holes?

    In the past I have argued that vendors should close all known security holes. This week a reader wrote me with a somewhat interesting argument that I'm still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

  • DNS attack puts in perspective

    A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

  • Trust isn't security

    In Lancaster, last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.

  • New Vista firewall fails on outbound security

    Microsoft has touted Windows Vista as giving significant security improvements over Windows XP, and it offers the Windows Firewall, with its new two-way filtering feature, as one reason for that better security.