[SecurityRatty] tag: eyed

AT&T, Starbucks Make Rollout Start Official

Fri, 25 Apr 2008 06:02:47 +0000

Although a San Antonio PR guy spotted the AT&T trucks at a Starbucks last week, this press release makes it official: AT&T and Starbucks co-announced today that San Antonio--AT&T's corporate HQ town--is the first city to be unwired with AT&T's flavor of Wi-Fi in Starbucks stores. Other markets will follow this year, although, as before, there's no list of markets nor a time table beyond the notion that "it will continue through 2008."

The companies also said that AT&T high-speed DSL and fiber customers will gain free access at 7,000 Starbucks starting May 1, but as other eagle-eyed readers have noted, that option is already available on any T-Mobile login page that anyone's written me about or I've seen. The difference will be that a separate SSID called ATTWiFi will be available as an option for network selection, presenting a different gateway page.

Microsoft SDL Process in detail

Wed, 09 Apr 2008 15:13:00 +0000

Hello all – Dave here…

I am currently at RSA and decided to take a few moments to blog about some updates to the Security Development Lifecycle. Admittedly, I have been “radio silent” on the blog for awhile – for those that know me, that’s usually a warning signal that I am cooking something up…

Anyway, back when we first started this blog we promised that you would see more about the particulars of the SDL – and I think we have done a reasonably good job. Michael Howard has written some pretty interesting pieces on a wide variety of subjects; bug post-mortems, philosophical notes and the like. Adam Shostack did a fabulous job on the threat modeling series; Eric Bidstrup took a deeper look at the perceived vs. real benefits of the Common Criteria and I have penned a moderately well received screed or two from time to time.

However, one of the common requests (complaints?) that I have heard is that we have been short on the real “guts” of the SDL – that is to say, a point by point examination of how to apply the SDL. I would argue that Michael and Steve’s book on the SDL is a good primer on how to get started. I think Jeremy Dallman added more momentum with his “Crawling toward SDL” post, giving some practical advice on how to approach the issue of secure software development from scratch.

Despite these efforts I have heard that people still want more detail – some folks are curious about how an organization the size of Microsoft programmatically drives culture change; others are looking for guidance that can be repurposed for their own organizations and finally, some folks are convinced that we are deliberately holding back some security “secret sauce” for some reason. Go figure.

With that, let me cut to the chase. Today, we have made the Microsoft Security Development Lifecycle, version 3.2 available for your perusal on MSDN. This has been in the works for quite awhile and has involved a ton of folks in SEC and TWC putting in a lot of hours and resources into getting this published (props to Ziv Fass and Jed Pickel!).

As you can probably guess, this is not an exact duplication of the SDL for a number of reasons – but it’s pretty darn close. Given that caveat, allow me to illustrate a few points about this guidance...

First, we have gone through and removed Microsoft specific jargon, references to internal resources on our intranet, and things that would likely make zero sense to an audience outside of Microsoft (the scrub work was one of the primary inhibitors to publishing previous versions of the guidance).
Second, this is a generalized representation of how the SDL is applied at Microsoft for the development of rich client and server applications – while many of the principles apply to the creation of web applications, I would caution you to view this in the correct context. While Bryan Sullivan has written about web development in the past we’ll have more on SDL and web application development in the future.
Third, for all intents and purposes the SDL is considered the “minimum bar” for security and privacy at Microsoft for those products with meaningful security risk; there are a number of teams that choose to invest more time and resources as necessary to meet product team goals that may exceed the SDL. We salute that behavior. : )

Finally, in reference to the third point above, I am compelled to say the following. (LEGAL DISCLAIMER ALERT – those with weak constitutions should avert their eyes):

The following documentation on the Microsoft Security Development Lifecycle, version 3.2 is for illustrative purposes only. This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented herein. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, OR STATEMENTS ABOUT APPLICABILITY OR FITNESS OF PURPOSE FOR ANY ORGANIZATION ABOUT THE INFORMATION IN THIS DOCUMENT.

For the morbidly curious: Yes, I wrote that; yes, it passes legal muster; no, I am not a lawyer, nor do I play one on TV. : )

So there you have it – Microsoft SDL 3.2.

There are a few sharp eyed souls that read the blog and will wonder about our publishing schedule for updates – it’s no secret that we examine the SDL every six months and either add new requirements to meet emerging threats or deprecate old guidance. It has been described by some as analogous to “changing tires on a moving vehicle.” Let me say now that we will NOT be publishing new SDL guidance on a six month schedule for the foreseeable future – we’ll settle on a reasonable publication frequency and hopefully accelerate over time.

I welcome your thoughts and comments...

Links for 2008-02-08 [del.icio.us]

Fri, 08 Feb 2008 21:00:00 +0000

Toner scheme busted by sharp eyed Xerox employees

Tue, 05 Feb 2008 21:00:00 +0000

A former Xerox customer service agent on Tuesday pleaded guilty to mail fraud for stealing and selling cartridges stolen from his former employer online.

Oracle to Buy BEA Systems for $8.5 Billion

Wed, 16 Jan 2008 11:00:30 +0000

After three months of wrangling over prices, Oracle Corp. will acquire BEA Systems in a $8.5 billion deal.

This means that Oracle will now have an event processing platform, the Oracle WebLogic Event Server to compliment their product line.

Reference: Oracle Strikes Deal to Buy BEA Systems for $8.5 Billion (Wall Street Journal)

By JOHN FLOWERS
January 16, 2008 8:14 a.m.

Oracle Corp. said it will acquire BEA Systems in a $8.5 billion deal three months after BEA slapped away an Oracle takeover offer as too low.

Oracle would pay $19.38 for each BEA share, a 24% premium to Tuesday’s close price of $15.58.

Oracle made an unsolicited $6.7 billion, or $17 a share, takeover proposal in October, but the company let it expire weeks later after BEA said the bid was unacceptable. At the same time, BEA added it was looking to start negotiations with interested parties willing to pay at least $21 a share.

“The addition of BEA products and technology will significantly enhance and extend Oracle’s Fusion middleware software suite,” said Oracle Chief Executive Larry Ellison. “Middleware” is a general term for any programming that serves to mediate between two separate and often already existing programs.

BEA Chairman and CEO Alfred Chuang called the deal the culmination of a “diligent and thoughtful process” to maximize stockholder value. The company’s largest shareholder, billionaire Carl Icahn, had called for an auction to sell the business-management-software firm.

BEA is one of the few independent, midsize software companies left in Silicon Valley as the technology industry consolidates. Oracle has for years eyed BEA as an acquisition target.

BEA has been battling Oracle, International Business Machines Corp. and others in the market for middleware. BEA, with a product called WebLogic, pioneered one category of middleware called application servers that are used to build Web services.

Oracle expects the buyout to boost earnings by one cent to two cents a share, excluding items, in the first year after the deal closes. That is slated to happen by midyear.

Shares of Oracle fell in premarket trading to $20.80 after closing Tuesday at $21.31.

The Trouble with Horsies

Sun, 11 Mar 2007 21:00:00 +0000

I was sitting in the living room of my best friends' (G and his wife N) house the other night. They're a happening bohemian couple who live in the swinging, cool part of town, and they invited me over for a drink and "to have a talk" with me. The conversation started out light-hearted until they broached the subject of fixing me up on a date. I was a bit hesitant and asked whether the intended lady was of fair stature and worthy intellectual capacity. At this, N's eyes started tearing up and she covered her mouth with her hand. G gave me a flinty-eyed stare. "Uriel," he said, "if I were you, I would not look a gift horse in the mouth." My suspicion was further raised by the intended's inauspicious name: "Brumhilda". I was reminded of the advice my maternal grandfather gave me: "Don't look a gift horse in the mouth, but make sure it's not full of Greeks." ...