BillCan's Place

Life at Microsoft

Feedback Requested

There is a debate raging inside Microsoft, and I'd like to get some feedback from our customers.  Currently, Microsoft makes a great deal of guidance available to its customers via its web site.  Some of this content can be downloaded anonymously, but some of it requires authentication (and therefore registering for credentials on the site).  This is similar to other companies (Cisco comes to mind immediately), but there is some question whether we should be requiring authentication for any content.  We are especially wondering whether security content should require registration/authentication, especially given that the security people who would gain the most from the security guidance we provide are the same people who are the most paranoid about privacy and security, etc. (Hey, I'm the same way!)

So, the question is: if there was valuable security advisory material available for free on a trusted website, would you register and create credentials in order to obtain that content?  What if you had to get (or use) a Microsoft Passport account: would that change your mind?

Please respond either in the comments to this post or via the contact link, and thanks in advance for your help!

Comments
  • Yes, I'd love free Microsoft security advisories. Wait a second ... don't you already provide those?

    My question is, what sort of material are we discussing here? Are you talking about posting highly-detailed security notices that could possibly be used to write exploits? If so, then it makes a good deal of sense to require some form of registration and/or authentication to access such material. Otherwise, I'd have to say that I dislike registration requests. Put all of your content in the open, free to all, no registration required ... UNLESS there is a compelling reason to protect it, like the hypothetical case I mentioned above.

    FWIW, I detest the registration requirements on Cisco's website. Please don't model yourself after them, whatever you choose to do.

  • We are talking about things like hardening guides, identity management guidance, etc., not detailed security bulletins that could be used to write exploits.

    Good point though, and thanks for the feedback!

  • Bill,

    i would register using password or any other means - but i wouldn't like it.

    each time i have to 'log in' to some website i'm asking myself: 'what can they possibly gain by forcing me to log in?'.

    in most cases - nothing. as of that, the whole procedure is just an annoyance and nothing more.

    iow: no authentication, please. :)

    WM_MY0.02$
    thomas woelfer

  • On the subject of registration in general:

    If I perceive the registration to be part of my MSDN subscription, I'd be fine with it, but if I perceive it as a new, separate registration I'd be *extremely* unlikely to register for it.

    I have far too many passwords and accounts already, far more than I can manage, and I view each and every one as a potential attack surface.

    On the subject of registering for security bulletins:

    Do you honestly believe that requiring people to register is going to keep your "highly-detailed security notices" out of the hands of hackers and crackers? Surely you jest. Marking the information as "secret and highly valuable" will only increase the speed with which it spreads through the hacker/cracker community. "Security through obscurity" was a laughable concept in 1990. Today it's not laughable; it's professionally negligent.

    -Don

  • Hmm, many times I'm showing other people information from the Microsoft website (primarily MSDN), and I'd hate to be 'slowed' down by being forced to authenticate. Just think of all the conferences, user group talks, and presentations where this happens. Now, I understand that setting up an account is fairly painless... But it's always a hurdle that causes me to *sigh* when I can't get to it when I'm not on my normal dev machine.

  • I love the current freedom of information MS provides - it is easily spidered by google etc, and is therefore quick and simple to find and reference.

    I see no reason why you should care who is reading what, and that is all a Passport login adds. (Excluding controlling access to sensitive info, but you've covered that.)

    So generally I prefer it being open like now, so please keep it that way, and don't start putting walls up between you and your customers.

  • First off, requiring a passport account would not do a single thing to keep hackers away from any sensitive information if it were to be published. However, since that's not what's being discussed, I think that the information under discussion should be made freely available. I hate registering to view stuff. I register using false information now after getting sales calls from companies after viewing their documentation. Although, most of the time I just don't register and skip out on viewing the documentation.

  • I am against it for one big reason, the search of msft site sucks.

    so far I rely on google to get those information from sites like msdn, not surprisingly, many M$ employees are doing the same thing.

  • I'd be happy to... in order to get more access to MSDN subscription perks. Otherwise, I'd just create a fake account like I often do at most websites, using a disposable email account from www.spamgourmet.com.

  • Despite having a passport already I don't believe creating a barrier to guidelines is a good idea, both from a user's point of view and from the /. point of view.

  • Nothing should require authentication, you can always ask for it, but always have an opt out. More than anything else it's a pain to waste time registering for a site when I'm in a pinch and need the information. Plus with BugMeNot and services like that the info you're getting is prob. never real anyway.

  • Most websites use authentication to cut down on anonymous bandwidth. I'm sure Microsoft doesn't have to worry about that.

  • NO SOUL SUCKING REGISTRATION.

    New York Times, Washington Post, you know how often most people avoid those sites because they require registration. I absolutely refuse to go to those sites. First thing I think of when I see registration is tracking for advertising. We have all deleted those ad tracking cookies, we have despised and detested it. What makes Microsoft’s site so successful is it is free and it is open. How many times have you gone to a website you heard about a product you thought would be cool, you see you can download a free trial, you click the link to try it out and BAM you must register, you sit there and think well I guess I wasn't really that interested after all. Good study, put 2 similar products out there make them readily accessible, have one force you to register to download and the other just let you download. See which one gets accessed more frequently.

    First off if I have to register on Microsoft’s site to get information on security I will be going out to 3rd party sites to find the information. If I do register I will just register falsely as others have stated. Go in and look it up, VSIP and some of the others that force you to register to download. I know that Harry Balls and Fuk Yu are registered downloaders because I remember registering them. So what good does it do you? Now you ask why is registration such a big deal, because we do not know what you are going to do with this information. Trustworthy computing doesn’t mean collecting MORE personal information on your viewers or readers and tracking them, it means producing software safe and secure and being open and honest with your communication to your users.

    Look at this from my point of view. I know damn well anyone with a large system access at Microsoft now can completely assume my identity empty my bank accounts and make my life a living hell. I have registered every single version of windows since 3.1, I have a Passport, I have registered MSDN Subscription, I have registered Flight Simulator from back when it ran on DOS, I even use Microsoft Money and have for years. Money 2005 does everything against MSN, which MSN sucks btw I would much prefer Money without tying it into MSN which is actually why I am thinking of dropping money. So anyway you have all my account numbers along with all my personal information and you know every address I have lived at from early 90’s on and every phone number I have had including work phone numbers. So I put a lot of trust in Microsoft with all this information you already have and so do a lot of other customers. If the freaking marketing guys who want me to do another damn registration on another MS product, in order to look at information on how to keep the information I already trusted you with safe then do me a favor, tell those guys to piss off.

    Well, open and honest communication, I have already trusted MS with my personal information more than once. Why do you need it again with information that will help me be safe. I mean hell why not put a registration up every time there is a security patch in windows. Because millions of people wouldn't ever install the patch because they just simply want to get their job done as quickly as possible. However the hacker would download it under a false registration just to reverse engineer it.

  • Oh yeah, and an old saying that seems quite appropriate in this case.

    A lock only keeps an honest person out.

  • If registration was part of an IT professional-facing portal tied somehow to the MCP program (making that program worth something beyond marketing), then yes. If this portal could help me personalize and coagulate the raft of technical information available, then yes.

    What benefit is it to me to be forced to register for content that's publicly applicable? By that logic I'd have to authenticate to use Google.