Jeff's InfoSec Blog

Thoughts about information security, privacy, and regulatory compliance. Brought to you by Jeff Newfeld, the product unit manager for security solutions in Microsoft's Core Infrastructure Solutions group.

April, 2005

  • Internet fraud -- whose fault is it?

    Awareness is our biggest challenge, but we've been doing a lot to make this happen. At this point the consumers that are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune. I like this...
  • DNS Poisoning attacks... will this never end?

    TechWeb just posted an article on DNS cache poisoning continuing. The Microsoft KB article can be found here. The problem: cache protection (in Windows 2000 SP3 and above) only applies when the DNS server is a master. If it is forwarding all requests...
  • Regulatory Compliance: Yet another regulation to follow

    The Payment Card Industry (credit-card issuers) has created its own set of regulations that e-commerce sites must follow if they're to continue processing credit card payments. The regs are pretty good -- a 12-point checklist of areas that need to...
  • Vulnerability analysis using search tools

    Interesting article: Google Yourself to Identify Security Holes by Tony Bradley. His point is that security people should be using Google and the discussed tools as one facet of a vulnerability analysis program.
  • Child Exploitation Tracking System developed by Microsoft

    This is one of those times that I love this company -- building a tracking system to fight kiddie porn, and giving it away to police departments worldwide. Link.
  • How do we fight spyware when no one can agree what it is?

    Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss...
  • Strong Passwords = Weak Security

    An old article, but still a good one, by Jakob Nielsen (formerly at Sun, now at his own company). I strongly agree with his points, particularly: "passwords that comply with the above list of "security-enhancing" principles lead to one outcome: Users...
  • What is Spyware (again)

    More progress being made on the anti-spyware front: http://www.eweek.com/article2/0,1759,1788844,00.asp . Industry players are banding together to try and define this. I'm not sure that this is a good idea -- while I agree that the term "spyware" has...
  • New day, new blog

    I am switching from MSN Spaces to TechNet over the next couple of weeks. Until I get my old stuff migrated over, if you're interested you can see my old posts here.
  • First open O/S, now open BIOS?

    Sorry, I just can't get behind this: Battle brews over unlocking PC secrets. The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's...