Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Posts
  • Last Post

    • 7 Comments
    Today was my last "normal" day at Microsoft. (That's with a grain of salt - an exceptional company has few normal days). Tomorrow I just have the exit interview early and then I will be unemployed for a few days. I wonder when I am officially not an employee...
  • Yet another change of plan - TechEd Japan

    • 6 Comments
    Today the plans for what I am doing before I leave changed, again, but not as drastically as last time. It turns out that I am going to TechEd Japan after all. I will be delivering the "Is That App Really Safe" and "Baking Security Into The Development...
  • I Got A New Blog!

    • 5 Comments
    Some of Microsoft's amazing Most Valuable Professionals (MVP) made me a blog on a new site they call msinfluentials.com. I can't thank Susan, Nick, Vlad, Chad, and Wayne enough. You guys are truly special and exemplify all the best things about the...
  • Yes, it is unfortunately true

    • 10 Comments
    I have unfortunately been prevented from speaking at TechEd in New Zealand, Australia, and Japan; the final events I was planning to speak at before I leave Microsoft on September 1. I cannot express how terrible I feel about this. The hope was that these...
  • Intel Centrino Driver Vulnerability

    • 2 Comments
    Last week a new security problem was announced in the Intel Centrino wireless drivers. It appears to affect the 2200BG and 2915ABG wireless hardware. These are extremely common components that are shipped in many laptops. You would do well to check whether...
  • Free Windows Software

    • 1 Comment
    Blake Handler sent me a link to his blog post about free Windows software a couple of days ago. It is a very cool list that shows a lot of free things published by Microsoft. Check it out at: http://bhandler.spaces.live.com/blog/cns!70F64BC910C9F7F3!1231...
  • All good things must come to an end

    • 46 Comments
    This is an excerpt from a mail I sent out internally today: The sands of time seem finally to have run their course. On September 1 I will not only celebrate the 5-year anniversary of my time here at Microsoft but also my departure from the company. On...
  • How LMCompatibilityLevel really works

    • 5 Comments
    A while ago I once again got frustrated by LMCompatibilityLevel and the amount of confusion that is out there about it. There was also an intriguing thing in the SAMBA documentation that they (incorrectly) called "NTLM2 Session Response" that needed figured...
  • Required Attributes of Security Solutions

    • 5 Comments
    I've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situation...
  • Microsoft Purchases Winternals

    • 5 Comments
    In a very interesting twist Microsoft today announced the acquisition of Winternals and Sysinternals. This is really interesting news and I am glad to see Mark Russinovich and Bryce Cogswell getting to have more of an impact on the Windows product.
  • How many vulnerabilities are there really?

    • 2 Comments
    Just in case you are of the vulnerability counting type, you may be interested in an analysis posted by my friend Jeff Jones in his blog. Jeff has done some pretty amazingly detailed analysis of the number of vulnerabilities in each of several products...
  • Resources from U.S. Security Summits

    • 3 Comments
    Many of the attendees from the recently concluded Security Summit series in the U.S. have been asking for the slides. Since we will be doing web casts of the presentations we are not making the slides available. What many people want though are simply...
  • Please don't disable security features, at least while we are testing them

    • 42 Comments
    I couldn't tell you how many times I have either had the question "how do I turn off User Account Control" or heard the statement "boy, I sure hate all those annoying user account control popups in Vista." Yeah, security sucks, it gets in the way of doing...
  • Are You A People Person?

    • 17 Comments
    As my family keeps reminding me, I'm not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested...
  • Structuring Infosec Organizationally

    • 17 Comments
    Last week I visited a customer and was greeted by two people who introduced themselves, respectively, as the "Chief Information Security Officer" and the "Chief IT Security Officer." Yes, they had two separate functions for this, one to secure information...
  • Free Security Support Number For Your Region

    • 0 Comments
    At an event in Germany today the issue came up how to access the free security support in your region. For a couple of years now Microsoft has offered no-charge support for security issues. However, the number is different in different regions. To find...
  • What is a "zero-day"?

    • 13 Comments
    Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways to confuse the field. "Hacker" was not the first term they ruined, but it is still the one that irks me the most. The primary definition of "Hacker...
  • I Really Do Not Hate Hardening Guides

    • 9 Comments
    Unfortunately, it seems that people are getting the impression that I hate hardening guides. A few people told me that after I delivered the "Security Myths" presentation at Microsoft's Federal Security Summit West last week. It is really not the case...
  • Going Wild With Administrative Accounts

    • 7 Comments
    Today I got a question that reminded me that I have not written a whole lot about how to manage the accounts used by system administrators. The question was whether I could think of any reasons why you would share an administrative account between several...
  • Are we too simplistic in how we think about risk?

    • 7 Comments
    Yesterday I had a fascinating meeting where we discussed a number of theoretical concepts, including how we think about risk. Risk, of course, should be the driver in everything we do in information security, and risk management should be the discipline...
  • Why your comments no longer automatically show

    • 4 Comments
    Just a quick note to let you know why your comments to my blog no longer show up automatically. It turns out that someone decided my blog was a good place to post ads for online pharmacies, gambling, and all that other stuff that we apparently do not...
  • More Security Myths

    • 7 Comments
    About a year ago Steve Riley and I built a presentation based on a set of security myths we put into the book. It was one of the most popular presentations we have ever made, and we kept coming up with more myths every time we delivered it, or talked...
  • Upcoming engagements

    • 9 Comments
    The schedule for Spring 2006 is in full swing. Just in case anyone is interested in meeting up with me somewhere in the world (or has some new gig they think I should go to) I thought it makes sense to post my schedule here. February 6 and 7 - Albuquerque...
  • Windows Firewall: the best new security feature in Vista?

    • 26 Comments
    It is interesting how some of the best security features in Windows receive either no attention, or get criticized for the strangest reasons. Case in point: Windows Firewall is one of the best firewalls out there, and yet much of the talk about it are...
  • Why Phishing Will Remain Lucrative For The Foreseeable Future

    • 8 Comments
    Today I received a message that purports to be from Discover regarding a 5% cashback program on gas purchases on that card. (For the non-American readers, Discover is a credit card widely used in the U.S.). The e-mail had a couple of links to click, both...