I met David for the first time a couple of years ago when I was excited about Certificate Auto-Enrollment and tracked him down as someone who could give me for of the nitty-gritty details. We've had many conversations since then and I continue to enjoy the opportunity to work with him. I remember it being "the year of PKI" for several of the years during the 1990s, when it never really came to fruition. But, quietly and steadily, work to integrate Certificate services with Windows Server, and...

Last week at the RSA conference, I had the excellent opportunity to talk to a lot of people about security (in general) as well as about security enhancements in Windows Vista. One of the interesting discussions I had centered around UAC and it's security value. I *think* the conversation started when someone asked me about the new Apple ad that tries to poke fun at the Vista UAC elevation dialog (though I didn't see that one until this weekend), but the the conversation made me realize that their...

I just posted my January 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Sun, and Mac OS X, broken down by server and workstation. I do include the first 2 months of Windows Vista as well, which had no vulns fixed in that time period. As a teaser, here is one of the 4 charts from the post: I plan to update this monthly throughout the year, and will include newer products when they are...

With such an eye-catching headline of Symantec CEO says no Vista for me , how could I not read it? My hat is off to you Joris, for having the most popular security story of the day! WARNING: This post is chock-full of exaggerated incredulity and hyperbole! (Though not necessarily as much as most recent Symantec marketing messages...) Let me give you an exciting excerpt from the expert opinion of John Thompson of Symantec. I continue to get a chuckle whenever I read almost anything from this...

For my avid readers (ha!), I've just launched another blog - Security by Numbers - which will be hosted on CSOOnline , the CSO Magazine web site. The link is: http://blogs.csoonline.com/blog/jeff_jones . I will still do my technical, in-depth (and long) posts here, but will post additional content over there that is aimed more at the CSO audience. My first post is up over there, A focus on security metrics , and I am working on a second one this weekend called (working title): " Exactly How Biased...

Yesterday, Eric S. Raymond (ESR) publicly dumped Red Hat Fedora and made the switch to Ubuntu: Eric S. Raymond Gives Up on Fedora , burning bridges left and right behind him. In Eric's words: Over the last five years, I've watched Red Hat/Fedora throw away what was at one time a near-unassailable lead in technical prowess, market share and community prestige. The blunders have been legion on both technical and political levels. They have included, but were not limited to: Chronic governance...

Greeting from the RSA Conference 2007 in San Francisco! I went over to see the keynotes this morning and I must say that I really enjoyed the kick-off number, "Under Pressure", that they put on. Unfortunately, I don't have that on video or I'd run it for you. I am going to try and find out if they taped it though, as it was very cool. Just after that, things kicked off with Bill gates and Craig Mundie giving the first keynote. The most interesting bits I gleaned were that: Interoperability...

Yesterday was a typical first RSA day for me, in that I think I saw and talked with about 100 people I've worked with over the course of my career. On the show floor, I personally did not see much evidence of a "a lot of the big boys" as has been reported - except for Oracle, who is also giving a keynote, so naturally has a presence. On the other hand, I have seen dozens of small companies that I've never heard of previously who all seem to have started up and gotten funding in the security field...

I went to some really good sessions yesterday, among them "the Buzz on Fuzzing" by Hugh Thompson, who had a great definition for what fuzz testing is, which I caught on video and will be posting as an update whenever I have some free time. I did not catch his excellent description of his first experience with fuzz testing Coke machines on the video, and if can't get him to tell the story for me again today, I may just resort to describing it in text ;-0 Mike Howard and I are presenting today on...

UPDATE: Brian Seitz posted an audio cast of a short interview with Mike Howard and myself after our session this morning. Here is the link on the Microsoft RSA site: Interview at RSA, Mike Howard & Jeff Jones Mike Howard and I got together this morning to put the finishing touches on our session presentation (in the Crypto Lounge) and finished going over all the details about 20 minutes before our session was to start. So, we trek over to our room to find a large crowd of folks waiting...