Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Related Posts
  • Blog Post: More on the necessity of antivirus software

    A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: absolutely not. For the vast majority of folks, the four...
  • Blog Post: iPods spread disease?

    Well well. Looks like a few new iPod owners are getting infected when they attach their players to their computers. I'll quote the first paragraph from Apple's web site: We recently discovered that a small number - less than 1% - of the Video iPods available for purchase after September 12, 2006...
  • Blog Post: Mandatory integrity control in Windows Vista

    One of my favorite new security features in Windows Vista is Mandatory Integrity Control (MIC). It’s a classical computer science concept from the 1970s that’s finally getting its first commercial implementation—and of this I’m quite proud. While discretionary access control lists (DACLs) are useful...
  • Blog Post: August article: 802.1X on wired networks considered harmful

    Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described is in fact true -- I've seen it myself now. So...
  • Blog Post: Lousy security

    Lousy security is all around us, and I'm not even thinking about airport security here (which, I admit, I love griping about). Here I have in mind lousy computer security. And lest you think I'm proceeding to engage in navel-gazing introspection, no -- I'm not going to write about our own products. ...
  • Blog Post: What's your data worth? More importantly, to whom?

    This week, I'm attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don't consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to...
  • Blog Post: Autorun: good for you?

    Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the game to start. Groovy! No, if you're a security...
  • Blog Post: Security in Windows Vista 64-bit

    By now, many of you have heard us speak about or have read our writings on the improved security capabilities of Windows Vista. As I've said at a number of events now, the research I've done into these capabilities has convinced me that enterprises should seriously consider Vista upgrades. This OS is...
  • Blog Post: Ah, the joys of speaking about pre-release software!

    Two weeks ago I delivered my Windows Vista System Integrity presentation at the TechEds in New Zealand (Auckland) and Australia (Sydney). It was largely the same as the presentation at TechEds in America and India, but updated to reflect changes made in the product between the time I wrote the presentation...
  • Blog Post: Did you know that you ALREADY have an e-mail policy?

    An email access policy can be expressed in one of two ways: E-mail is mission critical to our business. Therefore, we permit employees to read and compose e-mail from any location in the world where employees can access the Internet, using either company-issued devices or public Internet terminals...
  • Blog Post: Throw away your digital picture frames

    Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I? Virus from China, the gift that keeps on giving An insidious computer virus recently discovered on digital photo frames has been identified as a powerful...
  • Blog Post: How to secure your wireless network

    I'm now a contributing editor for TechNet Magazine. Everyone with a TechNet subscription automatically receives it; if you don't have one, you can still get the magazine free. The magazine's published three issues so far: Winter 2005, Spring 2005, and November-December 2005. You'll especially enjoy...
  • Blog Post: TechNet: Exploring the Windows Vista Firewall

    New article up... Back in the days of the paleocomputing era, no one ever thought about installing firewalls on individual computers. Who needed to? Hardly anyone had heard of the Internet, TCP/IP was nowhere in sight, and LAN protocols didn’t route beyond your building or campus. Important data lived...
  • Blog Post: New column -- Using IPsec for network protection

    I'm now writing semi-regular articles for TechNet. These are part of the security management series, and they're also linked from the security newsletter. The first column is a two-parter about IPsec. Part 1 describes the technology: how it operates, its various modes and methods, a bit on IKE...
  • Blog Post: Attacks against integrity

    I’ve been mentioning this frequently during my talks in the last 12 months: that accidental or malicious data modification is yet something else we need to defend against. Richard Bejtlich wrote last year about attack progressions, and this year summarized an accidental integrity error that created...
  • Blog Post: Antivirus software -- who needs it?

    In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several years. I feel fairly confident in calling myself...
  • Blog Post: Enabling Secure Anywhere Access in a Connected World

    A few times each year, Bill Gates or Steve Ballmer publishes an executive memo. The first memo was Bill's essay on trustworthy computing, in July 2002. Today Bill has a new memo, one that is very important for all of us who strive to achieve a balance between being secure and, well, getting work done...
  • Blog Post: New column -- The case of the stolen laptop

    Seems like once a week I hear from someone worried about stolen laptops -- or, worse, just joined the ranks of laptop theft victimhood. The best way to stay out of that club is to keep the thing with you at all times, or leave it in your hotel room when you don’t want to carry it around. Yes, everyone...
  • Blog Post: BitLocker command line interface

    Last week at TechEd Europe I showed the BitLocker command-line interface. At other TechEds I've mentioned it but didn't show it. The CLI provides full control over BitLocker, including enabling it on any NTFS volume on the system (the Control Panel UI displays only the volume containing the operating...
  • Blog Post: Protect your data: everything else is just plumbing

    Take a few moments and indulge in a thought exercise with me. Consider your company’s complete collection of information processing assets—all the computers, the networks they’re connected to, the applications you use, and the data and information you manipulate. Which of those is the most valuable?...
  • Blog Post: Windows Integrity Mechanism: more than you ever wanted to know

    A while back, the technology in Vista called mandatory integrity control got a new name: Windows integrity mechanism. Recently the folks responsible for developing the technology have posted a good amount of documentation on it. Read the Windows Vista Integrity Mechanism Technical Reference for all the...
  • Blog Post: Configure your router to block DOS attempts

    Some time ago I had a discussion with a friend. He disagreed with my recommendations on how to configure a border router and the firewall behind it. I claimed that in the border router between you and your ISP, configure the six rules to block most denial of service traffic; in the firewall, configure...
  • Blog Post: Should your ISA Server be in your domain? Film at 11!

    So it would seem that a statement I made during TechEd US last week in Boston has mildly stirred a bit of controversy -- no surprise there, I guess, heh. One of my presentations gave an overview of what's new in ISA Server 2006 (download your copy of the release candidate or try it out in some virtual...
  • Blog Post: Poll: do you use scheduled scans for malware?

    An interesting comment recently appeared on my older post about whether or not to use antimalware software. Peter van Dam wondered whether scheduled scans are really necessary, given that anti-malware products scan files as they enter (and sometimes exit) a computer. He raises a good point, and...
  • Blog Post: If you know the Conficker dude, we've got a prize for you

    Yesterday (12 February 2009) Microsoft announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators...