Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Browse by Tags

Related Posts
  • Blog Post: It's time to stop playing war games in the name of "security"

    Really interesting article. Military mindset no longer applicable in our line of work http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html My favorite bit: "Obviously, secrecy is important to business, as is the ability to trust messages to the military, but these two...
  • Blog Post: August article: 802.1X on wired networks considered harmful

    Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described is in fact true -- I've seen it myself now. So...
  • Blog Post: Lousy security

    Lousy security is all around us, and I'm not even thinking about airport security here (which, I admit, i love griping about). Here I have in mind lousy computer security. And lest you think I'm proceeding to engage in naval-gazing introspection, no -- I'm not going to write about our own products. ...
  • Blog Post: What's your data worth? More importantly, to whom?

    This week, I'm attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don't consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to...
  • Blog Post: Return on security investment

    Soon I will begin a research project into quantifying and expressing return on security investment. From conversations I've had with many conference attendees, there's a need for developing a basic understanding of how to measure ROSI so that budget money for security magically becomes unlocked. I plan...
  • Blog Post: Why administrative passwords will never be like nuclear missile launchers

    During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater than the span of a single human's arms, must each...
  • Blog Post: Airport security silliness

    So today (Thursday 21 July 2005) I flew from Seattle to Dallas for a customer meeting. Since it's a short one-day affair, I packed my small carry-on size suitcase. In it was a pair of shoes, one pants, one shorts, two shirts, a toiletry bag, and my collection of wall warts (AC adpaters). Seems normal...
  • Blog Post: Who should do your security audits? Or, how do you organize the security department?

    An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations. Others in the security department are uneasy with this, and prefer that someone else do the auditing...
  • Blog Post: New column - debunking security myths

    There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance...
  • Blog Post: It's me, and here's my proof: why identity and authentication must remain distinct

    My February Security Management column is posted: http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx No matter what kinds of technological or procedural advancements occur, certain principles of computer science will remain -- especially those concerning information security...