• Crime on SecondLife - a Surprise?

    There were recently several articles about crime on SecondLife. What is interesting to me is that a lot of them started to express their surprise. In certain blogs I read statements like: SecondLife is so cool, how could somebody even think of this?

    Well, if time has taught us anything, it is the fact that crime - especially organized crime - is wherever the money is. If you can commit fraud on SecondLife, it will happen. Probably sooner rather than later. What is disgusting is that we started to see pedophiles on SecondLife - but again, not surprising.

    Is SecondLife to blame? Not as far as I can judge at the moment. If they collaborate with the police, they are fine, but the key problem is more on the social side, and the question might be asked whether law enforcement as well as our legislation is able to cope with the speed at which criminals look for new ways of making money. It again shows that collaboration among the different players (technology vendors, ISPs, operators, police) is the only way to build trust on the Internet.

    Two articles you might want to read:

    Roger

  • Europe, Middle East and Africa after 100 days

    Before I actually start with content, let me briefly give you some background: I took the role of the Chief Security Advisor (CSA) in EMEA (Europe, Middle East and Africa) after five years as the CSA in Switzerland. I went through all the nice challenges of Nimda, Code Red, Slammer, Blaster, Sasser and some more. On February 1st, I joined the EMEA organization to expand my function over the whole region. Now, in Switzerland we have kind of an unwritten agreement between the "classe politique" (the politicians) and the journalists: During the first 100 days the press does not aggressively talk about the politician. After 100 days the politician (especially ministers) gives a press conference to report on his/her initial findings – I am not that important, therefore I just blog.

    Looking at this, it would be time for me to look back at the first period in this role – being an engineer, it is not too important that it took me 143 days :-)

    The Chief Security Advisors in the countries where Microsoft has offices have basically one important goal: Building trust! Building trust with our companies, governments, law enforcement, press, analysts, partners and last but definitely not least consumers. But trust not only in Microsoft. We work with the industry to help gain trust in the information infrastructure as a whole. In EMEA alone, we are working with 15 CSAs and I am extremely proud to be part of this great community.

    Besides this community, there are a lot of people working with us to achieve this goal:

    • Marketing to work especially on campaigns to educate consumers, parents, kids and small and medium business in how to safely work with computers on the Internet
    • Legal and Corporate Affairs to train and support Law Enforcement
    • PR to work with press to communicate with important external audiences what Microsoft is doing
    • Security Support to help customers under attacks
    • and many, many more

    The biggest highlights during this first phase were definitely the product launches, with Windows Vista at the top. Windows Vista is the first product engineered and developed with security in mind from the beginning and is a testament to our Security Development Lifecycle, as research by my colleague Jeff Jones shows. Additionally, we launched Forefront Client Security. Are we done now? No, definitely not. Products are by far not the end of the road, but a fundamentally secure platform is key. Will we ever be secure? No – there is no such thing as 100% secure, because threats and the criminals behind them constantly evolve, but Windows Vista is definitely the most secure Operating System we have ever shipped.

    I am convinced that we have to work even harder to make sure we stay focused on the new challenges.

    Therefore, let's talk about priorities as this is usually the core of a 100-day-press-conference:

    Basically there are three things on my list. The first is 'earn the trust of my customers'. So is the second and so is the third. If I had more room available in this blog, you'd see the same thing all the way down it.

    In order to do this, I will focus on different areas:

    • Grow the CSA Community: It is obvious to all of us that the CSAs add a lot of value to Microsoft as well as to the security economy. Therefore we have to grow the community across the region.
    • Support inter-governmental organizations in their efforts around Critical Infrastructure Protection: The UN is developing a framework for developing countries; the EU is running different programs that support its member states; and for NATO the theme is at the core of their mission. As a lot of the critical infrastructure is built on Microsoft technology, our involvement is quite natural. At country level many of our local CSAs contribute to and support their governments in this area.
    • Law Enforcement: If you look at my recent post around the Digital Phishnet Conference in Berlin, I made it crystal clear: If we (being the industry) want to effectively fight crime on the Internet, we all have to be ready to share sensitive information and work together. This means collaboration between law enforcement, the vendors and the targeted companies. Microsoft already plays a leading role in this respect but we definitely have to work to improve collaboration even between competitors.
    • Secure Development across the Industry: Years ago, when I did my first keynote on Trustworthy Computing, I stated that Trustworthy Computing is an industry initiative. The point I was making is that we all have a collective responsibility, not Microsoft in isolation – today great progress is being made. Where do the attacks move to? Up the stack! We are productizing our Security Development Lifecycle at the moment; we published books on our processes; we deliver our tools as part of Visual Studio; we do outreach with these processes even to competitors. Looking at the recent chatter around Safari, I do not blame Apple, not by far, but basically it is nothing else than a "welcome to our world". The economics are different: attackers are strongly motivated to go after the platform with the biggest distribution. We definitely have to drive for adoption across the software industry.
    • Proactive Outreach: In a lot of countries we are already doing a lot of proactive outreach activities to raise awareness and help with concrete solutions for consumers, SMBs, kids and parents. GetSafeOnline (UK), Deutschland sicher im Netz (Germany), Sicuramente Web (Italy), Turvallisesti Netissä (Finland), different "National Security Days" (Finland, Norway, Switzerland, Netherlands, …) and a lot, lot more. This definitely has to continue.

    Besides these priorities, all the CSAs will further engage with the security community in the region and work with our customers of all sizes to help them to solve their business problems in a secure and safe way.

    So, let's jointly work to "make the Internet a safer place".

    Roger

  • 6 Month Windows Vista Vulnerability Report

    Jeff just posted the next version of his Windows Vista Vulnerability Report to his blog. He is now looking at the first six months of Windows Vista and how the vulnerabilities developed compared to Windows XP and some other Operating Systems.

    Happy reading: http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

    Roger

  • OEMs: Join in to "Secure by Default"

    I recently purchased a PC for my parents and then started to install it – well, actually I used the OEM installation to get it up and running with Windows Vista Home Premium. I was pretty surprised how easy it was to actually have a running system (I usually re-format the disk if I have to install a PC for myself). But then I had a deeper look at the installed base and was pretty surprised. There were a gazillion products installed on the PC that I never wanted.

    So I started to think about the security of this setup. If I look back at earlier versions of our Operating System, one of the key problems with them was that we enabled everything we thought a user could ever use. Remember Code Red? It actually attacked our web server and spread incredibly fast – on File Servers, Print Servers, any other server (sometimes it even hit a web server)… IIS was installed by default and the users and the administrators were not even aware of having IIS on the box – and mostly did not update it at all. We changed that heavily and went down the "Secure by Default" road.

    Taking this back to the OEM installation above, we (being the industry) just took a big step back to the old days. Why do I have to have a dictionary, train schedule, etc. installed by default? Who is taking care of these applications and makes sure that they will be properly managed and updated? Why is an AV solution forced on my PC (yes, I want one, but I want to have a choice)?

    Personally, I think OEMs have to change the way a PC is set up. When I buy a box with Windows Vista on it, I would expect a screen that shows me all the tools that I could actually get during the setup. I will then pick and choose and the machine will be installed. We could then argue about opt-in versus opt-out. I hate those installers where I have to tell them between one and three times that I really do not want to have toolbar X installed on my computer (yes, I know, we have these kinds of tools as well). I would expect the OEMs to take their responsibility and ship a secure-by-default PC. Some of them even disable security functions…

    Coming back to my story above: The first thing I had to do after the successful installation of the PC was to uninstall all the unwanted software and the update mechanisms for all the active components and printer drivers and …. At the end it still left a bad feeling, as I am not sure whether I actually really uninstalled everything and that no vulnerable component I will never use is still on the box…

    Roger
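    The "did I really remove everything?" feeling above has a practical answer: inventory the box. The script below is an added example, not code from the original post; it lists installed programs, auto-start entries, auto-start services and listening TCP ports, which is exactly the attack surface the Code Red/IIS story is about (code running and listening that nobody asked for). Run it from an elevated Windows PowerShell prompt before and after removing the bundled software and diff the two reports. The report path, section layout and the choice of netstat over newer cmdlets are my own assumptions.

```powershell
# Added example (not from the original post): inventory what an OEM image
# left on a Windows box so that clean-up can be checked, not just hoped for.
# Assumptions: elevated Windows PowerShell, report written to the profile folder.

$report = Join-Path $env:USERPROFILE ("oem-inventory-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

function Write-Section($title, $rows) {
    "==== $title ====" | Out-File -FilePath $report -Append -Encoding UTF8
    $rows | Format-Table -AutoSize | Out-String -Width 250 |
        Out-File -FilePath $report -Append -Encoding UTF8
}

# 1. Installed programs, from both the native and the 32-bit (WOW6432Node)
#    uninstall hives; Programs and Features shows the same data.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName
Write-Section 'Installed programs' $programs

# 2. Auto-start entries (Run keys and Startup folders) as WMI reports them.
$autostarts = Get-WmiObject -Class Win32_StartupCommand |
    Select-Object Name, Command, Location, User
Write-Section 'Auto-start entries' $autostarts

# 3. Services set to start automatically: the Code Red lesson, code that
#    runs (and may listen on the network) whether or not anyone wanted it.
$autoServices = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, State, PathName |
    Sort-Object Name
Write-Section 'Auto-start services' $autoServices

# 4. Listening TCP sockets mapped to the owning process. netstat is used
#    because Get-NetTCPConnection does not exist on Vista-era Windows.
$listeners = netstat -ano -p TCP | Select-String 'LISTENING' | ForEach-Object {
    $fields = ($_.Line -split '\s+') | Where-Object { $_ }   # drop empty tokens
    $owner  = [int]$fields[4]
    $proc   = Get-Process -Id $owner -ErrorAction SilentlyContinue
    $name   = '(unknown)'
    $path   = ''
    if ($proc) {
        $name = $proc.ProcessName
        if ($proc.Path) { $path = $proc.Path }
    }
    New-Object PSObject -Property @{
        LocalAddress = $fields[1]
        OwningPid    = $owner
        Process      = $name
        Path         = $path
    }
}
Write-Section 'Listening TCP ports' $listeners

Write-Host "Report written to $report"
```

    Run it once on the freshly unboxed machine and once after clean-up, then compare the two files with `Compare-Object (Get-Content before.txt) (Get-Content after.txt)`: anything that survives in sections 3 and 4 is code that will still be reachable, and still needs patching, whether or not you ever use it.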

  • Security Standards Portal

    ITU just launched a pretty interesting portal: If you are ever looking for a standard in the security space (not only ITU standards), go and see this portal:

    ICT Security Standards Roadmap

    Roger