• YOUR FEEDBACK REQUESTED

    I have been in the position of Chief Security Advisor for Europe, the Middle East and Africa since February 1st. Since then I have been blogging here (before that I ran the Swiss Security Blog together with Urs). The hits per post rose over the first 6-7 months but have now started to slowly drop. However, looking at the ranking of all the TechNet blogs, this one is slowly on the rise. Now, I think it is time to ask you:

    • Are you "just" looking at the RSS feed or do you actually read the posts? (I have the figures for direct browser hits, but that does not yet mean that you really read them.)
    • Are the themes I am covering the ones you are interested in or would you expect something different? If yes, what?
    • Is it worth the time you invest to read the posts?
    • Are there not enough or too many posts?
    • What else?

    I am open to any kind of feedback. Please avoid being "politically correct"; you may be open and candid. You can give me the feedback directly (roger.halbheer@microsoft.com) or as comments, which I would prefer, as the others could read your feedback as well.

    One piece of feedback to you: you started to comment in the last few months, and I really love that. Keep doing that, even if you disagree; this is what this blog is here for.

    Roger

  • IE and Firefox vulnerabilities

    I am still convinced that there is limited value in comparing vulnerabilities between different products. However, there are a few products which seem extremely emotional: the operating system, Office, and the browser.

    We already discussed the operating system part pretty emotionally (I actually liked that). Office came into the spotlight in the last few days as one source claimed a significant rise in vulnerabilities from 2006 to 2007; I would like to understand the source of this data and the methodology, as the number of bulletins remained at least flat. It is always easy to claim something, and there are even journalists that take this up without any further investigation, which is bad enough…

    Now, the browser. This is always a very emotional discussion, as the browser is the window to the Internet and the world. Jeff Jones, a Microsoft employee, does regular analysis of vulnerability figures. As I stated in a previous blog post, I think it is important to understand internally the progress as well as the current state of the situation. He has now published his next piece of research, on Firefox and IE. Read for yourself: Internet Explorer and Firefox Vulnerability Analysis Report

    Roger

  • Hackers using Playstations to crack Passwords

    A reader of my blog actually pointed me to this (thank you, Shoaib) and asked me for a comment. Here is the article: PlayStation a hacker's dream. It is really an interesting thing: gaming consoles today have quite some computing power, so why should the bad guys not use them to do some brute forcing? There is an interesting quote in the article: "Breese's presentation comes just weeks after Russian company Elcomsoft claimed to have accelerated password cracking by a factor of 25 by using the processors found on PC graphics cards."

    I never thought about that until today, but it is pretty natural to use this processing power and leverage it. It could get even worse: what would happen if the criminals could compromise the online gaming part of the console and do some remote code execution? They could do some interesting grid computing (during the time your console is idle) and distribute the calculation and brute force attack across different consoles – an interesting approach ;-)

    Roger

  • Security Threats in 2008

    Well, the year is slowly coming to an end – 10% to go :-). This is the time when everybody looks back and – additionally – tries to look into the crystal ball to understand what 2008 could be like.

    Interestingly enough, I had just discussed the trends for 2008 this morning with a friend of mine, and this afternoon a blog post by Symantec hit me with the title A Look Ahead to Security Trends in 2008, which is an interesting read (pretty short, which is good).

    I do not want to comment on it (yet), as we are working on that as well at the moment, but it seems that we are more or less on the same line. The only thing I am missing is that I think that social networks (like Xing, Facebook, LinkedIn, …) have a high potential to be abused as a source of information for social engineering attacks.

    What all of them have in common is that we will see the criminals misuse the Internet to illegally (or immorally) make money.

    Roger

  • Teach a Man to Fish

    I just read a pretty good article that goes definitely in the direction I am trying to work in with the different communities we are in touch with. Even though technology is a key part of any security solution, the user is key, and explaining the "why" to the user is even more important.

    Read for yourself: Teach a Man to Fish

    Roger