When I tweeted last week that I am on my way to Algeria, I got quite some reactions and questions that I shall report how it was. So, let me try to briefly summarize my impressions.

I was invited to speak at a conference on certification in Algiers. Well, initially I pushed back as I did not understand how you can have a good conference during two days on certifications like Common Criteria etc – and it is not my core competence anyway. After discussions with our Country Manager, I realized that we were talking about certificates and eID – which made me change my mind.

The government of Algeria decided to invest in eID technology to help them to move one step towards a digital economy. So, there is definitely a lot of great intention, motivation and energy behind this idea and behind this project. To help them to learn from the breadth of industry experts and from other countries, the government decided, together with ITU, to invite for this conference. The importance of the initiative can be seen by the presence of the senior government elites as well: Out of 35 ministers Algeria three were present to open the conference – this showed commitment. And all of them stressed the importance of such an initiative.

Looking at the different presentations I have seen (I was not present during the whole conference, so this might not completely reflect everything), there were two main streams: Speakers (mainly vendors and consultants) explaining the technology and how good it is and that you are then able to link an identity “securely” to a person. Others (and all the Microsoft speakers were in this category) laid out that it is at least as important to understand what you are going to do with the eID to make it successful. So, the applications which consume the identity are very important to make an eID-project successful – this is pretty obvious but often forgotten in these projects. We have seen very good examples from developed countries being successful as the government as a whole moved to eGovernment and – in certain areas– only to eGovernment. This is probably the most common denominator amongst the speakers who did not “just push technology”.

So, there was this warning but then there were presentations as well, like the one from Kim Cameron (one of our identity gurus) actually showing how you can make this happen.

Overall, this was a very good conference. To close here, I would like to give you an anecdote which happened to me: After my presentation I left the podium and then one of the organizers from the government approached me and said “you scared us”. Well I immediately mapped that to my statements on the threat landscape. So, I answered like “well, this was not my intention but I thought that the threats are important to understand as well”. She looked at me and then said “no, I did not mean the threats but you raised so many valid questions we do not have an answer to yet. This scared us”.

Looking at this, it means to me that I probably accomplished my goal. Not to scare the Algerian government but to make them ask the right questions and start to look for an answer to them. To help there – I am looking forward to going back to Algeria (hoping that the Visa process and immigration is faster next time ;-) )

Roger

Oh, wow – sometimes the power of social media, the blogs and the Internet can backfire. I guess in the meantime you have seen the claims by Prevx that approx. 80 Mio of PCs are affected by the Black Screen of Death problems supposedly caused by our November Security Updates. This caused (and still causes) a huge wave of reports about that and one could feel that there is a really big problem out there. On one of the blogs you see a collection of the articles about that: Latest Microsoft patches cause black screen of death, Microsoft looking into Windows 'black screen of death' problem.

Now, there are different worries for me: One is that the post by Prevx as well as the title of the above mentioned blog post state it as a fact that our Security Updates caused that. Additionally Prevx makes a statement about the supposed size of the problem – this statement is approximately as good a guess as you could do by taking any random number between 1 and 480’000’000 (the approx. hitrate on Microsoft Update). And finally – and this is the biggest concern to me – customers are now holding back the deployment of our Security Update because of this.

So, let’s get it straight: We have been looking into this problem (obviously). You can find the official statement quoted in the SeattlePI:

• Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers.
• Based on our investigation so far we can say that we're not seeing this as an issue from our support organization.
• The issues as described also do not match any known issues that have been documented in the security bulletins or KB articles.
• As always, we encourage customers to review the security bulletin and related KB articles and test and deploy security updates.
• If customers do encounter an issue with security updates, we encourage them to contact our Customer Service and Support group for no-charge assistance. Customers can contact CSS using the information at http://support.microsoft.com/security.

If we add some additional meat to this: Up to now, we have no evidence at all to validate the concerns. Currently we do not have any support volumes to either support the claims or validate the presence of a growing concern. Additionally, our investigation has shown no evidence at all that our security updates nor the Malicious Software Removal Tool nor the non-security updates make the changes as claimed by the Previx reports.

Looking at that, you should now make your risk assessment and decide which source you want to trust. For me, the ultimate source for information you should build your assessment on is neither Twitter nor your brother’s sister in law’s father's brother (unless he works for Microsoft’s security) but our website.

UPDATED WITH MSRC BLOG POST: http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx 

Roger

Last week there was quite some discussion about “successful attacks” on Bitlocker. Those discussions are often quite interesting for me as they show sometimes that people are looking for one technical solution for all the problems.

Bitlocker has a clear threat model it wants to protect you from. This is mainly the loss of your computer. If it is running and the attacker is admin – well Bitlocker cannot protect you. To quote a blog post of our Windows Security Team: Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off).

So, if you want to read the whole post, it is definitely worth it: Windows BitLocker Claims

Roger

You know, there are people who blog late, there are people who blog very late and then there is me…

I actually missed that one even though I was triggered: Mid November there was the Get Safe Online Week 2009 in the UK. Usually they do really good stuff and this is the reason I usually blog on it.

As I said, this time I missed it. However, there is an awful lot of good content on their website, especially about Money Mules. I think that it is worth spending some time and looking at the video on Money Mules and their webpage on the same subject or directly:

Roger

Today we were adding 17 additional markets to our Microsoft Security Essentials offering. I am really excited about that as all these markets are in EMEA: Algeria, Bahrain, Egypt, India, Jordan, Kuwait, Lebanon, Morocco, Oman, Pakistan, Qatar, Romania, Russia, Saudi Arabia, South Africa, Tunisia, and the United Arab Emirates. Additionally we added Russian an Romanian as languages. This is really exciting stuff – and the tool is a anti-malware solution for free!

If you want to see all the countries we make it available, look here: http://www.bing.com/maps/explore/#/f5n3nlg6vryj0282

As you know, this is a professional, free anti-malware solution and I guess that requirement that you need a genuine copy of Windows is not a limitation for you as you do not run a pirated copy anyway – right?

Get it and download it and run it – it got great feedback!

Roger