greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
 Saturday, April 26, 2008
I'm pulling my hair out (what I have left, anyhow) trying to find a good home/home office wireless router that includes all the features I need. Granted, I'm a bit of a power user, but I'm honestly a bit surprised I can't find what I want out there somewhere. You'd think someone would build it. My list of features and performance requirements includes:
- Gigabit WAN and LAN ports - and needs to have four LAN ports
- VPN capability that I can use cross-platform - an SSL VPN might be the best option, but whatever works well and lets me connect with Windows, Mac, etc. is what really matters to me
- Working, reliable and effective QOS - routers I have used in the past have either been terrible or mediocre at properly shaping and allocating traffic for VoIP and other services
- Reliable and full-featured administrative capabilities in firmware
- Quiet, reliable hardware
- IPv6 support
- Wireless-N
Until recently, I have been using a D-Link DIR-625 router, which has been stable and reliable. But it's a 100-megabit device and the QOS is marginal for VoIP traffic in my experience. Plus the firmware has not been updated recently and there is no VPN capability. It's rock-solid at what it does, though. I've only had to reset it a couple times since I have had it.
I've looked at the D-Link DIR-655 router, which is their currently-touted gigabit version of the 625 model. It's still on my list of possible solutions, but with no VPN it doesn't meet all my needs, and D-Link doesn't seem to have one that includes all the features.
Yesterday I picked up a VPN router with gigabit and QOS made by Linksys, the WRVS4400N. It's not cheap and honestly I'm not sure why I allowed myself to buy a Linksys product after all the headaches I have had with them before. The net result of the past 12 hours of use is that I'm going to return it today. Between the slow reboots required with every other change I make and the lack of capabilities in the software (and some stuff that just doesn't work), it's already frustrating me. D-Link has seriously spoiled me in the Admin interface/firmware capabilities department, even without releasing any updates. Add to that the high-pitched whine the Linksys router makes and the heat it generates when plugged in and there's just no way. The whine is pretty awful, and gives me a serious headache within minutes if I am near it. Back to the store it goes.
So, I am left without a solution that meets all my needs. I may just have to pick up the D-Link DIR-655 and live without VPN and then find a separate VPN solution, but I don't want to if I don't have to. Any ideas anyone? Is there an option out there that will meet my needs and expectations?
 Friday, April 18, 2008
IPv6 has been around for something on the order of 15 years, yet it has yet to see widespread adoption. It was recently enabled on Internet core DNS infrastructure, and has been adopted in some networks, like those operated by certain mobile carriers. The current IP addressing and allocation scheme, dubbed IPv4, will eventually run out of IP addresses. There's been a sort of boy-who-cried-wolf debate over whether we're really going to allocate the entire IPv4 address space anytime soon or not. But eventually we'll run out - some say in 2010. Sean Siler, Program Manager responsible for IPv6, joined Richard Campbell and me for a RunAs Radio show. Sean really knows his stuff and did a terrific job of describing IPv6, comparing it to IPv4, and covering other useful information. IPv6 enables a lot more than just additional addresses, though. Sean discusses what's the same, what's different and what's new (hint: IPsec and multicasting everywhere). He also offers a great analogy to describe the enormous size of the IPv6 address space. It's mind-boggling, really. If you don't understand or know much about IPv6, this interview is a great place to start learning, and you truly need to be doing so if you do network design or other work in your job. The change is significant, but not impossible - so go listen to the show and get learning! Other resources:
 Sunday, April 06, 2008
Mark Russinovich, a Microsoft Technical Fellow, presented a very good session at the TechEd IT Forum last year on the topic of advanced eradication of malware on Windows machines. It's a great session and has some useful advanced techniques for removal. It is also a very good resource for those who want to better understand how malware infects and what some of the risks are. Lots of practical information and how-to's in this one. Fortunately, the session was recorded and is available online for anyone who wants to see it. If viruses and malware are a part of your job or if this type of security topic is of interest to you, it's an hour and twelve minutes well-spent. I went looking for this session online hoping to find the PowerPoint and found the whole session with video and demo and everything - terrific stuff. (Updated 4/7 - link to video fixed)
 Friday, March 21, 2008
Got iTunes, or anything else Apple on your Windows computer? If so, when the Apple software checks for updates, you'll probably see an option (which is enabled by default) to install Safari - even if you don't already have it installed on your computer. Safari is Apple's default web browser (and actually not a bad one at that). But since people are used to seeing - well - updates when the software checks for updates, you might not realize you're installing new software. Just making sure you're paying attention here, is all. Sure enough, when I check for updates on my Windows machine, where Safari has never been installed, I'm presented with the option to install it... As Tom Krazit tells us... Just un-check the box if you don't want to install Safari. Simple as that. "It seems that at some point people became conditioned to downloading anything that shows up from an official source, like Microsoft, Apple, AOL, Yahoo, or whoever. Remember, it's your PC; spend your installation capital wisely." (link) It's always important to pay attention to what you're clicking on. Fact is, Apple's probably counting on the fact that a significant number of people will just click without thinking - and that's indicative of a whole slew of problems, with users, companies, you name it. For my part, I made the educated decision to install it. I actually kind of like Safari on the Mac, so I'm interested in trying it on Windows.
 Thursday, March 06, 2008
Microsoft and Apple have announced that they are working together to make Exchange Server and the iPhone mobile phone work well together. Apple will license Exchange ActiveSync for use on the iPhone, which will in turn help ensure that Exchange Server's dominance in the marketplace stays the way it is. It's really as simple as that. The fact is that Exchange is a pretty terrific server product for email, calendaring and a lot more. The iPhone is a pretty terrific mobile device. They don't integrate too terribly well today: You can sync your calendar and contacts via the USB connection to your computer, and you can get IMAP email from a properly-configured Exchange server (which works, but is not exactly optimal). But it's far from simple, far from seamless, and far from supportable in the enterprise. One has to wonder what this means, either directly or indirectly, for the Windows Mobile world. I know the arguments: Different markets, different platforms, different purposes, etc. etc. etc... but with the iPhone SDK availability, that gap will be much narrower. And the fact of the matter is, Apple has the usability nailed with the iPhone. Sure, there are a few enhancements needed. But those are ones that can (and I'm certain will) be done. ActiveSync will provide the ability (assuming Apple leverages all the features) to do push email, calendar and contact sync over the air, and task list sync. Perhaps one of the more important potential benefits from ActiveSync integration with the iPhone is the ability to get enterprise-class security on the device, which to date is lacking and doesn't meet the needs or standards of most commercial IT departments. Exchange 2007 clients can be set up for enforced enterprise IT "policies" or controls, which would go a long way toward satisfying the security needs. In my mind, that's the biggest potential win. Without that, pushing email and syncing calendars and contacts is too risky an activity.
From Apple's press release come details of what they intend to provide - and it looks like Cisco VPNs are in the package, as well: Apple has licensed Exchange ActiveSync from Microsoft and is building it right into the iPhone, so that iPhone will connect out-of-the-box to Microsoft Exchange Servers 2003 and 2007 for secure over-the-air push email, contacts, calendars and global address lists. Built-in Exchange ActiveSync support also enables security features such as remote wipe, password policies and auto-discovery. The iPhone 2.0 software supports Cisco IPsec VPN to ensure the highest level of IP-based encryption available for transmission of sensitive corporate data, as well as the ability to authenticate using digital certificates or password-based, multi-factor authentication. The addition of WPA2 Enterprise with 802.1x authentication enables enterprise customers to deploy iPhone and iPod touch with the latest standards for protection of Wi-Fi networks. The iPhone 2.0 software provides a configuration utility that allows IT administrators to easily and quickly set up many iPhones, including password policies, VPN setting, installing certificates, email server settings and more. Once the configuration is defined it can be easily and securely delivered via web link or email to the user. To install, all the user has to do is authenticate with a user ID or password, download the configuration and tap install. Once installed, the user will have access to all their corporate IT services. Good move Apple. Good move Microsoft. Looking forward to this one!
 Thursday, February 21, 2008
Looks like Vista SP1 for the 64-bit version of the OS is now available publicly on Windows Update. No sign of the 32-bit version yet, but I'm glad to get it for this particular computer. Knowledge Base article KB936330 is available, as is the release-notes publication at TechNet.
 Thursday, February 14, 2008
IBM Internet Security Systems' X-Force has released its annual report outlining the malicious software threat and trending landscape. In a nutshell, things are getting more complicated (landscape-wise) and the impact is becoming more technically complex. Read the report and you can directly glean as well as infer certain facts. As malware becomes harder and harder to catch in real-time using currently-available technology (a trend that has become quite clear over the past year or more) and as the intent of the malicious software becomes more and more geared toward complete remote system control and access, the potential situation looks - I'll just say it - pretty darned bleak. It's important to stay up-to-date if you're an IT or Security professional (or hard-core geek). Here are your links: Quiz in the morning. :)
 Wednesday, February 13, 2008
It's not like we didn't already know the malware (short for "malicious software") infection rate is increasing, but Google's security folks posted a technical paper and blog entry on Monday that illustrates the prevalence of "drive-by" malware distribution and just how big the problem has become. Excerpt: “During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware” … “In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing.” Add to that the fact that a significant and growing amount of newer malware recompiles itself into new forms each time it redistributes, making it virtually undetectable by current means, and the situation potentially becomes even scarier. The technical paper is a very interesting read and explains some of the distribution techniques and designs. It also points out one piece of browser technology that has resurfaced to plague the security world many, many times: the iFrame. The problem is most deeply rooted in China, where 67% of all malware distribution servers are located, and 64.4% of all landing sites (sites that point to a distribution site) are located. The next closest offending country is the United States, which accounts for about 15% of the distribution and landing sites. So, one can easily see where a significant portion of the problem lies. With the increases in business and trade taking place in China now, one has to worry about the future if computer systems are in such bad shape. Clearly, something needs to change. 
If you're a security person, an IT server admin, work with web applications, develop web apps, or are for any reason interested in scary figures (such as the fact that "38.1% of the Apache servers and 39.9% of servers with PHP scripting support reported a version with security vulnerabilities."), read the report. It's worth the time you'll spend.
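As an added illustration of the iframe point above, written for this page rather than taken from the Google paper or from this blog, here is a small Python audit that a site owner can run over a page's HTML to surface the kind of frame a drive-by "landing site" carries: an iframe whose src is on another host, one sized to zero, or one hidden by inline CSS. Only the standard library is used; the sample page and the `.invalid` host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_zero(value):
    """True for width/height attribute values that collapse the frame to nothing."""
    return value is not None and value.strip().lower() in ("0", "0px")


class IframeAuditor(HTMLParser):
    """Collects <iframe> tags that are off-site, zero-sized, or hidden by CSS.

    Each finding is a (src, reasons) tuple; reasons is a list of strings.
    """

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)          # html.parser hands us (name, value) pairs
        src = attrs.get("src") or ""
        reasons = []

        # A src on a different host than the page is the first thing to look at.
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append("off-site src")

        # Zero-size frames are invisible to the user but still load their content.
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size")

        # Inline CSS that hides the frame entirely.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")

        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, page_host):
    """Return suspicious iframes found in html, assuming the page lives on page_host."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one legitimate same-site frame, two that should be flagged.
SAMPLE_PAGE = """<html><body>
<h1>Example landing page</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://third-party.invalid/load.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other.invalid/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Run on a saved copy of a page, this reports the two injected frames and stays quiet about the legitimate embedded video. Off-site frames are not wrong in themselves (ad networks and embedded players use them), so the point of the checks is to give a reviewer a short list of frames worth comparing against what the site is supposed to contain.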
 Tuesday, February 12, 2008
I somehow missed the release, but a little while back Microsoft released Windows Live OneCare v2.0, and in that release added support for 64-Bit Windows Vista. A few months ago (before OneCare v2) I had just bought a new laptop that came with the 64-bit Vista Ultimate edition pre-installed, and when I went to install the then-released version of OneCare, I was pretty disappointed that it would not work. When I was in Costco the other day, I noticed a OneCare package on the shelf and picked it up to glance at the system requirements. Lo and behold, the packaging had changed and now indicated that 64-bit Vista was supported! When did they slip that in? I didn't see mention of it on the OneCare blog or anywhere else. But hey, all I knew was it looked like I would be able to use it now, so I was looking forward to giving it a try. Today I uninstalled my frustratingly cruddy other (to remain nameless) antivirus software and installed the OneCare suite. For about $40 a year I can protect three PCs and centrally manage two of them from the computer I designate as the "hub" machine. Nice. OneCare v2 includes:
- Antivirus & Antispyware protection
- Online ID protection
- Bi-Directional Firewall
- Multi-PC management
- Printer sharing
- Data backup and restore capabilities
- Maintenance and cleanup tasks (defrag, clean up useless stuff, etc.)
It's an easy and quick install, and a good way to make sure you're protected. You can watch a product demo and download the free 90-day trial here.
On my Windows Vista Ultimate 64-bit laptop, one of today's many Microsoft patches keeps prompting to be installed over and over, even after it indicates it is successfully installed. The patch in question is related to Microsoft Knowledge Base article KB937287, and is a prerequisite to Vista SP1, which is set to be made available next month. Update 937287 is a prerequisite package that contains updates to the Windows Vista installation software. The installation software is the component that handles the installation and the removal of software updates, language packs, optional Windows features, and service packs. Update 937287 is necessary to successfully install and to remove Windows Vista SP1 on all versions of Windows Vista. This update will be available on the Windows Update Web site soon after the release of update 935509 and before the release of Windows Vista SP1. I ran the installation for all of today's patches which applied to my computer (twelve of them in total) and this one kept hanging around. Each time I restarted the computer, Windows Update again prompted me to start the installation. Confusing and frustrating after the fourth or fifth time, to be sure (reminds me of a joke about the definition of "insanity" heh). I was able to resolve this problem by downloading the individual 64-bit patch from the Microsoft Downloads site and installing it manually. Note that the linked download location is for 64-bit Vista OS users only. Once I did that, the prompts stopped and it shows up in the installation list as successfully installed on the machine. In fact, the list now shows all of the installation attempts as successful, with a separate line for each try. Only the first try now shows "failed." Strange. It's interesting that the KB article points out that this update will be required in order to install Vista SP1 via Windows Update when it is released, but not if you chose to download and install the service pack manually (as it will contain the fix).
Extra interesting is that for this update I was unable to install it via Windows Update, but was successful with the manual install. At any rate, there has been a flurry of posts on a variety of forums and other sites today where people were having this problem. Some people were recommending grabbing a leaked version of SP1 Refresh 2 via non-MS sites (read: not a good idea) and installing that, but for those who wish to wait and make sure they get what MS releases when they release it, this option is probably better for you. If it works, drop a comment. Actually, be sure to comment if it doesn't work for you, too. :)
Updating from IE6 to IE7 is a good thing to do, but IT pros need to plan for these things in some cases for compatibility and other reasons, so awareness is important. If you're an IT shop using Windows Software Update Services (WSUS), be aware that today marks the date that Microsoft planned to start automatically delivering Internet Explorer 7 to desktop machines as an automatic update on WSUS systems. Computers on WSUS-managed networks that have IE6 installed will be updated, either automatically or upon administrative approval, depending on your configuration. So, if you don't want your IE software updated today, it's important to check that your WSUS system is set up to require administrative approval before updates are pushed to the machines on your network (this is the default setting, but I've seen it changed in many cases for "convenience"). From the Microsoft Knowledge Base article (KB946202): If you have configured WSUS to "auto-approve" Update Rollup packages (this is not the default configuration), Windows Internet Explorer 7 will be automatically approved for installation after February 12, 2008 and consequently, you may want to take the actions below to manage how and when this update is installed. You will need to take action if:
- You use WSUS to manage updates in your organization.
- You have Windows XP Service Pack 2 (SP2)-based computers or Windows Server 2003 Service Pack 1 (SP1)-based computers that have Internet Explorer 6 installed.
- You do not want to upgrade Internet Explorer 6 machines to Windows Internet Explorer 7 at this time.
- You have configured WSUS to auto-approve Update Rollups for installation.
Important notes
- This does not apply to Windows Vista because Windows Internet Explorer 7 is a component of Windows Vista.
- The Internet Explorer Blocker Toolkit blocks only installation that occurs by using Windows Update and Automatic Update. The toolkit does not block distribution that occurs by using WSUS. This article concerns distribution that occurs by using WSUS. Internet Explorer 7 is already available in 23 languages by using Windows Update and Automatic Update. On February 12, 2008, Internet Explorer 7 will also be made available in Japanese by using Windows Update and Automatic Update.
The KB article also includes instructions describing how to configure the WSUS server, if needed. (reminded via Mary Jo Foley - All About Microsoft)
 Monday, February 11, 2008
Got a Blackberry? Ever worried what you'd do if you lost it? Ever actually had to replace a lost one before? Lost or stolen, it's good to be able to find your handheld, especially if it has important data on it. A couple years ago I was in Minnesota on a trip and went to play FrisbeeTM Golf with a friend. The course went through the woods and across a couple fields. When we got done, I realized my Blackberry phone was missing. Not good. We used my friend's cell phone and started calling it. I got lucky that day. It was (thankfully) not on vibrate mode, and we eventually found it deep in the woods (where I had been forced to bushwhack in order to get to my flying disc). The battery was near dead. Now it appears there's a better way. Berry Locator is a software program that will cause your Blackberry device to scream and flash - even when set on silent mode. When you lose your device (or if you can't find it in the house clutter) you just send it a specially-formed email and it wakes up and does its thing, letting you find it. Even better, if your BB has GPS capabilities, you send an email and it will reply via email with a map showing you the coordinate where the device is located. Plus, you can type text in the body of your email that will be displayed on the screen when it's activated, in case someone else finds (or otherwise has possession of) your Blackberry. Combine that feature with a password, data encryption and the ability to nuke the device in a worst-case scenario (on a corporate BES system), and you're pretty good to go. Cool capability, but it only works if you install it ahead of time. There's a free trial version, and when you decide to buy it, it's only five bucks.
 Wednesday, January 30, 2008
Today came an announcement that represents a pretty big step in the identity space. Yahoo! announced they have rolled out beta support for OpenID v2.0 and that Yahoo! is now a provider of OpenIDs. In fact, anyone who has a Yahoo! account can quickly generate a Yahoo! or Flickr-branded OpenID to sign onto any web site that supports OpenID v2.0 for authentication. That's 248 million accounts at Yahoo! that can now potentially be leveraged across the Internet for sign-on. OpenID is an important standard that came out of the open-source community, which will likely change the way we provide identifying information and gain access to secured web sites on the Internet. It allows its users to have a single identity that can be used across different sites on the Internet. It also allows users to have the proper level of control over how they identify themselves and who they want to trust with that process. One significant key to success for OpenID as a standard is adoption by a set of trusted identity "providers" - or OpenID-issuing organizations that people are comfortable with when it comes to asserting their identity information. With Yahoo! a large number of regular, everyday people can use their existing accounts to perform OpenID logins on any site supporting the standard. In the future, the hope is that other consumer-trusted providers will see the value of brand recognition that goes along with being the OpenID provider for consumers. Yahoo has me as an OpenID client now, which means every time I log onto an OpenID-enabled site and use that ID, I am by default thinking on some level about Yahoo! -- Pretty smart. It's time for banks, other financial service providers, and similar industries to seriously start thinking this one through. It's coming, and now is the time to be on the bandwagon. Where can you use your OpenID to log in? Lots of places. There's a list of web sites over at myopenid.com, a service provided by Portland company JanRain. 
The people at JanRain have created some great software and services around the OpenID standard that businesses can use to leverage OpenID, and that enable social networks around the standard. It's pretty cool stuff. Here's some basic information about OpenID from the Yahoo! OpenID provider site: What is OpenID? In a nutshell, the OpenID technology makes life simpler by having only one username and password to remember. Once you have enabled your Yahoo! account for OpenID access, you only need to remember your Yahoo! ID and password to use hundreds of websites... So bid farewell to password spreadsheets and stickies all over your desk! When you are on a web site that supports OpenID login, simply look for a Yahoo! login button. Or if you see a text box with an OpenID icon, simply type in "yahoo.com". You will be sent to Yahoo! to verify your Yahoo! ID and password, and then you will be able to continue on. You can find out even more at openid.net (the OpenID Foundation), and it's worth pointing out that you can also get an OpenID from a slew of other organizations - after all, it's all about making it your choice. The OpenID foundation keeps a list of providers on its wiki and at this link.
 Tuesday, November 06, 2007
People just don't think, research or plug in their brains a lot of the time before speaking, er, typing. Such was the case the other day over at Kim Cameron's Identity Weblog, which was defaced recently via a vulnerability in the blog application software used to drive the site. Kim is a Microsoft employee and is their Identity Architect. So, he's in a public-facing security role at the company. As Kim points out, people came out of the woodwork in the comments on a very brief ZDNet article to slam Microsoft, its applications, the fact that the site was hacked, etc. What they did not realize, even after it was pointed out to them a few times by others, is that the site runs on a BAMP architecture (similar to LAMP, but in this case it's BSD Unix, Apache, MySQL and PHP). Kim's site runs 100% on non-Microsoft products. The vitriolic commenters on the ZDNet site slammed Microsoft technologies where none exist, and extolled the virtues of using - for example - Linux, Apache, MySQL and PHP -- the very platform that they did not take the time to discover (or even ask) had just been victimized. You know what they say about assuming things? Yeah. Security threats are real and exist on all platforms equally, not just IIS and Windows, not just in Windows applications. Bad programmers are bad programmers, and even when well-programmed, new threats arise all the time and need to be remediated once known. There's nothing about that fact that's Microsoft-specific, and to assume such is irresponsible. I like and respect Kim, and the work he has done is excellent. His evangelism of the need for better forms of identification, authentication and credentialing has been invaluable, and his emphasis on the broad-spectrum community, not just Microsoft, is the right way to address the issues that cross all platforms and application types. I have seen this non-thinking, just-fire-off-at-the-mouth, *nix-fixes-everything mentality backfire on people before, to great cost.
Any system administrator who thinks running anything other than Windows solves their security problems or obviates the need to test, patch, review and maintain has his or her head stuck so far in the sand we have to strain to see their backside. Thinking and reasoning is what makes people special and unique. Take the time to know the facts, understand the circumstances, and reason based in reality. Facts: Problems exist everywhere - Windows, Linux, OSX, PHP, ASP.NET, you name it. More often than being caused by an underlying platform issue, most security vulnerabilities and exploits are the result of programming errors, a lack of defensive programming style, and poor test coverage. I've managed enough software development with a specific focus on security of the applications to know you can create a completely locked down platform on any of the options available, whether Linux or Windows or other. But if you don't have a solid application, you're screwed. It's a lot like buying a great alarm system with laser detectors in the ceiling, trip wires on the roof, foot-thick ceilings of concrete to prevent break-through, glass break sensors on explosive- and projectile-proof glass ... and leaving the front door standing open. Kudos to Kim for keeping his cool personality in the face of all this and, as always, providing a measured and reasoned response. As he says, "There's a lot of ideology to get past in teaching people about security." So true.
 Tuesday, October 16, 2007
Adam Shostack of Microsoft takes a critical look at threat modeling and changes to TM processes in a short series of posts on the MSDN Security Development Lifecycle (SDL) blog. It's a good read, especially when aligned with Larry Osterman's recent writings (which I mentioned recently) and those of others. If you're not a reader of the SDL blog and you're a security person or developer, I recommend it highly, by the way. "In this first post of a series on threat modeling, I’m going to talk a lot about problems we had in the past. In the next posts, I’ll talk about what the process looks like today, and why we’ve made the changes we’ve made. I want to be really clear that I’m not critiquing the people who have been threat modeling, or their work. A lot of people have put a tremendous amount of work in, and gotten some good results. There are all sorts of issues that our customers will never experience because of that work. I am critiquing the processes, saying we can do better, in places we are doing better, and I intend to ensure we continue to do better." Here's quick links to the blog articles by Adam. Those interested in secure development need to know and use a threat modeling process, and a critical view of said processes is important, so it's good to see this healthy example: (also via Michael Howard's blog, which is a must-read security resource, too)
 Tuesday, October 02, 2007
I've worked in the financial services software industry for years. For the last couple years I ran the security division of a major online-banking software and services provider. Security is paramount in that market. The responsibility that goes along with the role is huge, but it's a responsibility that's shared by everyone involved. Taking security seriously can't be something that happens after the work is done, and it can't just happen at some milestone point in a project. It needs to be an ingrained principle, part of the way things are done from beginning to end. Threat modeling, loosely-described, is a design process by which you examine your software application design through the eyes of the bad guys, in order to determine what your design needs to take into consideration and how it should be built to protect against malicious threats. From the design phase you take your documented threat model into development and use it as a living document throughout the development lifecycle. Or at least that's how we did it. Larry Osterman, who's worked at Microsoft pretty much forever, is a pro when it comes to threat modeling and secure coding. I haven't ever met Larry, but I've read his thoughts on the topic and they're solid. He's written before a couple times about this, and more recently (over the past month) he wrote and posted a series of excellent articles on his blog about threat modeling at Microsoft in the Windows division. If you're into this sort of thing, as I am, it's also very interesting to look back at his articles from the earlier years and to compare how they do things today. They've matured quite a bit. I'll leave the narrative and examples to Larry, but let me add this by way of punctuation: Threat modeling takes some time and effort, but understand that security is a critical component of quality. Reputations (and therefore businesses) depend on it. 
It takes a very intentional process to properly understand the landscape and to look at all the threats and vectors of attack. It's not easy for people to shift gears. Most developers spend all their time thinking in terms of getting software to function according to customer requirements. Just as important is making sure it won't do what the bad guys want it to do. So, if you're ready to argue that you don't have time to do threat modeling, I have a solid argument (several of them really, which are backed up by real-world proof) that you can't afford not to. Threat modeling is risk management for the software industry. And then there's the very-real side benefit of threat modeling. When your designers and developers sit down before building the product and really start to think about all aspects of quality in a formal, documented manner, you don't just get security improvements. They'll be seeing and thinking about general product improvements that you just won't get otherwise. I can't tell you how many times someone has come to me during a threat modeling process with a look of glee in their eyes, excited to tell me "hey this threat modeling stuff is pretty cool, and we even came up with some other stuff that isn't strictly security-related but will make it a much better product. I'm glad we did this." The rule of the game is strategic thought, proper defense, quality first, and better software done faster that costs less. And it can happen if you let it. If you're a software developer, tester or product manager and you don't know what threat modeling is and how it works, you're missing out on something that really should be required in this day and age. So here is what you should do:
- Read Larry's articles, they're quite good.
- Buy three books (you'll notice Michael Howard is an author on them all):
- Be a leader and implement what you learn.
 Monday, August 27, 2007
This one should be interesting to watch. There's a new blog at Microsoft's MSDN blogs system called hackers @ microsoft (http://blogs.msdn.com/hackers/), and the first (introductory) post is up. I hope to see some interesting security and general information here. Might be a good source of some useful insight. There are many things Microsoft is doing right these days, security-wise. More on that in another post some other time. From the opening post on hackers @ microsoft: "Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work on all kinds of projects, whether it be in development, research, testing, management and of course security ... So yes, Microsoft does have hackers, and it's time to introduce you to some of them and show you what it is, exactly, that they do." Cool. Subscribed. (via betanews.com)
 Tuesday, August 14, 2007
I just ran across Microsoft.com's strong password checker, which is a little web-based app that lets you type a password or passphrase in and it tells you the relative strength. It's pretty nice and worth bookmarking. Why are strong passwords important? Simple - because the simpler a password is, the easier it is for someone to "brute-force" attack it. That's a term that means they take a program that uses common terms, words and phrases to try to figure out your password by trying guesses over and over until one works. Strong passwords are complex in the variety of character types, are longer in size and don't use dictionary or other predictable, common terms. Links:
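To make the three strength factors in that paragraph concrete (variety of character types, length, and avoidance of common terms), here is an added Python estimator. It is example code written for this page, not the logic behind Microsoft's checker and not this blog's code; the word list, the bit thresholds and the rating labels are assumptions made up for the illustration. The general idea it demonstrates is the one password checkers use: the larger the alphabet and the longer the password, the larger the space a guessing program has to search, while a recognisable dictionary word collapses to roughly a single guess.

```python
import math
import string

# Constructed stand-in for a real dictionary of common terms (assumption).
COMMON_TERMS = {"password", "letmein", "qwerty", "welcome", "admin", "123456"}

# Rating thresholds in bits are an assumption for this example, not a standard.
RATINGS = [(28, "weak"), (50, "medium"), (80, "strong")]


def character_pool(password):
    """Size of the alphabet a guessing program must cover, from the character types present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return pool


def estimate_entropy_bits(password):
    """Approximate search space in bits: length times bits per character.

    Each recognised common term is counted as a single symbol drawn from the
    word list rather than as a run of independent characters, which is what
    makes "password1" score far below a random nine-character string.
    """
    pool = character_pool(password)
    if pool == 0:
        return 0.0
    per_char = math.log2(pool)
    bits = len(password) * per_char
    lowered = password.lower()
    for term in COMMON_TERMS:
        if term in lowered:
            bits -= len(term) * per_char          # drop the per-character credit
            bits += math.log2(len(COMMON_TERMS))  # one pick from the word list
    return max(bits, 0.0)


def rate_password(password):
    """Map the entropy estimate to a coarse label."""
    bits = estimate_entropy_bits(password)
    for limit, label in RATINGS:
        if bits < limit:
            return label
    return "best"


if __name__ == "__main__":
    for candidate in ["abc", "password1", "Tr0ub4dor&3", "correct horse battery staple"]:
        bits = estimate_entropy_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits, {rate_password(candidate)}")
```

The estimator is deliberately simple; a real checker would use a far larger dictionary, recognise substitutions such as 0 for o, and account for keyboard patterns. Even so it shows why a long passphrase of ordinary words outscores a short string of symbols, and why a dictionary word with a digit stuck on the end is barely better than the word alone.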
 Wednesday, August 01, 2007
 Monday, July 30, 2007
Ouch, this news is a few days old but I am just catch