Blogging @ Work: Blue Hat and Threat Modeling
BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers.
The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers.
There are posts from Rain Forest Puppy, Halvar Flake and Ollie Whitehouse.
You may remember Rain Forest Puppy for his work advancing the discussion around responsible disclosure. Well, he blogs about “The New Security Disclosure Landscape” [http://blogs.technet.com/bluehat/archive/2007/09/28/the-new-security-disclosure-landscape.aspx].
Reviewing an installed piece of software in your own closed environment, while conceptually subject to copyright and other intellectual property infringements, is benign enough within that exact context. However, reviewing someone else’s production web site (without their permission, of course) for security problems is essentially a criminal activity. What is the real difference between looking for a vulnerability in a web site to help make it more secure versus looking for a vulnerability in a web site for malicious purposes? In the initial stages, both approaches involve the same exact technical activity/process. The only difference is the attacker’s intent—and intent is just a subjective frame of mind of a person that can easily be (mis)interpreted in a court of law.
Halvar discusses the economics of attacking Vista and what that might mean for Microsoft and researchers in “Vista and Vigilance” [http://blogs.technet.com/bluehat/archive/2007/09/28/vista-and-vigilance.aspx]. Symantec researcher Ollie Whitehouse discusses “Microsoft, Mobile and Security” [http://blogs.technet.com/bluehat/archive/2007/09/27/microsoft-mobile-and-security.aspx].
There’s also posts from my co-workers Katie Moussouris and Mark Russinovich, and I posted “Pay No Attention to that Vuln Behind the Curtain.” [http://blogs.technet.com/bluehat/archive/2007/09/25/pay-no-attention-to-that-vuln-behind-the-curtain.aspx]
I’ve also kicked off a series at the SDL blog, “The Trouble With Threat Modeling” [http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx], and “The New Threat Modeling Process” [http://blogs.msdn.com/sdl/archive/2007/10/01/the-new-threat-modeling-process.aspx]. I’m actually really excited about the series, and some of the posts I have coming up. I hope you enjoy them.