
It's a significant improvement over the last Community Technology Preview (CTP) - i.e. the one available to MSDN & TechNet subscribers. It's not had the same level of testing, hence it's not suitable for you to play with, and we're getting really close to Release Candidate stage.

For those of you who are desperate for news and may have wondered about the performance of the CTPs, I can assure you that the most recent version whizzes along compared to anything you've seen.

It's quite strange @ Microsoft at the moment as many of the technical people I work with in the UK seem obsessed with which build version of both Windows Vista and 2007 Office System they're running. We quote build numbers at each other all the time. On the odd day when I wonder whether I'm really a true geek, this reminds me that in fact I'll never truly fit in "on the outside"!

I'm running build 5536 of Windows Vista - it's so much better than previous builds - 5520 was noticeably better than before, 5536 is even better.

The Technical Refresh of 2007 Office System Beta 2 looks good too. 

If you're not a crypto geek then don't be scared - read on! If this makes as much sense as boiling ice cream then please let me know and I'll explain it in simpler terms - just hit the "comment" button.

When you visit a website via HTTPS you're viewing HTTP content over Secure Sockets Layer (SSL). This much is pretty well understood by most IT Pros, I think.

The browser challenges the website to prove its identity: the site presents a certificate and performs an operation with the corresponding private key. The certificate contains the public key that matches that private key, together with a series of attributes including usage information such as an expiration date and details of the issuer. The issuer is known as a Certification Authority. One of the roles of the issuer is to bind the physical identity of the subscriber (the website in this case) to the digital identity in the certificate. The issuer digitally signs the certificate to assert its authenticity and to make it evident if it is subsequently tampered with.

The Windows operating systems (XP, 2000, 2003, Windows Vista) ship with a series of "Trusted Roots" - also known as "Root Certification Authorities" or "Self-Signed Certificates". In order for your browser to trust the certificate presented by a website it must trust its issuer - that's where the Trusted Roots come in.

By default every Windows user will automatically trust the identity of any web server reached via HTTPS if its certificate is signed by one of the Trusted Roots, assuming the certificate is within its usage dates (and is otherwise valid).

You can set up your own Certification Authority using the optional Windows Server components without any additional license charges. The challenge you'll face is that you have to distribute your Trusted Root to all clients. If you're working within an Active Directory domain this is easy to achieve, as additional Trusted Roots can be distributed automatically. If you wish clients outside your network boundary to trust your certificates then you have to convince them to install your Trusted Root. Technically it's an easy process for the users to go through - just send them a very small file (containing the Trusted Root) and ask them to double-click it and answer the operating system's question "do you wish to accept this trust?" - politically this may be more of a challenge, as by doing so they'd trust ALL certificates issued by your Certification Authority.
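As an added example (not the blog's own code), here is the browser's side of the check described above, using Go's standard library: a constructed in-house root CA issues a certificate for an assumed intranet host, and verification succeeds only on a client that has installed that root, within the validity dates, for the hostname being visited. The CA name and hostname are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the signer's private key (self-signed when parent == tmpl).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return cert
}

// BuildChain builds a constructed in-house root CA and a web-server certificate it issued.
func BuildChain(notBefore, notAfter time.Time) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays with the CA
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the web server
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example In-House Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: notBefore, NotAfter: notAfter}
	root = makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed: the "Trusted Root"
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"intranet.example.test"},
		Subject: pkix.Name{CommonName: "intranet.example.test"}, NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey) // carries the server's PUBLIC key, signed by the root
	return root, leaf
}

// Verify mirrors the browser's decision: chain to an installed Trusted Root, inside the validity window, for the visited host.
func Verify(leaf *x509.Certificate, trustedRoots []*x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool() // an empty pool models a client that never installed your root
	for _, c := range trustedRoots {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	root, leaf := BuildChain(now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("root installed:", Verify(leaf, []*x509.Certificate{root}, "intranet.example.test", now))
	fmt.Println("root missing:  ", Verify(leaf, nil, "intranet.example.test", now))
}
```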

If you provide a Root Certification Authority for third party customers and would like Windows Users to automatically trust them then you need to enrol in the Microsoft Root Certification Programme. Details of how to join the programme can be found here.

One of the wonders of this form of cryptography is that it's based on a well-defined standard - X.509 certificates and the associated RFCs - so you can interoperate across most modern operating system platforms including Linux, Mac and of course Microsoft Windows. The other platforms presumably have comparable Root Certification Programmes though I don't have experience of them.

 

Information Security is like painting the Golden Gate Bridge: it's a perpetual task! Many people seem to believe that by buying some product or security service they can obviate their responsibility. In some cases products and services can help, but they're very (very very) unlikely to help you unless security is a business consideration that is part of day-to-day business in process, procedure and technology.

Information Security shouldn't be an onerous task - it simply needs to be a pervasive consideration.

Thanks to Thomas Hawk for the amazing image. Thomas has many more fantastic pictures in his photo stream.

It's been a long time coming but Windows Vista is nearly ready for Prime Time.

Steve Horne's posted a machinima short film (2:30 minutes duration) that pokes fun at the time it's taken to design and build Windows Vista - it's titled "Hunting Vista". 

Steve's friend Richard Coleman used the game "The Sims" to produce the animation. Thanks go to "The Sims" for producing a wonderfully involving game and "YouTube" for hosting the film.

Just click on the image below to view the film itself:

Click on the image below to view Steve's previous short piece of machinima which shows in no uncertain terms why it's important to keep your software up to date!

 

Many of you have asked me by email when ISA 2006 will be available for production use.

ISA 2006 is due to hit the Microsoft universal price list on 1st Sept 2006

It will also be available for download by TechNet Plus subscribers in the next few days. 

I'm getting on really well with my new phone - the Orange M3100 I mentioned earlier this week. I won't bore you with the details.

One noteworthy point is that the device has support for WiFi - this was a deciding factor in my choice of device. Being able to browse with WPA authenticated access and even remote desktop into my home network is nice. The speed benefit of WiFi over GPRS makes the experience really good. The cost benefit of using WiFi instead of 3G helps too. The device switches traffic to the fastest available network out of WiFi, 3G and GPRS. All sounds good so far...

Being interested in security I've hit a snag that perhaps won't worry most people - there isn't a built-in firewall on my phone. I know that there are several third parties who provide personal firewalls for PDAs, but the omission of built-in protection is disappointing. This limitation is not specific to the M3100 of course, but rather to the platform itself.

The Windows Mobile platform includes a wealth of sophisticated security features, including the facility for a remote administrator to erase its data store if it's lost or stolen.

Given the extensive features for accessing and manipulating personally identifiable information (including email, diary and contacts) I suggest that a personal firewall should be installed BEFORE using WiFi.

James wrote a great introduction to Talking Microsoft and I'm glad to see that folk out there in IT Pro land are starting to talk about this new resource which takes you behind the scenes at Microsoft Ltd. Our aim is to connect you to the people that make decisions about the software and services we provide to you. 

In-Cider Knowledge and Geek in Disguise are already sharing their views on Talking Microsoft.

Ideally we'd like your feedback and suggestions to enable us to interview people YOU find interesting and ask them the QUESTIONS that you'd ask if you were able to wander into their (open plan) office (area) as we can.

...and of course due to the wonders of the Internet I stumbled across an entirely different "Talking Microsoft" post...anyone remember Microsoft Barney?

Sick bags @ the ready - click on the image below and then hit the play icon on Dvorak's website just below the image - the play icon below won't play it. Thanks to Dvorak for his entertaining (depending upon your sense of humour) post.

 

Eileen beat me to it in posting about the upcoming Girl Geek Dinner. I was glad she mentioned it as I hadn't realised there was one coming up. I've thoroughly enjoyed joining previous Girl Geek Dinners as there are always so many interesting people there. Not all of them Girls! Gentlemen - if you'd like to go then you need to accompany a girl.

If you'd like to meet other people who are interested in innovative ways to use technology then I think you'd enjoy coming along to the 7th Girlie Geek Dinner which is taking place in London at 7pm on the 29th of August. Click here to add your name to the list of open minded folk who are meeting up for a chat and drinkie.

Abigail Sellen has kindly agreed to share her thoughts via an informal talk.

Abigail is a Senior Researcher in Microsoft's Cambridge Lab, working in Socio-Digital Systems, a new interdisciplinary group with a focus on the human perspective in computing.

As I've mentioned before I find the term "Geek Dinner" interesting as your stereotypical Geek would run a mile from the idea of going out for drinks with many people they'd never met before!

My Lovely Wife Jules will be joining us for her FIRST Geek Dinner - here's her picture so do say "Hi".

 

 

This must say more about me than I perhaps intend and I dare say it's not good!

Earlier this morning I happily received a brand new shiny phone with all kinds of bells and whistles including 3G and a touch screen. My new device is an Orange M3100. Paul's written a little about the device including some nice images of it on his blog. Jason Langridge also mentioned it on his blog.

The thing is that I've had to use a new SIM to upgrade to 3G from GPRS and this involves a switch over period of around two hours. It really shouldn't bother me as much as it does that after nearly four hours I still can't make or receive calls or data. The weird thing is that I'm going a little stir crazy. I use my phone for all kinds of things including my diary and I think this is probably the feature I'm most lost without.

Perhaps I rely upon technology too much. I went cold turkey last year whilst on holiday as I didn't use any electronics at all - after three days I found it rather liberating - prior to that I felt hopelessly disconnected. I didn't NEED connectivity whilst on holiday - I just felt weird without it!

 

Thanks to James for boldly inviting Microsoft Ltd's new Managing Director to be our guinea pig for the first in a series of interviews titled "Talking Microsoft".

We've been looking for interesting alternative ways to share information with you - the format for "Talking Microsoft" involves us interviewing people on your behalf - much like the highly successful Channel 9.

The approach is really simple as we used a low tech consumer DV camera together with the minimum of preparation with the aim of in this case sitting you in the MD's office.

The resulting video is eighteen minutes long. Click to play (WMV format) or click to download (zipped WMV). And if you've got comments, or suggestions for future interviews, please post them with the video.

Note: The video was edited using Microsoft Movie Maker 2 as shipped with Windows XP Service Pack 2.

 

Ron's comment asking "if it's all about risk why do we call it Information Risk Management" has certainly made me think...

It's all very well for "security thinkers" to tell you all about all kinds of weird and wonderful threats to your information and "security vendors" to tell you that their "UberAntiDoodarThreatNeutraliser" will rid you of them but where should you start? What practical steps can you take now to improve your security posture?

Whatever it is that makes you money the chances are that it relies upon decisions being made based on information. The mandate of Information Security of course is to ensure that accurate information is available as quickly as possible. As I typed the last line I nearly included "...to the right people" but of course that's part of the role of Information Security :-)

What information is valuable to your business? Many people question whether their business has information worth stealing. I've often heard "we just make widgets, we're not a bank or government, who'd bother attacking us?"

WHAT ARE INFORMATION ASSETS?

WHO you sell WHAT to and HOW much you charge is likely to be of interest to your competitors and those who may wish to enter the market. The names of the highly skilled people in your company are likely to be of interest to those who may wish to recruit them to work for a rival company.

The designs of existing products and plans for future products represent high value information assets.

Believe it or not both your old designs and any fault tracking databases including help desk calls can also be highly sought after information assets that could be used by a rival to help them avoid the same mistakes as you.

All of the items listed above represent possible information assets. You need to consider the impact of such information falling into the wrong hands and use this to write (or update) your information security policy which should define WHAT SHOULD HAPPEN and identify security controls to mitigate the threats of exposure. You also need to consider the impact of information assets not being available and write (or update) your business continuity plan accordingly.

Of course there are an ever growing number of legal requirements that you'll also have to comply with, including HIPAA, SOX and possibly SB1386, each of which requires you to implement effective corporate governance.

 

HOW DOES RISK PLAY A PART?

Our security policy should state the ways in which information SHOULD flow into and out of our organisation. The policy should include statements specifying the security controls to be used to mitigate the RISK of information exposure. Clearly it's only worth expending a certain amount of effort (time and / or money) to protect an asset relative to its value and the risk of it being exposed. Keeping on top of the likely threats at a point in time, and the effectiveness of current controls relative to those threats (and the current value of the assets), is what information security is all about.

I'll drill into each of these areas in further blog posts.

 

Full details of this month's security update can be found here.

It's a significant update as it includes updates to address nine critical vulnerabilities and three important vulnerabilities. Ten of the vulnerabilities are for Microsoft Windows, two are for Microsoft Office. It's interesting to note that the severity of the vulnerability is greater for older versions of Microsoft Office.

The Microsoft Security Response Centre (MSRC) have posted an interesting entry about August's security update.

I was recently asked for suggestions to give to Chief Information Officers to improve their security posture.

My suggestions were as follows - I'd love to hear your comments to see what you'd suggest:

Here are my five tips for CIOs:

  • Challenge everything. Those that work in technology often lack the “big picture” view hence forget to consider “how will this help the business” when purchasing, implementing and building solutions. Specifically in the area of information security you need to ensure they understand “what threat am I trying to mitigate by taking this course of action?”
  • Clear communication is paramount. At the end of the day the people that USE your information systems are the ones that need to make the important decisions over what information should be shared with whom. Empower EVERYONE to both make security decisions and accept the responsibility that goes with them.
  • Few Information Security Policies make any sense. Effective policies are clear, concise and are communicated to everyone who they apply to. Policies should be reviewed frequently BY A REPRESENTATIVE group of the people they apply to. Everyone should be empowered to challenge “stupid” policy statements.
  • Security is often viewed as purely the enclave of specialists. This is not true. Effective security requires EVERYONE to buy in to accepting their responsibilities.
  • There are no easy answers. Security is not easy. Nor is it impossible. It’s merely another risk decision. It requires a mandate from on high and must be positioned as enabling the business to do more with less risk.
Click on the image below or here to listen to a recent podcast where some chap from Microsoft speaks his mind about security posture and how to be proactive.

The authors of the podcast (Rich and Dave) share their eclectic style and some rather specialist "music". It's an active and well respected user group that meets frequently and shares practical advice in a lively manner.

It seems weird promoting a podcast that features myself, though the chaps asked me to share it with a wider audience. I've supported their user group meetings and was impressed by how much valuable information was shared between their members.

There's an interesting podcast (of approx 20 mins duration) hosted by Bill Hilf where Tim O'Reilly discusses where open source is going and how open access to data is of principal importance. Tim talks about how the best applications are those that get better the more people use them - search engines, wikis and reviews on trading sites are good examples.

He quotes one of Robert Scoble's earliest posts whilst @ Microsoft, where he mentioned a local restaurant that he liked and observed that its website didn't show in a search engine query (Google, I believe) - he said that by the following day it would show due to his readers visiting the site and thereby raising the site's profile in the search engine.

Interesting indeed.
