[ISN] Chills at Microsoft's security huddle

From: InfoSec News (alerts@private)
Date: Mon Jul 24 2006 - 23:12:56 PDT


By Joris Evers
Staff Writer, CNET News.com
July 24, 2006

Microsoft likes to keep its friends close--and now that security
companies are its foes, it may well want to keep those even closer.

The software maker has traditionally held powwows with partners to
explore common ground. Security has been one area of activity: For
almost 10 years, it has quietly held annual meetings with top
researchers from antivirus companies such as McAfee and Symantec. This
year, however, Microsoft decided to merge a couple of security
get-togethers, as it found it was repeating itself over multiple

But that wasn't the big difference for the companies at the June
meeting. Microsoft, and its $34 billion war chest, is now a competitor
in the antivirus market. With its huge presence on desktops, the
software giant has a built-in advantage--and that is making some
collaborators nervous about sharing information. It's especially a
concern that Microsoft requires attendees to sign a document that
allows the company to use anything that anyone says at the event.

"Having been put into that situation, people will feel more inhibited
to say things," said Jimmy Kuo, a McAfee fellow and a veteran of the
Microsoft events. "They ask us to sign a nondisclosure agreement, and
if we say anything in those meetings that Microsoft is able to use,
they have the right to do so." The agreement was introduced in recent
years, he said.

Microsoft gathers the antivirus experts to discuss Windows security.  
The event is meant to give them ideas about what kinds of products
would be of most value to Windows users and to help Microsoft
strengthen its operating system. But now that the company is a
security rival, it might not want to reveal some Windows details.

The newly merged Microsoft Security Response and Safety Summit was
held late last month at the software maker's Redmond, Wash.,
headquarters. The two-day meeting was not publicized and attracted
about 150 representatives from about 80 security companies and
Internet service providers, said Mark Griesi, a senior business
development manager at Microsoft.

The event mostly provided a primer on security in Windows Vista, which
led to a discussion on how attendees' products might work with the
Windows XP successor. Microsoft has touted Vista, slated for broad
release in January, as its most secure operating system ever.

"The key messages for the folks was about the new technologies in
Vista, how they interact with those technologies, how to use that to
better protect the consumer," Griesi said. "There are a lot of great
things that they can use. We want to make sure that everybody is 100
percent aware of what is available."

But several of the attendees told CNET News.com that they had learned
little. "They talked mostly about Vista and security initiatives,"  
said Hiep Dang, director of threat research and engineering at Aluria
Software, an anti-spyware specialist that is a subsidiary of
EarthLink. "I was hoping they would go a lot more granular than they
did. A lot of the information they gave was information we probably
could have gotten online."

Another attendee agreed that previous meetings had provided many more
technical details. "This year they presented things that we already
know," said this antivirus researcher, who asked not to be named.

Going in for the kill

That individual expressed concern about the purpose of the event, in
light of the new rivalry. Perhaps Microsoft used the event to gather
information that could help its security products and beat out the
incumbents, the researcher suggested. "Is this brain-picking?" the
researcher asked. "Microsoft is slowly moving towards the kill."

The software maker is walking a fine line between being a partner and
a competitor to security companies. In late May, it introduced Windows
Live OneCare, a consumer security package. It is now preparing a
product to protect business PCs and servers, a move that will put it
head-to-head with industry stalwarts such as Symantec, McAfee and
Trend Micro.

It has been down similar roads in other areas. It is making a push
with systems management software, as well as in business intelligence
and content management, for example. It competes with incumbents in
those markets, but it wants to partner with them at the same time,
because it wants third-party products to work well with Microsoft

"The fact that we now offer security products does not change our
commitment to work collaboratively with all of our security partners,"  
Griesi said. "It's also important to note that while we encourage
members to engage, all feedback is voluntary and does not impact the
extent of information that Microsoft provides to partners."

Just last week, Microsoft said it was going to play nice and would
abide by self-imposed rules aimed at bolstering choice and
competition. The voluntary principles will come into play after court
requirements related to the U.S. antitrust case against Microsoft
expire next year.

The new Microsoft Security Response and Safety Summit is part of the
Microsoft Security Response Alliance, an effort announced in June that
aims to pull together various collaborative security initiatives at
the company. It is also preparing to launch a response portal this
week for its partners, Griesi said.

The software giant has been holding annual meetings with antivirus
researchers since 1997. Initially, the confab was called Microsoft
Macro Virus Initiative and later, the Microsoft Virus Initiative. On
top of that, Microsoft has held twice-yearly get-togethers with
Internet service providers since 2004, as part of its Global
Infrastructure Alliance for Internet Safety. The Microsoft Security
Response and Safety Summit brought together the antivirus and the ISP
strands for the first time.

"We had separate events, but actually 80 percent of what we talked
about was the same, so we decided to have one summit with different
tracks," Griesi said. "We really wanted to give our various partners a
chance to meet each other...The problems that ISPs and consumers face
are the ones that the anti-malware makers are trying to address."

The merger was a good step, McAfee's Kuo said. "For us to attack some
of these problems in a timely manner, we need to have close
relationships with some of the ISPs," he said.

Security, response, safety

The Microsoft event had three tracks: security, response and safety.  
The first included sessions on secure software development at
Microsoft, on the Windows Security Center (which tells users whether
their security software is up to date) and on Vista features such as
User Account Control (which enables restrictions on different users
rights to prevent malicious software from installing).

The response section included sessions on Vista networking security,
on trends in malicious software and on security in Internet Explorer
7, the next update to the Web browser. The safety track gave an
overview of new safety features in Vista and the Windows Live family.  
These features included parental control and Vista extensibility, as
well as Microsoft's phishing- and spam-fighting strategy.

One of the sessions was supposed to discuss WinFS, a new storage
system for Vista. "We got in and sat down," Dang said. "The talk was
over in five minutes, because Vista will be completely without WinFS."  
That same day Microsoft officially announced that WinFS will become
part of the SQL Server database and will no longer be part of Windows.

Another session discussed how malicious software could leave traces on
Vista PCs even after it is removed, McAfee's Kuo said. The trace is in
the form of a so-called symbolic link, a technology introduced in
Vista. These are designed to make it easier to locate items on a
computer, and are somewhat similar to current shortcuts in Windows XP
and to aliases in Mac OS systems.

"Symbolic links can clutter up your machine with lots and lots of
links that point nowhere" after the malicious software is removed, Kuo
said. Protective tools will probably end up doing the clean-up, he
said. It's a sign that on Vista systems, security software has more
work to do than on earlier versions of the operating system.

The goal of Microsoft's alliance program is to share information like
this and to protect customers at large, Griesi said. Likewise,
security companies like Aluria say they want to work with Microsoft
for the same reason. But some note that the software giant has a
history of pulverizing rivals. "Netscape is the renowned story," Dang

He did point out, though, that Microsoft hasn't always succeeded in
imposing itself on the markets it enters. One example, he said, is
Intuit, which is still a leader in accounting software, despite
Microsoft's attempts to take it on.

"I commend Microsoft for listening to security vendors," Dang added.  
"Ultimately, we are all on the same side, which is the good guys
versus the bad guys, and we're here to protect our customers.  
Microsoft playing in this is good for all parties--it keeps us on our
toes and makes our products a lot better."

Kuo gives Microsoft the benefit of the doubt as to why it may be
sharing fewer technical details than in previous years. It depends on
the development lifecycle, he said. Vista is almost fully baked, so
Microsoft hasn't got anything new to share. Two years ago, attendees
did get a significant amount of technical information, he added.

"At this point, there is really nothing for them to tell us that we
don't know," Kuo said. "The question will be what happens next year.  
How much discussion happens then? That will be how we measure the
significance of Microsoft entering the market and how that affects
these relationships."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Mon Jul 24 2006 - 23:27:02 PDT