
Cool stuff. I’m here now in Berlin, Germany. We got in last night. Bryan Sullivan did a talk on SDL for Agile here. Got a little bit of jet lag, but our booth is set up and good to go. A hot little item that customers seem to love is the SDL laptop sticker. Mark Miller from TwC came by, and recommended we look at implementing Microsoft Tag onto the sticker. Great idea. I like that it doesn’t look like a standard barcode. More to come over this week here at Microsoft TechEd Europe.

 

George

Whitepaper: How to Manually Integrate the SDL Process Template – In response to customer requests, the SDL Team has provided a basic 7-step process for manually integrating key elements of the SDL Process Template into an existing Visual Studio Team System project.

Microsoft SDL team releases two security verification tools as FREE DOWNLOADS. BinScope Binary Analyzer integrates directly into the Visual Studio 2008 IDE. MiniFuzz File Fuzzer is a Visual Studio 2008 add-in. Both tools provide easy integration with TFS 2008 and the SDL Process Template for VSTS 2008!

 

Jeremy talks about the Microsoft SDL Process Template for VSTS that can help guide a developer through the development process. You need to check this out.

http://channel9.msdn.com/posts/LarryLarsen/Microsoft-Security-Development-Lifecycle-Templates/

http://msdn.microsoft.com/en-us/security/ee361993.aspx

The Microsoft Security Development Lifecycle (SDL) kit is now available for download. It’s about 700MB, so hope you have a fast Internet connection.

Saw this on The Business Insider at http://www.businessinsider.com/god-uses-bing-2009-9.

So who's going to be there at TechEd 2009 in Europe?

http://www.microsoft.com/europe/teched/

http://www.youtube.com/watch?v=iKvQLb2UKXg

Okay, so I'm back from my military tour, and will be digging through a few thousand emails, white papers, content reviews, and meeting with folks like David Ladd, Katie Moussouris, Bryan Sullivan, and others to get back up to speed on SDL. I've learned a lot and seen a lot in Mosul, and as the US Army allows me to declassify and speak on things I will. If you're on Facebook, look me up there. I've got some photos from Iraq up there.

 

Good to be back,

George

 

Still think security and privacy are no big deal for developers to worry about? Well then take a look at what AT&T testified to in front of the United States Congress early last week. AT&T writes below...

"And if Google does combine its third-party cookie information, with user's search histories, with Gmail summaries, and with Google Analytics data, among other data sources, they would be a proper domestic intelligence agency."

//from www.blog.wired.com //

 

Online advertising networks -- particularly Google's -- are more dangerous than the fledgling plans and dreams of ISPs to install eavesdropping equipment inside their internet pipes to serve tailored ads to their customers, AT&T says.

At least that's what the company told Congress in a letter early this week, responding to four prominent House lawmakers who are bird-dogging ISPs about their online profiling practices. Those lawmakers asked 33 internet companies on Aug. 1 to explain some of their monitoring practices. Most have replied.

In its letter (.pdf), AT&T denies that it currently digs deep into the net habits of its users "for the purpose [of] developing a profile of a particular consumer's online behavior."* (AT&T is currently facing a class action lawsuit for allegedly helping the NSA spy on Americans' internet usage, but that's a different issue since the NSA does not run ads.)

However, it says it may bake this kind of surveillance into its tubes in the future using so-called Deep Packet Inspection technology. The company rightly says it could also be used to detect copyright infringement, speed up packets of streaming video and detect child pornography.

But even if it did, that's nothing compared to Google, it says.

"If anything the largely invisible practices of ad-networks raise even greater privacy concerns than do the behavioral advertising techniques that ISPs could employ, such as deep-packet-inspection," AT&T wrote.

AT&T rightly points out that Google can know almost as much as a snooping ISP could -- which is the case for users who install Google's toolbar and don't know to opt out of Google's Web History program. And if Google does combine its third-party cookie information, with user's search histories, with Gmail summaries, and with Google Analytics data, among other data sources, they would be a proper domestic intelligence agency.

AT&T writes:

Advertising-network operators such as Google have evolved beyond merely tracking consumer web surfing activity on sites for which they have a direct ad-serving relationship. They now have the ability to observe a user's entire web browsing experience at a granular level, including all URLs visited, all searches, and actual page-views.

AT&T goes on to say that, because of Google's singular ability to gather online data, online advertising networks are substantially similar to ISPs monitoring their customers.

Google and Yahoo are perhaps the only two online empires that AT&T could realistically point towards to make that argument.

It's a clever argument, since online advertising cookies are nearly universally accepted and there are voluntary codes of conduct that most advertisers agree to in order to keep government regulators away.

And certainly any ISP thinking about looking at what its users are doing has got to be worried given that the House Energy and Commerce Committee is on a roll -- taking on ISPs that want to or have watched what their customers do online in order to serve them targeted ads. That roll is reportedly heading towards a long-fabled online privacy omnibus bill. Add to that, this month's unprecedented decision by the Federal Communications Commission to slap down Comcast for its secret and deceptive interference with file sharing traffic.

But the argument is also just wrong.

You pay your ISP to carry your traffic to and fro.

It can see everything you do online, unless you take extreme measures. It could know where you bank, the contents of your emails and chats, what sites you shop at, what you search about -- regardless of search engine -- and everything you read or watch online.

Your ISP does not need to be peering into your traffic to decide whether to show you ads for hemorrhoid cream or sports bobble heads.

They just need to get that health information and that gallery of hockey's worst bobble heads to your browser quickly.

* Threat Level readers may enjoy this full sentence from the letter: "AT&T does not at this time engage in practices that allow it to track a consumer's search and browsing activities across multiple unrelated websites for the purpose [of] developing a profile of a particular consumer's online behavior."

//from www.blog.wired.com //

 

Be sure to check out Talhah Mir's blog on threat modeling.

http://blogs.msdn.com/threatmodeling/

Also check out the last post from Talhah Mir on a post by Akshay Aggarwal on threat modeling. Here's Akshay's post from his blog site.

http://blogs.msdn.com/akshay_aggarwal/archive/2008/06/11/application-security-development-lifecycle-5a-is-threat-modeling-right-for-you.aspx

 

Microsoft has invested considerable time and effort along with other software companies to ensure children and families are safe online. It's best to check out these resources now before you actually need them. To name a few:

www.staysafe.org

http://pointsmartclicksafe.org

http://www.microsoft.com/protect

 

If you're a developer working for an ISV, you can help by providing better software security to ensure children's safety online.

 

Google Says Complete Privacy Does Not Exist.

Posted by samzenpus on Thursday July 31, @07:57AM
from the open-books dept.

schliz writes "In a submission to court, Google is arguing that in the modern world there can be no expectation of privacy. Google is being sued by a Pennsylvania couple after their home appeared on Google's Street View pages. The couple's house is on a private road clearly marked as private property." Here is our previous story about Google Street View privacy issues.

I believe this to be the difference between a socialist view and a free republic when ordinary citizens have rights to privacy and keep others from their Personally Identifiable Information (PII) data. Might does not make right.

Every time someone uses Google search, they are enabling this kind of behavior in Google and their employees. Microsoft has been around since 1975 and we've certainly made some mistakes in the past, but we've always been staunch supporters of customer privacy. Our efforts with the Microsoft Security Development Lifecycle (SDL) and our mandatory internal training on customer privacy policies are aimed at safeguarding any data that comes to Microsoft through transactional means. While I was on the MSDN Webcasts team, we couldn't pull any customer data directly, and we couldn't store it on our laptops or outside the MS firewall. Doing so means severe disciplinary actions up to and including termination. While this impedes our ability to get to market quicker and conduct on-the-fly analytics, it's the right thing to do for our customers. You don't need PII data to determine what your customers want or to get metrics in terms of how many are attending and where they are coming from. The PII data can be hidden to protect our customers' right to privacy.

Google has had issues with Google Maps where they would show images of military bases from above, and people’s backyards, just because the technology is there. Just because you have the ability to do something doesn’t give you the right to do it. Microsoft is a more mature company, and we’ve come a long way from that way of thinking. I’m glad we have policies and procedures to safeguard our customers’ data. Google's statement that privacy doesn't exist in the modern world is a decision that's not theirs to make. They're looking for an easy way out, and customers will pay the ultimate price. Think about that the next time you do a Google search.

Try Microsoft Live Search next time.

I was at my Vice President's (Scott Charney) all hands meeting last month. Scott was talking about the need to discuss online safety and Green IT to IT Pros and developers. I was taking some notes and Maslow's Hierarchy of Needs pyramid came to mind.

I thought of what Scott was saying and realized that there was an order to what we need to communicate and drive awareness for. Before we can talk about data privacy to developers and IT Professionals, it was necessary to ensure that the customer's platform and applications were secure. Only then can you even think of approaching data privacy.

If an ISV or a corporate development team is to consider data privacy as a requirement, then security is mandatory. If you're an ISV or an independent software vendor, then you're going to have to answer to your customers, who are going to ask you the obvious question, "Am I safe online?".

Online safety is comprised of privacy and security. Let's say you want to provide online safety to your customers who buy your software. You'll probably want to ensure that there is legislation/compliance in place to drive the online safety that protects the customer, as well as independent software vendors, to limit your liability when you've taken the time and due diligence to ensure your application development efforts coincide with the Microsoft Development Lifecycle.

The way we drive awareness and provide privacy and security for customers is by ensuring that independent software vendors are utilizing the Microsoft SDL in their software development efforts, along with organizations that expose customer data through online banking portals or online account access.

This week I switched to Live Search after listening to Steve Ballmer's keynote speech at MGX FY09. I've used Live Search in the past, but have been disappointed with the results. So I've been using Google Search for the past few years. I tried Live Search this Monday, and I have to say, it's as good as the Google search, and I'm finding what I'm looking for. Try it yourself and see.

Be sure to check out the cash back program that's offered through Live Search. I signed up for Search and Give and now donate every time I search. I'm giving to Catholic Charities Foundation of the Archdiocese of Seattle.
