<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://port25.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Port 25: The Open Source Community at Microsoft : Security, Interop</title><link>http://port25.technet.com/archive/tags/Security/Interop/default.aspx</link><description>Tags: Security, Interop</description><dc:language>en</dc:language><generator>CommunityServer 2007.1 (Build: 40109.1145)</generator><item><title>Project Quant</title><link>http://port25.technet.com/archive/2009/04/15/project-quant.aspx</link><pubDate>Wed, 15 Apr 2009 22:54:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:25303</guid><dc:creator>Peter Galli</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=25303</wfw:commentRss><comments>http://port25.technet.com/archive/2009/04/15/project-quant.aspx#comments</comments><description>&lt;P mce_keep="true"&gt;I noticed today that my colleague Jeff Jones in the security group is launching a metric project that appears to be leveraging some of the good bits of open techniques.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;I touched base with him briefly and he gave me a little more information about &lt;A class="" href="http://securosis.com/projectquant" target=_blank mce_href="http://securosis.com/projectquant"&gt;Project Quant&lt;/A&gt;, which is being undertaken along with &lt;A class="" href="http://securosis.com/" target=_blank mce_href="http://securosis.com/"&gt;Securosis&lt;/A&gt;, an independent security research firm.&lt;/P&gt;
&lt;P&gt;Project Quant will be working on the metrics of patch management and is as much an experiment of a new research process as it is one of security metrics, said Securosis founder Rich Mogull in a &lt;A class="" href="http://securosis.com/projectquant" target=_blank mce_href="http://securosis.com/projectquant"&gt;blog post&lt;/A&gt;.&lt;/P&gt;
&lt;P mce_keep="true"&gt;"For this project Jeff wanted to be involved, but also asked for an open, unbiased model that will be useful to community-at-large (in other words, he didn't ask for a sales tool). Rather than us developing something back at the metrics lab, Jeff asked us to lead an open community project with as much involvement from the different corners of the industry as possible," Mogull said.&lt;/P&gt;
&lt;P mce_keep="true"&gt;While he also acknowledged that it is risky for Securosis to allow direct involvement of the sponsor, the company is hoping that the process works the way it thinks it will, which also happens to match Microsoft's project goals.&lt;/P&gt;
&lt;P&gt;So, this is what's expected to happen: a project landing site has been set up at Securosis that will contain all material and research as it is developed; every piece of research will be posted for public comment and no comments will be filtered unless they are spam, totally off topic, or personal insults. &lt;/P&gt;
&lt;P mce_keep="true"&gt;All significant contributors will also be acknowledged in the final report, although there will be no financial compensation for contributors and the project itself will retain ownership rights. All material will also be released under a &lt;A class="" href="http://port25.technet.com/archive/2009/03/11/microsoft-makes-more-source-code-available.aspx" target=_blank mce_href="http://port25.technet.com/archive/2009/03/11/microsoft-makes-more-source-code-available.aspx"&gt;Creative Commons&lt;/A&gt; license, with spreadsheets released in both Excel and open formats. &lt;/P&gt;
&lt;P mce_keep="true"&gt;"In short, we are developing all research out in the open, soliciting community involvement at every stage, making all the materials public, acknowledging contributors, and eventually releasing the final results for free and public use. The end goal of the project is to deliver a metrics model for patch management response to help organizations assess their costs, optimize their process, and achieve their business goals. Let us know what you think, even if you think we're just full of it," Mogull said. &lt;/P&gt;
&lt;P mce_keep="true"&gt;For his part, Jones told me that while he has been zealous in past reports about using repeatable methodologies, pointing to his source of public data, and outlining his assumptions step-by-step, he would like to take transparency one step further by developing models and methodologies first, in an open and transparent manner, so that everyone can agree on the pros and cons before the methodologies are applied.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;"I think being completely open and transparent will help credibility since, similar to open source, everyone can scrutinize every step of the analysis ... creating open models and potentially getting community involvement just seems to be the right process," he says.&lt;/P&gt;
&lt;P&gt;I plan to interview him at greater length in the next few weeks, so look for a follow-up blog then.&lt;/P&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=25303" width="1" height="1"&gt;</description><category domain="http://port25.technet.com/archive/tags/Partnerships/default.aspx">Partnerships</category><category domain="http://port25.technet.com/archive/tags/Interop/default.aspx">Interop</category><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Management/default.aspx">Management</category><category domain="http://port25.technet.com/archive/tags/Community/default.aspx">Community</category><category domain="http://port25.technet.com/archive/tags/_7E00_FeaturedPost/default.aspx">~FeaturedPost</category></item><item><title>Web Sandbox Source Now Available Under Apache License 2.0</title><link>http://port25.technet.com/archive/2009/01/26/web-sandbox-source-now-available-under-apache-license-2-0.aspx</link><pubDate>Tue, 27 Jan 2009 02:48:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:23512</guid><dc:creator>Peter Galli</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=23512</wfw:commentRss><comments>http://port25.technet.com/archive/2009/01/26/web-sandbox-source-now-available-under-apache-license-2-0.aspx#comments</comments><description>&lt;P mce_keep="true"&gt;Microsoft has released more source code under an OSI-approved license: this time it has made the source code for the &lt;A href="http://websandbox.livelabs.com/"&gt;Web Sandbox&lt;/A&gt; runtime available&amp;nbsp;under the &lt;A href="http://www.apache.org/licenses/LICENSE-2.0"&gt;Apache 2.0&lt;/A&gt; &amp;nbsp;open source license.&lt;/P&gt;
&lt;P mce_keep="true"&gt;The Web Sandbox project explores how to advance the web platform to improve security, isolation, quality of service and extensibility capabilities&amp;nbsp;for web developers and website users.&lt;/P&gt;
&lt;P&gt;More information on the licensing details, as well as comprehensive documentation for experimenting and integrating with the Web Sandbox, can be found &lt;A class="" href="http://websandbox.livelabs.com/" target=_blank mce_href="http://websandbox.livelabs.com/"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;But, while developers are being encouraged to help define and refine the Web Sandbox, it is not recommended for those developers creating production sites as it is still under development.&lt;/P&gt;
&lt;P&gt;The Web Sandbox was created in response to limitations found in the current web platform, and is designed to explore &lt;A class="" href="http://websandbox.livelabs.com/documentation/overview_how.aspx" target=_blank mce_href="http://websandbox.livelabs.com/documentation/overview_how.aspx"&gt;potential solutions&lt;/A&gt;. Having a more secure and robust architecture as a foundational building block will help drive the next wave of Web innovation.&lt;/P&gt;
&lt;P&gt;The Sandbox is a framework that works on most modern browsers that support the &lt;A class="" href="http://www.ecma-international.org/publications/standards/Ecma-262.htm" target=_blank mce_href="http://www.ecma-international.org/publications/standards/Ecma-262.htm"&gt;"ECMA-262, 3&lt;SUP&gt;rd&lt;/SUP&gt; Edition"&lt;/A&gt; (JavaScript) standard, and provides the same features in all modern web browsers. No browser add-ons or changes are required to leverage this technology. Beyond security, the Web Sandbox normalizes the different browsers and provides consistent &lt;A class="" href="http://www.w3.org/DOM/" target=_blank mce_href="http://www.w3.org/DOM/"&gt;W3C DOM&lt;/A&gt; support.&lt;/P&gt;
&lt;P&gt;Since the initial release of Web Sandbox at PDC 2008, the team has received a lot of useful feedback from the web security community, and has also been collaborating with a number of customers, partners and the standards communities, all of whom want to adopt the technology when it is ready.&lt;/P&gt;
&lt;P&gt;The goal? An open and interoperable standard that will help foster interoperability with complementary technologies like script frameworks and drive widespread adoption of the Web Sandbox.&lt;/P&gt;
&lt;P&gt;This move is good news for Microsoft and the open source communities. But, it is important to note that while an Apache license is being used, the Web Sandbox project is not an Apache Software Foundation project and is not sponsored or endorsed by the ASF.&lt;/P&gt;
&lt;P&gt;Microsoft does, however, already have an active relationship with the ASF. In fact, last year the company announced it had become a &lt;A class="" href="http://port25.technet.com/archive/2008/07/25/oscon2008.aspx" target=_blank mce_href="http://port25.technet.com/archive/2008/07/25/oscon2008.aspx"&gt;sponsor of the ASF&lt;/A&gt; to help enable the Foundation to pay administrators and other support staff so that its developers can focus on writing great software.&lt;/P&gt;
&lt;P&gt;Sam Ramji, the senior Director of Platform Strategy at Microsoft, also delivered a &lt;A class="" href="http://port25.technet.com/archive/2008/11/06/apachecon-keynote.aspx" target=_blank mce_href="http://port25.technet.com/archive/2008/11/06/apachecon-keynote.aspx"&gt;keynote address at ApacheCon&lt;/A&gt; in New Orleans last November.&lt;/P&gt;
&lt;P&gt;Microsoft's Interoperability Technical Strategy Team already participates as a code contributor to the &lt;A class="" href="http://port25.technet.com/archive/2009/01/19/update-stonehenge-incubation-project.aspx" target=_blank mce_href="http://port25.technet.com/archive/2009/01/19/update-stonehenge-incubation-project.aspx"&gt;Apache Stonehenge incubator project&lt;/A&gt;; the company has also contributed&amp;nbsp;a patch to &lt;A href="http://adodb.sourceforge.net/" mce_href="http://adodb.sourceforge.net/"&gt;ADOdb&lt;/A&gt;, a popular data access layer for PHP used by many applications and which is licensed under the LGPL and BSD; while Microsoft's &lt;A class="" href="http://port25.technet.com/archive/2008/10/14/microsoft-s-powerset-team-resumes-hbase-contributions.aspx" target=_blank mce_href="http://port25.technet.com/archive/2008/10/14/microsoft-s-powerset-team-resumes-hbase-contributions.aspx"&gt;Powerset team&lt;/A&gt;&amp;nbsp;contributes&amp;nbsp;to &lt;A href="http://hadoop.apache.org/hbase/" mce_href="http://hadoop.apache.org/hbase/"&gt;HBase&lt;/A&gt;, an open-source, column-oriented, distributed database written in Java.&lt;/P&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=23512" width="1" height="1"&gt;</description><category domain="http://port25.technet.com/archive/tags/Interop/default.aspx">Interop</category><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Standards/default.aspx">Standards</category><category domain="http://port25.technet.com/archive/tags/Java/default.aspx">Java</category><category domain="http://port25.technet.com/archive/tags/Community/default.aspx">Community</category><category domain="http://port25.technet.com/archive/tags/Open+Source/default.aspx">Open Source</category><category domain="http://port25.technet.com/archive/tags/Dev+Center/default.aspx">Dev Center</category><category 
domain="http://port25.technet.com/archive/tags/Web/default.aspx">Web</category><category domain="http://port25.technet.com/archive/tags/_7E00_FeaturedPost/default.aspx">~FeaturedPost</category><category domain="http://port25.technet.com/archive/tags/Peter+Galli/default.aspx">Peter Galli</category></item><item><title>Technical Analysis: OpenSSH on Linux using Windows/Kerberos for Authentication</title><link>http://port25.technet.com/archive/2008/06/06/technical-analysis-openssh-on-linux-using-windows-kerberos-for-authentication.aspx</link><pubDate>Fri, 06 Jun 2008 14:35:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:19278</guid><dc:creator>jcannon</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=19278</wfw:commentRss><comments>http://port25.technet.com/archive/2008/06/06/technical-analysis-openssh-on-linux-using-windows-kerberos-for-authentication.aspx#comments</comments><description>&lt;P mce_keep="true"&gt;&lt;STRONG&gt;Abstract:&lt;/STRONG&gt; Secure remote access to UNIX and Linux systems is generally accomplished through SSH. The most frequent implementation of that protocol is OpenSSH, originally written for the OpenBSD project but now ported to a wide variety of platforms. This paper will show how to use OpenSSH with the Kerberos portion of Active Directory to automate authentication.&lt;/P&gt;
&lt;P mce_keep="true"&gt;Download &lt;A class="" href="http://port25.technet.com/Videos/research/OpenSSH%20on%20Linux%20using%20Windows.pdf" mce_href="http://port25.technet.com/Videos/research/OpenSSH%20on%20Linux%20using%20Windows.pdf"&gt;OpenSSH on Linux using Windows/Kerberos for Authentication&lt;/A&gt;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;This paper represents testing and documentation in a lab environment. User Account Control (UAC) is an essential security component to Windows and Microsoft does not recommend turning off UAC in production environments.&lt;/P&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=19278" width="1" height="1"&gt;</description><enclosure url="http://port25.technet.com/Videos/research/OpenSSH%20on%20Linux%20using%20Windows.pdf" length="141231" type="application/pdf" /><category domain="http://port25.technet.com/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://port25.technet.com/archive/tags/Interop/default.aspx">Interop</category><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://port25.technet.com/archive/tags/Linux/default.aspx">Linux</category><category domain="http://port25.technet.com/archive/tags/Open+Source/default.aspx">Open Source</category><category domain="http://port25.technet.com/archive/tags/Server+Center/default.aspx">Server Center</category><category domain="http://port25.technet.com/archive/tags/jcannon/default.aspx">jcannon</category><category domain="http://port25.technet.com/archive/tags/_7E00_FeaturedPost/default.aspx">~FeaturedPost</category></item></channel></rss>