A quick blog from the floor of the Hack in the box conference
Tony and Rob have just wrapped up their keynote here in Kuala Lumpur, and I wanted to make sure that the resources they talked about are listed here both for the benefit of the conference attendees who wanted to get to them and to everyone else who couldn’t be here today.
The talk spoke to how Microsoft’s Security Development Lifecycle (SDL) has influenced the development of IE 7. Specifically, and quite obviously if you’ve been reading this blog, IE 7 isn’t just about patching problems but about making deep architectural changes to provide defense in depth at every level of the browser.
Here are some of the resources that we mentioned for those interested in SDL or providing us feedback on our security plans:
- The Security Development Lifecycle (SDL)
- Book: Writing secure code
- Book: Threat modeling
- This blog (congratulations, you've found it :^)
- Send us feedback on security issues: secure@microsoft.com
Thanks to the organizers of the conference for having us. This keynote represents the first time the IE 7 team has given a talk at a software security conference and we hope it’s the first of many talks and opportunities we’ll have to engage with security researchers around the world.
-Christopher Vaughan
Edit: fixed formatting errors
Comments
Anonymous
January 01, 2003
"Proof read"Anonymous
January 01, 2003
What on earth happened with the RSS item for this post? Trust the IE team to pepper everything with font tags and make it all unreadable rolls eyes.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
@Josh street
Unreadable?
I think this blog looks great using Sage in Firefox.
Great work IE team. Wish I was an MSDN subscriber (wont pay $500-800 USD just to test free beta stuff though) so I could try both IE 7 and WinFS. I love Monad so far.
Windows Vista will probably be great with these extra apps.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Heheh would be horrible to read it in a fontsize=2. That is, I wouldn't be able to read it at all (almost blind without my glasses :P).
Oh well, lets hope it works better in the next post.Anonymous
January 01, 2003
I dont know what the fuss is about...looks fine in the IE7 RSS reader.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
It was great to meet you guys when you guys were down at HITBSecConf :) i got a question since IE is available for Mac OS X will it be available for the GNU/Linux Operating system as well ?
P.S : Thanx tony for signin my phrack 63 :)
Prabu
www.prabu.usAnonymous
January 01, 2003
It was great to meet you guys when you guys were down at HITBSecConf :) i got a question since IE is available for Mac OS X will it be available for the GNU/Linux Operating system as well ?
P.S : Thanx tony for signin my phrack 63 :)
PrabuAnonymous
January 01, 2003
Dude, where's the photos! :-)Anonymous
January 01, 2003
Xepol: Well the only tools I have so far is "Visual Basic 2005 Express Edition Beta 2" when using Monad. I'm not much of a developer, I mostly steal other peoples codes to test stuff. Coding has never been my thing (logic thinking that is :P), but it could be a good idea to try it out for a year.
A lot of money for someone like me whom don't develop anything for anyone though.
The money would come from my own pockets and not some companies sighs oh well.
IE team: Could you please update us every now and then regarding releases of IE betas and when IE 7 will be released?
I have been reading on Paul Thurrot's site for some time now and he seems to be able to get the dates (not sure if is he right though).
Thanks for the info, might give it a try next year. :)Anonymous
January 01, 2003
"since IE is available for Mac OS X will it be available for the GNU/Linux Operating system as well?"
Why would you ask such a thing?! Why would anyone want IE on Gnu or linux?
In fact why would you want it at all?Anonymous
January 01, 2003
Hey guys, just a quick note to thank the IE team for coming down to KL. It was really REALLY great meeting up with all of you and I hope that you enjoyed yourselves at our event. Anyway, since Jim asked; the photos from the event have just been released :) I'm pleased to say the atmosphere was well captured; even the post conference party!
http://photos.hackinthebox.org
Cheers,
LD.Anonymous
January 01, 2003
" IE7 is not and will not be available on OSX. Macintosh development of IE ended some time ago."
Thankyou.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The conference materials have been released.Anonymous
January 01, 2003
Firefox isn't going to get wiped out by IE7. Nor will Firefox stop IE7 from going out to a hundred million machines in short order.
With many hundreds of millions of folks on the Internet, there's room for more than one or even two browsers. Healthy competition is good for everybody.
Vendor-patriotism isn't really needed.Anonymous
January 01, 2003
Woah, settle down Paul. I was merely disagreeing with your points, just as you disagreed with whoever called themselves "sigh".
I post on this blog because I want MS to improve their product, not just to bash it. I want IE to be the best browser out there because all of my clients use it, and if the software is up to scratch then my job as a Web Designer is easier and more rewarding.
I make criticisms in the hope that the IE team will listen and improve their software. I'm over the moon that IE7 is going to support more standards and even the "not-yet-standards", but at the same time I'm gutted that IE6 will remain the same.
I'm not a fanboy either, I'm just passionate.
I deal with IE6 every day. (emphasis on "deal")Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Nice post Link, I agree with just about everything you've covered. Except I still think IE6 is a bad browser (mainly because of the lack of some particular CSS support, I'm getting tired of saying that).
Also, you say "these comments are of no use for anybody". But later on you say "IT'S A BETA, A BETA.. it could still change."
That's exactly why it's important to pump out the suggestions/crits before it's too late. The IE team also asks for feedback, and that's what they're getting.
I tried the IE7 beta and you're absolutely correct about the interface being confusing. You should have seen my colleague use it for the first time.
Now, when can we see some new blog updates? It's evident that everyone's getting a bit wrestless (or maybe it's just me).Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
See http://TheFuturum.com - you can send message to eternity there.Anonymous
January 01, 2003
Hi Christopher, It was great catching up with you after my presentation at Ruxcon, I hope you also enjoyed it. Apologies for not being able to hang around for too long afterwards, I was in a rush to get to the airport. If you are back in the US now, have a look at some of the emails I have sent you (I hope you are getting them). I have some interesting ideas that I would like to speak to you about - look forward to hearing from you again. Cheers.Anonymous
January 01, 2003
I have to say, I'm a little curious regarding your progress when it comes to ingrating your authentication technology (InfoCard) into IE 7, as well as any news on how disscussions are going with Firefox and Safari in getting them to adopt the tech.
It's just I was reading an article on the subject: http://www.pcworld.idg.com.au/index.php/id;2112242001;fp;2;fpid;1, which said that while infocard was not on IE 7.0's feature list, it may well end up being included and that you guys where in talks with the other major browsers to see if they where interested in adopting it as a standard technology.
This, according to 'experts' "can only help" when it comes to security, so I think it's definetly something worth pursuing.
P.S. This is only my second blog (my first being the one above), so my point there is that if I've made a fool of myself in either, please be kind!Anonymous
January 01, 2003
I definitely agree with the calls (and there have at least been a couple here so far), for some new blog updates from the IE team, as it's been a good ten days since this one got put up. Come on guys, don't tell me you've run out of stuff to talk to us about?....Anonymous
January 01, 2003
The person who calls themselves "* sign *", you are terribly wrong. Perhaps the non-technical people at Microsoft are only interested in making money, but if you know as many developers as I do, you'd realize that all they're interested in is making the coolest, greatest program in existance. That's what drives the IE team forward, not adding the least possible amount of features to their software as possible while still holding onto a relativly large userbase. Developers aren't making insanely big bags of money, so their payback is knowing they contributed to a really awesome piece of software.Anonymous
January 01, 2003
Paul (greyhats) wrote:
"You have obviously not spent any time in computer security, otherwise, you would not be saying such things.
...
I have been on the front lines of software security, especially Internet Explorer and Firefox. "
I have been working with computers since the Carter Administration. What kind of security professional puts confidental information on a public server?
Stop drinking the kool-aid. Firefox is not going away, and the points I made are valid. I won't quibble the minutia. Microsoft is releasing IE7 as a business move. Only features/architecture/bugs deemed relevant to their interests will be addressed. That's business 101.
Customers will choose what fits "their" needs.Anonymous
January 01, 2003
I know that Firefox isn't more secure than everything else, but the last time I got spyware/adware was when I was browsing innocently with IE6. I still haven't had any viruses, adware or spyware since I started using Firefox, therefore I will continue using it until I get something I didn't ask for.
If you're still designing for Netscape 4x then that's your choice, but IE still has about 90%+ more market share.
And the thing that seperates IE's plugins/extensions from Mozilla's is that Mozilla hosts their own extensions, therefore eliminating most of the risk.
For the record, I am actually hoping IE7 regains IE's lost market share. As long as standards support is improved then I'm a happy chappy.Anonymous
January 01, 2003
milki wrote:
"With IE 7 Firefox will disappear."
* IE 7 will only run on a subset of Windows versions and will ignore Mac, Unix, Linux.
* IE 7 is holding on to broken architecture(ActiveX).
* IE 7 has not dealt with long standing security bugs.
* IE 7 has not dealt with long standing markup bugs.
* IE 7 has a bizarre tabs/menu/button GUI implementation.
* IE 7 is too little, too late.Anonymous
January 01, 2003
With IE 7 Firefox will disappear.
I found a addon for Mouse Gestures in IE.
But can someone tell me if their are somethings like the AdBlock Extension and the Customize Google extension for Firefox.
Thank You
You Can email me these requests at
cricketmilki@yahoo.comAnonymous
January 01, 2003
LordMike : There is (was?) an OS version only subscription for MSDN. It would be worth finding out if it qualifies for the IE betas.
Certainly, if you don't need developer tools, but need access to just the OS stuff, it has a certain appeal.
Who knows, maybe TechNet Plus might even be more appropriate (again, you'll have to check, I'm not sure if they get the IE beta, but I would think that they should, since the IE beta is aimed at IT people, and TechNet is FOR IT people)
And ya, my subscription costs come out of my pocket too - it can hurt just a little. Better than the 4g only option MS used to have though.Anonymous
January 01, 2003
IE7 is not and will not be available on OSX. Macintosh development of IE ended some time ago.Anonymous
January 01, 2003
"Am I the only one that finds it extremely amusing that Microsoft is promoting/publishing books under MSPress on Security?!
Writing secure code?!?!
Threat Modeling!?!?"
I think you are.
The authors of these books (e.g. Michael Howard) know their stuff. The purpose of the books is to help other people learn this stuff. I'm pretty sure that "Writing Secure Code" is required reading for new Microsoft developers.
Regarding the "other browser" you mention... how many of those who contribute to the code base are educated about how to write secure code? How many of the new features undergo thorough threat modelling before being developed?Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Now that the hackers have previewed IE 7 beta 2 could you announce a public beta date ?Anonymous
January 01, 2003
Beta 2 will be out 7th december. This might change, because IE 7 was supposed to be released this year, but is now moved to march 2006.Anonymous
January 01, 2003
When will Beta 2 be ready? Beta 1 wasn't even worthy being called "beta".Anonymous
January 01, 2003
I'm glad the IE team is doing heavy work on security. Since it's a popular target of criminals, my organization has decreed that we will stop using IE in some sensitive areas. I approve of their caution.
Perhaps when IE gets locked down properly, and loses the reputation as a vulnerability, such measures will be unneeded.
Don't get discouraged. Keep working on it.
thanks
DavidAnonymous
January 01, 2003
I know this isnt the appropriate blog to ask this quesiton but anyways :
will the 'Image toolbar' be re-availalbe in Beta 2 when it is released. The options are still within the settings in Beta 1 - image resizing still functions but the image toolbar doesnt display (unless Im doing something wrong ?)
ThanksAnonymous
March 11, 2008
Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in fact).Anonymous
March 11, 2008
Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in factAnonymous
March 11, 2008
PingBack from http://outatime.wordpress.com/2008/03/11/address-bar-improvements-in-internet-explorer-8-beta-1/Anonymous
March 11, 2008
PingBack from http://www.e-spot.se/address-bar-improvements-in-internet-explorer-8-beta-1/Anonymous
March 15, 2008
PingBack from http://angeliquewi.wordpress.com/2008/03/15/internet-explorer-8-novita-per-barra-url/Anonymous
May 12, 2008
PingBack from http://internetexplorerblog.info/?p=101Anonymous
May 29, 2009
The comment has been removedAnonymous
May 31, 2009
PingBack from http://woodtvstand.info/story.php?id=6188Anonymous
June 13, 2009
PingBack from http://onlyoutdoorrugs.info/story.php?id=353