3vil Day vs g00d Day

One of the best keynote speakers of this conference so far has to be George Stathakopoulos (General Manager of Product Security for Microsoft). Essentially George took us through the history of how the Microsoft security team evolved from nothing into a force to be reckoned with, and a diary of how his life had been disrupted by the various vulnerabilities and attacks over the last decade.

His talk included each major problem from ILoveYou, Code Red, Nimda, Blaster, Sasser, SQL Injection to today’s botnets and the reason why you get your security updates on Tuesday! Stathakopoulos said that his team regularly run two types of sessions for Microsoft executives:-

- 3vil day when executives are updated on the latest vulnerabilities and attacks against Microsoft products and

- g00d day when executives are updated on the latest defences.

One of the most interesting aspects of George’s talk was that he was able to traverse the diversity of people and culture at FIRST. In other words, he was able to speak at both a technical level (unfortunately he couldn’t release his presentation due to the virus code it displayed) and at a senior executive level, where he admired and enthused about the philosophy of FIRST (everyone working together to secure the world) and how senior executives were trying to get the law to hand out stricter punishments.

For example, Stathakopoulos cited how Microsoft were able to locate and prosecute the creators of the Sasser worm, which cost industry billions of dollars, but the creators were apparently only sentenced to twenty-one months.

Several aspects about Stathakopoulos that made him easy to listen to were:-

- His straightforwardness

- His honesty about lessons learned, not just from within Microsoft but also from outside

- Although his passion for his job was obvious, he did not need to fly the Microsoft flag – something many junior executives could learn from.

It would be good if one day he puts pen to paper and writes a paper/chapter/book on lessons learned from working in the security trenches.