I attended a Microsoft propaganda event this morning in Tivoli.

Steve Ballmer, Microsoft's CEO, talked about "Innovation or Stagnation". The interesting stuff from his talk:

  • About the latest worms and viruses, among them Blaster, he had a slide roughly like this; my comments are in this font on the next line:
    • Security expert discovers flaw.
      Or a blackhat hacker makes the discovery. This is a lot worse because it'll be kept secret until people discover that they get hacked and are not too embarrassed to admit and report it.
    • Microsoft releases a security patch.
      Or scrambles to do so after an exploit is discovered in the wild and thousands of Windows servers are already compromised.
    • Hackers reverse-engineer security patch & build virus.
      Well, at least the files affected by a patch point to where the problems are.
    • Customers can't deploy patches prior to new virus.
      Yeah, patch management is a bitch. Mr. Ballmer said they were working hard on improving it. Good to hear.
    Now, this is of course wishful thinking and yet another piece of FUD from Microsoft to try to make security researchers use the Microsoft (and many others) sponsored Responsible Disclosure which they no longer try to make an RFC. They're no doubt plotting for other nefarious ways to make it "required" in one way or another.
  • Steve Ballmer's own home PC was hit by Blaster. Ha!
  • Microsoft has created internal tools for static source code analysis for security flaws (deciphered from CEO speak, caveat emptor) which will be made publicly available for free "soon".
  • Quote: "We need to improve patch management." Right.
  • Microsoft has been working with AMD and Intel to make their next generation of CPUs support per-page W^X permissions. At least that's what I think he was talking about; it was encoded in CEO speak, so he might have talked about something else than that. Anyway, the AMD Opteron™ CPU is already available, and the Intel Itanium® 2 will also soon be available. Both support per-page W^X permissions. This is a Good Thing™.

In the end there was a short Q&A session, much to my surprise. Not terribly interesting though.

Next up was Martin Kiær from Microsoft Enterprise Consulting talking about "Trustworthy Computing". It was the most technically interesting part of the morning. The highlights were:

  • "Security is a process to assure that the acquired security products are used correctly" (paraphrased). The thinking is that you need security products. In an ideal world you don't, because software would be built correctly to begin with.
  • In SP1 for Windows Server 2003, due out late this year or early next year, a "Security Configuration Wizard" will be available. A beta version was demoed, and it looked like a real nice tool. The best part was that you could create a security profile and apply it with a few clicks of a mouse, or, and this is the cool part, a little scripting. Very powerful.

The last speaker after a short break was Pascal Stoltz, Director of The Information Worker Group, in other words he is the director of the group producing Office, Visio, FrontPage and that sort of boring stuff. Basically he was out to spread FUD and I won't go into that, it was just around 20 minutes of unsubstantiated claims, benchmarketing and talk of ROI. He also managed to royally mess up what Open Source and Open Standards are on his second or third slide. It was a mess, but he's probably just a businessman, a manager.

They know that StarOffice and even more OpenOffice.org are the main competitors for their cash cow office suite.

Cameras weren't allowed inside (yet I saw at least two people taking pictures with their mobile phones), so I couldn't take any pictures with the camera I had borrowed from Henrik, but afterwards I took a short little photo safari through Tivoli with SiGNOUT hunting for textures to use on my website and just enjoying the very pleasant autumn weather and Tivoli itself.