THE OFFICIAL BLOG OF THE SBS "DIVA"

Spread the word.  If you want to put in your blog site a campaign to showcase that you too are sick and tired of prechecking of software installers that are included in security updates. 

Put this code below into your blog site (in Community Server it's in the News section) to showcase that you have had it with vendors that are sneaking software onto consumer machines in the guise of security updates.

=====start here=====
<a href="http://www.bleepingcomputer.com/blogs/mowgreen/index.php?showentry=1564"><img src="http://imk3xq.bay.livefilestore.com/y1p1UoWJx5pbfw0Eua0Ybyw20g4Nb3NSaNwtb57Dy3ITBVUguIg513j_SoQHAjUuLg0RuhDZVbD8AMTDiUbDfNb92wldtgJuOGU/banthechecksmall.PNG" alt="[Security updates should only offer Security updates]" title="Let&#39;s get vendors to stop offering toolbars and extra software with Security Updates" border="0" /><br /><br />
=====stop here=====

It will resolve into that red banned check logo you now see on the left side of the blog and point to Steve Wechsler's campaign to stop vendors from doing this.

 As Bill Sanderson said it best (inspired by Steve Wechsler) .... "It's time for security folks to come to a united front on this issue--Microsoft is guilty as well, with their toolbar installs pre-checked on certain Java updates.

In addition to an update process which is technically secure--(I think the community is pretty clear on this)--the process needs to be one consumers can trust--and that trust is violated when non-security related updates or add-ons are offered as part of what is fundamentally a security update process.

Microsoft's own update process does this well.  We need to convince the competition that they don't need that crutch to get their product out there." 

Dear Mr. Jobs,

Glad you are feeling better and back to work.  Thanks for rushing out the iPhone patch for the Blackhat issue that was just announced this week.  http://support.apple.com/kb/HT1222 Kudos for getting a patch out that fast.  Bet ol' Ballmer couldn't patch his phone platform that fast, huh?

But can you do me a huge favor?  When you offer an update for iTunes CAN YOU STOP PRECHECKING SAFARI AND MOBILE ME?  I'm getting a tad tired of you and every other vendor that sees updates as a mechanism for cramming your applications down our throats.  We went down this road before and you had it unchecked.  Now you are prechecking it again. 

And don't think that I'm letting any other vendor off the hook, Flash with their google toolbar, Sun Java with their Microsoft MSN (now Bing) toolbar..... enough with the prechecked crud you guys keep doing.

You are violating the trust of updaters.  It is no wonder that people are shutting off updates.  This post is dedicated to Mow.. Steve Wechsler who found his mother's computer with every security patch installed toolbar known to mankind on it.

BleepingComputer.com -> Hey, Software "Vendors", Stop installing CRAP with your security updates !!!:
http://www.bleepingcomputer.com/blogs/mowgreen/index.php?showentry=1564

Join me in demanding from our vendors that Security updates do not offer up toolbars or any other non security related updates.  No additional software should be prechecked when we are obtaining security updates.

That goes for Microsoft, Sun, Adobe, or any other vendor that prechecks a toolbar or other offering with a security update.

Grab your "Ban the check" logos from here:  http://cid-c756c44362cd94ad.skydrive.live.com/browse.aspx/Ban%20the%20Check?uc=1&nl=1

Brad Dinerman sent over a white paper of interest --

Fieldbrook Solutions - Brad's TechTips for Security:
http://www.fieldbrook.net/TechTips/Security/SocialNetworking.asp
http://www.fieldbrook.net/TechTips/Security/SocialNetworkingSecurity.pdf

Former minister defends government departments' use of Twitter | Politics | guardian.co.uk:
http://www.guardian.co.uk/politics/2009/jul/28/twitter-government-departments

Is there a right way to use social networking tools and a wrong way?  I'd say yes.  I still don't like it when someone urges people to use Twitter as a support tool.  To me it's like going to an empty room and yelling "Help I have an issue" and hoping that there is some wacko person who just happens to walk by and hear your yell. 

That said, www.Tweetdeck.com  with a search on #blackhat and #defcon this week and you can learn the buzz around a conference.  That's not good of course when someone you are following goes to a conference and your follow stream turns into "all conference, all the time" (check out http://www.twalala.com/login or www.twittersnooze.com for such times).  But there are risks of such platforms.  Short urls.  Tricked clicks.  Reputation hijacking.  It's a scary place out there, so be prepared when folks ask you about the issues.

The Official SBS Blog : Microsoft Exchange 2007 SP2 installation is blocked on Windows SBS 2008:
http://blogs.technet.com/sbs/archive/2009/07/30/microsoft-exchange-2007-sp2-installation-is-blocked-on-windows-sbs-2008.aspx

Important update: Installing Microsoft Exchange 2007 SP2 on Windows Small Business Server 2008 currently causes problems in some web services of Windows SBS 2008 and requires manual steps to fix the problems. A prerequisite check is deployed in Microsoft Exchange 2007 SP2 setup program for Windows SBS 2008 so that Windows SBS users will be alerted and prompted before proceeding with installation.

-------------

I didn't want to add my opinion to the original announcement....

At first I was in the SBSer mode and was slightly freaking out about this.  How DARE the Exchange team build a service pack that is blocked from installing via Microsoft update or WSUS?  How dare they manage to build such a beast of a service pack that it needs a separate KB reading or an installer to fix back up the things they break? 

But I then had to remind myself that Exchange's servicing history (or lack thereof) has always been like this.  No Service pack has been able to be deployed via Microsoft update or WSUS.  And in fact patches only got MU-able after Exchange 2003 sp2.  I got lulled into a false sense of expectation of patching due to the fact that SBS 2008 jumped into Exchange 2007 sp1 and didn't have to deal with the service pack.

Granted as well, that I really don't want someone to blindly patch with this size and type of a Service pack without backing up the database first.  But with all that justification in my brain of how crappy Exchange historically has deployed service packs, and this really isn't anything new, it is hard to justify the cost and potential for issues when there isn't much of value in this Service pack for the SMB space.

You Had Me At EHLO... : Exchange Server 2007 Service Pack 2 available in Q3 2009:
http://msexchangeteam.com/archive/2009/05/11/451281.aspx

Enhanced Auditing .  Okay maybe there's value there.
Exchange Volume Snapshot Backup Functionality .  Already there in SBS and it's about TIME that you released this, SBS and EBS has had it since they shipped and it was promised to normal Exchange servers for months now. 
Dynamic Active Directory Schema Update and Validation  - Schema updates shouldn't be taken lightly and this is preparing the box for future ones
Public Folder Quota Management - hopefully they've thrown in more than just PowerShell commands as the GUI is lacking
Centralized Organizational Settings  - again a PowerShell update
Named Properties cmdlets  - Again this is another "I'll have to see it before making judgment"
New User Interface for Managing Diagnostic Logging - finally more GUI!

Microsoft mainstream support policy for Exchange Server 2007 remains unchanged. Microsoft will continue providing support and Update Rollups to customers running SP1 for 12 months after SP2 ships.  Translation to me is that we have a full TWELVE MONTHS to get this sucker on our boxes,  Thus even once we get the SBS team wrapper, there is no rush to install this on Servers.

Bottom line .... this is a service pack that I'm having a hard time justifying a value to the customer for.  At least at first glance, this is one that I might apply to new clean servers, but existing SBS 2008 servers, I'm going to have to wait and see what value it has.

Other than 1 year from now I'll urge you to update to be on the update rollups for Exchange 2007 sp2... I can't see value it in ...and a lot of risk.

The Official SBS Blog : Microsoft Exchange 2007 SP2 installation is blocked on Windows SBS 2008:
http://blogs.technet.com/sbs/archive/2009/07/30/microsoft-exchange-2007-sp2-installation-is-blocked-on-windows-sbs-2008.aspx

Important update: Installing Microsoft Exchange 2007 SP2 on Windows Small Business Server 2008 currently causes problems in some web services of Windows SBS 2008 and requires manual steps to fix the problems. A prerequisite check is deployed in Microsoft Exchange 2007 SP2 setup program for Windows SBS 2008 so that Windows SBS users will be alerted and prompted before proceeding with installation.

Microsoft Windows SBS team is working on a Microsoft Exchange 2007 SP2 installation tool on Windows SBS 2008. The tool will automate the Exchange 2007 SP2 installation with a better user experience. With this tool released, users can download the tool to the Exchange 2007 SP2 setup folder and launch the SP2 setup from the tool. The tool will remove the prompt, stop the FSE services, launch Exchange 2007 setup UI, and then perform post-setup cleanup after SP2 installation is successfully completed.

For users who want to deploy Exchange 2007 SP2 on their Windows SBS machines urgently, manual steps are provided in KB 973862. However, we strongly recommend users to leverage our upcoming installation tool for a successful SP2 installation. We will inform you via this blog when this tool is available.

Note: KB 973862 should be available next week. 

Here's this week's special WindowsSecrets article on this week's Out of band/Out of Cycle patch:

Install MS's out-of-cycle patches for IE, apps:
http://www.windowssecrets.com/comp/090730

....T-E-M-P-O-R-A-R-I-L-Y.... right?  Just for testing?

And mind you I'm seeing more apps that demand that UAC is on or that the firewall is enabled.  Granted Live Mesh is not a normal app but I found it interesting that you can't install Live Mesh unless the firewall is enabled.  But say you need for testing purposes (to deal with a sucky app to prove a point) that it won't work with the firewall totally disabled.  And you notice in your 2003 or 2008 server that you can't temporarily turn off the firewall by the gui interface or the netsh commands? 

The key is that you have to tell the group policy on the server to release control.  In SBS 2003 do the following...  http://www.sbslinks.com/group.htm  Launch the group policy management console on the server.  Right mouse click the Windows Firewall on the left slde.  Untick the "link enabled" setting.  At a command prompt type in gpupdate /force and hit enter.  This will leave the policy in place and allow you to go to the workstation and turn off (again temporarily) the firewall. 

On a Server 2008 box the setting is similar but this time go to the http://msmvps.com/blogs/bradley/archive/2009/05/29/group-policy-defaults-for-sbs-2008.aspx Windows XP policy or the Windows Vista policy and again, undo the link enable there. 

You may need to type in gpupdate /force at the workstation to force the group policy change faster, but that will allow you to manually adjust the firewall on the workstations.

Now, that you've proven to the vendor that the app works, ask them specifically for the ports or application they need opened up.  Go back up to the server and add your exclusions up in that firewall settings.  That way you can have your apps happy, and keep the firewall on the workstations.

So the other day I noted on a server I have that there was a service called Windows service pack installer service and it wasn't running.  Okay ... hummm I don't remember that service before so let's check my running service inventory.  Nope, last time it wasn't there.  So where did that come from.  The file is an official one from Microsoft , but the name is Windows 2000 service pack installer service so what the heck is it doing on a Server 2003 box?

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24295747.html

Others have seen it as well.

This where "know thy system" comes into play.  The ONLY thing I changed on that box was that I ran a special install of Malwarebytes.org a few days ago just to ensure that it was malware free.  Sometimes that cleans off more crud off a system that normal antivirus says is clean.  So being in a paranoid frame of mind (with Blackhat in the works) I ran it on the box. 

So let's uninstall that app and see if that goes away.  And sure enough... and as reported in the software monitoring alerts... Application Malwarebytes' Anti-Malware (C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx and will no longer be run when a user logs into the system.  Once I removed that application, that particular service went away.

Security Fix - Microsoft's Emergency Patch Mess:
http://voices.washingtonpost.com/securityfix/2009/07/microsofts_emergency_patch_mes.html?wprss=securityfix

From the comments:

"I am not sure about the following comment Microsoft made regarding the release of these latest patches to IE. "We decided to issue these updates now rather than wait for things to get worse." Why would Microsoft wait to release these patches? They should release them as soon as the patches are ready, especially if they are critical patches. The above statement makes me think Microsoft waits to release patches until things are bad. I do not understand that. "

Microsoft patches on a cycle that releases the patches on the second Tuesday of each month.  The reason that this is being released now, and not later in August is one word: BLACKHAT.  Tomorrow (Wednesday) at 3:15 p.m., three researchers are giving a talk on how to bypass the existing ActiveX blocker.

Microsoft BlueHat Blog : Black Hat USA Spotlight: ATL Killbit Bypass:
http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx

For more check out the upcoming newsletter at www.windowssecrets.com

If you are patching today for the out of cycle patches, be aware that the Exchange 2007 update rollup 9 is also out on the update site today.

You Had Me At EHLO... : Update Rollup 9 for Exchange Server 2007 Service Pack 1 has been released:
http://msexchangeteam.com/archive/2009/07/17/451835.aspx

As Don reported, if you use Storagecraft you'll want this patch as it fixes some issues with the backup.

Tonight I applied the patch to the two servers that run the blog site and one (Yoda) got stuck on shut down.  Fortunately the other (Brianna) didn't so I was able to go to her and run a shutdown command of

shutdown -r -m \\Yoda

Mind you Philip recommended that I do a shutdown -r -f -m \\Yoda as that will force the reboot.  Now in a real production/we need this up all the time/server you would be wise to install a remote IP device that would allow you to get access to the server below the operating system.  Many of the quality servers have this with special network cards (iLos for HP, DRAC for Dell).

If you start moving more things in a hosted setting, having remote management below the OS level is key.

Catherine Eibner : Help bring Sara Ford to Tech Ed Australia:
http://blogs.msdn.com/ceibner/archive/2009/07/28/help-bring-sara-ford-to-tech-ed-australia.aspx

So if you are from downunder and happen to be planning to go to TechEd, can you do me a favor and vote up Sara Ford so she can go to Australia and get a new Koala stuffed toy to replace the one she lost in Hurricane Katrina? 

(Note to Sara.... I have a new found respect for the Aussies that come to America for conference and events... after being in the plane that long they are more insane than I thought... but then again the Aussies are giving away a netbook with Win7 for conference attendees so they aren't that insane.  And while you are there make sure you go to the local zoo to check out a real Koala!  And while there don't forget the TimTams -- http://en.wikipedia.org/wiki/Tim_Tam )

Remote Desktop Services (Terminal Services) Team Blog : Windows Server 2008 R2 RDS and Windows Server 2008 TS CAL Compatibility:
http://blogs.msdn.com/rds/archive/2009/07/27/windows-server-2008-r2-rds-and-windows-server-2008-ts-cal-compatibility.aspx

If it wasn't bad enough figuring out licensing.... now TS cals are no longer TS cals but they are R2RDS cals in the Windows 2008 R2 era.  I think I'll be calling it TS for a long long time.

"Please note that in order to install Windows Server 2008 R2 CALs on your Windows Server 2008 license server, you need to request your Technical Account Manager (TAM) or Escalation Engineer (EE) for KB 971302 and install it on the license server." 

Or they can also use the trick where you edit the request hotfix page and get the request url directly: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=971302

Keep in mind that Windows 2008 R2 cannot be installed over the top of SBS 2008 as well (yes we tried, we wanted to see if it would be blocked or if things would blow up)

So no, you can't do an inplace upgrade of SBS 2008 to and R2 era build of Windows 2008 to get that direct access/branch cache stuff.

The old rule of software is that you wait for Service Pack 1 to deploy software.  But since Windows 7 is in reality Service Pack 3 of Vista, should you wait? 

I'd argue that you are doing yourself a disfavor if you wait for Service pack 1. 

And to all those who want to upgrade inplace from XP, the funkiest systems I've dealt with are inplace upgrades.  I wouldn't recommend inplace as a preferred deployment means.  Besides, when you start deploying Windows 7 you should also ask yourself if it's time to jump the 32 to 64 bit barrier.  Due to that reason alone, you will need to do clean installs and migrate the data.

Windows 7 Role-Based Learning and Readiness:
https://partner.microsoft.com/US/40110019

One of the tools I use to monitor activity on the blog site is a product called www.eventsentry.com for $85 for one server (less, the more server and workstations you add) it has a nice built in monitoring toolkit. 

Some of the events that it tracks that I like are.... (keep in mind these are 2k3 events, not Vista or 2k8)

7036 - start of a service.  Handy to know when services are starting and stopping.
21 - Server/Workstation restarted due to automatic updates
626  - User account Enabled
629 - User account disabled
642 - User account change
624 - User account creation
630 - User account deleted
644 - User account locked out
627 - User account password change attempt
628 - User account password set
671 - User account unlocked

Audit policy change
612 - Audit policy change
608 - User right assigned
609 - User right removed

Group Management
649,654,664 - distribution group changed
648,653,663 - distribution group created
652,657,667 - distribution group deleted
650,655,665 - distribution group member added
651,656,666 - distribution group memeber removed
641,639,659 - security group changed
635,631,658 - security group created
638,634,662 - security group deleted
636,632,660 - security group member added
637,633,661 = security group member removed

Logon failures
539 - account locked out
544,545,546,547 - IKE failures
533 - Logon at prohibited computer
530 - Logon outside allowed time
531 - Logon with disabled account
532 - Logon with expired account
535 - Logon with expired password
534 - Logon with invalid type
529 - Logon with unknown username/password
537 - Unknown logon failure

System events
513 - Windows shutting down
512 - Windows Starting

General server hardware
11 - Disk error
52 - Disk fail predicted
1076 - unexpected shutdown

Server stuff
26 - Application popup
6009 - Server boot

Download details: Security Audit Events for Windows 7 and Windows Server 2008 R2:
http://www.microsoft.com/downloads/details.aspx?familyid=3A15B562-4650-4298-9745-D9B261F35814&displaylang=en


Remember in Server 2008 and Vista, the security codes are different.  Much more granularity was needed so codes were added to the base numbers.

Windows Security Logging and Other Esoterica : Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+:
http://blogs.msdn.com/ericfitz/archive/2009/06/10/mapping-pre-vista-security-event-ids-to-security-event-ids-in-vista.aspx

"In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.

The exceptions are the logon events.  The logon success events (540, 528) were collapsed into a single event 4624 (=528 + 4096).  The logon failure events (529-537, 539) were collapsed into a single event 4625 (=529+4096)."

626  - User account Enabled = 4722 in Server 2008/Vista/Win7
629 - User account disabled = 4725 in Server 2008/Vista/Win7
642 - User account change = 4738 in Server 2008/Vista/Win7
624 - User account creation = 4720 in Server 2008/Vista/Win7
630 - User account deleted = 4726 in Server 2008/Vista/Win7
644 - User account locked out = 4740 in Server 2008/Vista/Win7
627 - User account password change attempt = 4723 in Server 2008/Vista/Win7
628 - User account password set = 4724 in Server 2008/Vista/Win7
671 - User account unlocked = 4767 in Server 2008/Vista/Win7

Other events you might want to track in Server 2008 --

If you have a SBS 2003 and you want to install WSUS 3.0 on it, there are certain group policy settings that will help make it easier.  If you have a SBS 2003 r2, in fact, you can just copy the settings.

There are three group policies that SBS 2003 R2 sets up are as follows:

Client Computer policies, Common settings policy and Server computers policy.

Common settings Policy sets up the basic settings so that the workstations can look to the server for it's patches

Administrative Templates

Windows Components/Windows Update

Policy	Setting
Allow Automatic Updates immediate installation	Enabled
Allow non-administrators to receive update notifications	Enabled
Automatic Updates detection frequency	Enabled
Check for updates at the following interval (hours): 1
Policy	Setting
Configure Automatic Updates	Enabled
Configure automatic updating: 2 - Notify for download and notify for install The following settings are only required and applicable if 4 is selected. Scheduled install day:   Scheduled install time:
Policy	Setting
Delay Restart for scheduled installations	Enabled
Wait the following period before proceeding with a scheduled restart (minutes): 5
Policy	Setting
No auto-restart with logged on users for scheduled automatic updates installations	Disabled
Re-prompt for restart with scheduled installations	Enabled
Wait the following period before prompting again with a scheduled restart (minutes): 10
Policy	Setting
Reschedule Automatic Updates scheduled installations	Enabled
Wait after system startup (minutes): 1
Policy	Setting
Specify intranet Microsoft update service location	Enabled
Set the intranet update service for detecting updates: http://SERVERNAME:8530 Set the intranet statistics server: http://SERVERNAME:8530 (example: http://IntranetUpd01)   That update setting is whatever you deem... I choose download and notify since I have another patch management tool that I use most of the time. Next up is client computers policy Computer Configuration (Enabled) Administrative Templates Windows Components/Windows Update Policy Setting Configure Automatic Updates Enabled Configure automatic updating: 3 - Auto download and notify for install The following settings are only required and applicable if 4 is selected. Scheduled install day: 0 - Every day Scheduled install time: 03:00 Last up is the Server policy settings Computer Configuration (Enabled) Administrative Templates Windows Components/Windows Update Policy Setting Configure Automatic Updates Enabled Configure automatic updating: 3 - Auto download and notify for install The following settings are only required and applicable if 4 is selected. Scheduled install day:   Scheduled install time:   To set up the group policy, go to Computer Configuration, then Administrative templates, then the Windows components, then Windows updates.  Find the Configure automatic updates properties and adjust the settings as you see fit.

 It can be a bit intimidating but if you install/or look at a functioning SBS 2003 R2 you'll see how it works under the hood.

... like not.  There's one thing that consistently bothers me about Windows 7.  The very much obvious "hiding" of the compatibility issues of software.  When you look at what Windows 7 does to ensure that you can run your old apps it does two major things.. one it tweaks the compatibility settings for you by running a compat wizard.  And two, if you have Win7 Professional or higher and hardware that will run virtualization you can run a virtual XP mode.  Oh yeah, and the UAC is lowered down so it won't throw up yellow warning windows.

Why does this annoy me?  For several reasons. 

One, Win7 is just adding a compatibility wizard to walk you through the steps needed to make older software work on Win7.  It does EXACTLY the same steps that I do on Vista, it just runs a wizard to do the steps for you.  But the compatibility tweaks are not unique.  I've done them before in Vista.

Two.  If your software is so old that you need to install it on XP, the chances are that it sucks in the security department as well.  Okay okay I know business is key but just keep in mind that if it flat out will not run on anything but XP and demand administrator rights and the firm has not released a new version, that firm is proabably out of business.  If you can't afford a new version, that's one thing.  If the new version doesn't provide your business with value, that's another.  But if the firm hasn't come out with a version that supports Vista, or Win7 and will only support XP ... and it's been this many years since Vista came out?  How healthy is that company anyway?

Three.  That pesky UAC.  Personally I liked the annoying warning windows.  Because each time that app threw up a yellow warning window that's shorthand for "I'm a sucky coder". If the driver installer throws off a UAC error, that's a sign that they are not signing drivers and will keep you in the 32bit world. 

With XPMode in systems that are Win7 professional or higher it means to me that we will have XP around for a long, long time.

Now this is the time to investigate if you can make the jump from 32 bit to 64 bit.  Most of our core apps at the office run in 64 bit just fine.  Really really old tax software that runs in 16bit hates 64bit.  Mind you this is like 1988/1989 vintage software and the statute has closed on those tax years anyway, so it's a bit of a moot point.  That's not to say that you won't find clients that have really old 16bit only software, but for the vast majority of your software that we run,  even if it was bought in 2004, it will run just fine on Windows 7.

But the idea that you have to now buy all new applications and can't use your old crappy ones... unfortunately they'll be around for a long long long time.

Coming up next Tuesday...

You Had Me At EHLO... : Update Rollup 9 for Exchange Server 2007 Service Pack 1 has been released:
http://msexchangeteam.com/archive/2009/07/17/451835.aspx

and a out of band/out of normal security patch day that impacts Visual Studio and Internet Explorer:

The Microsoft Security Response Center (MSRC) : Advance Notification for July 2009 Out-of-Band Releases:
http://blogs.technet.com/msrc/archive/2009/07/24/advance-notification-for-july-2009-out-of-band-releases.aspx

Get your patch management and risk management tools ready to rumble.

http://www.techcrunch.com/2009/07/23/microsofts-money-pit-every-dollar-of-online-revenue-is-wiped-out-by-a-dollar-of-loss/

So remind me again of how cloud computing is suppose to be the future of where all the money is?  Okay okay this is an "investment"... rightttt... in the meantime hopefully that wheezy old traditional software business will hang in there long enough for that online software biz to take off.

Want to have an RSS feed that gets all of your good security information for the Microsoft platform in one spot?

http://www.microsoft.com/mscorp/twc/blogs/default.mspx

The Trustworthy computing group as prepared a landing site with all of their Security blogs in one spot. 

Pretty cool.  One blog location that I wish they would focus on more is cloud computing and more proactive security blogging from that camp.  But for now, that's a very nice landing spot for current technologies.