Microsoft's 'Stepto' Gets Into the Game

Microsoft security star Stephen Toulouse talks researchers and Microsofties, cooking, and golden retrievers

Microsoft Corp. (Nasdaq: MSFT) security guru Stephen Toulouse first heard his security calling when he got hacked.

The hack was on a dare. Toulouse, also known as "stepto" (pronounced "step toe"), had been running his own Internet Relay Chat (IRC) pipe from home for about three years -- just a place to talk, joke around, and "bitch," he says. In 2002, he got fed up with one member who had been goading him that the IRC system's host Windows 2000 server wasn't secure.

"He wouldn't let it go. So I checked my Windows updates, and I had them all. I came back and said, 'OK, put a file on it or tell me the contents of one of the files on my hard drive,'" Toulouse recalls.

It took the hacker just 30 minutes to relay the contents of a file on the server. "I had missed an update," says Toulouse, who was then a technical writer and trainer for Microsoft and not working in security. "Back then, not all security updates automatically went into updates," and some had to be manually selected.

Toulouse considers that a defining moment in his career -- and it turned out to be an important moment for Microsoft security as well. "I missed it, and it allowed one person in. I realized if I can't get this as an employee of the company, how can our customers?" he says. "That got me interested in security and wanting to be part of the solution to make that easier."

He joined Microsoft's Security Response Center (MSRC) team that fall, where he eventually took over the thankless, shoot-the-messenger job as communications manager for security incidents -- a role he held until October, when he was named to his current post as senior product manager for Microsoft's Trustworthy Computing Group.

"Any time there was an attack or anything of that nature, I would work with the technical teams and make sure all of the information was communicated to the press, researchers, and the public," he says of his MSRC days. "I can tell you exactly how long it takes to get to my front door from my office: with all green lights -- about 19 minutes."

Toulouse's first days on the job were a baptism by fire. He had just moved from Dallas to Seattle when the Slammer worm hit on January 26, 2003. He was staying in temporary housing -- with his wife, two golden retrievers, a cocker spaniel, and a cat -- across the street from the Microsoft campus. He was still trying to sell his house in Dallas and find an affordable one in the much pricier Seattle area.

He remembers the day like it was yesterday: He walked into Microsoft's makeshift command center and was immediately put in front of Mike Nash, then vice president of the security technology unit. "He said, 'I want you to own the online experience of how our customers are understanding whether they have a SQL instance on their machines. I don’t care if Bill Gates himself tells you to go do something else, tell him to please come see me first.'"

So he sat down and over the next 24 hours mapped out on notepaper all the applications that shipped with the vulnerable SQL instance. "I was running across the street to put the dogs out" from time to time, too, he says.

Stepto, 35, has meanwhile emerged as one of the most high-profile yet approachable security executives in the company. The self-professed online gaming addict writes a popular blog under his online name, takes part in major researcher mailing lists and confabs, and floats as comfortably between that world and his corporate home base in Redmond as he does between real life and Xbox online gaming.

His Stepto blog at times is anything but politically correct, with four-letter words sprinkled among the prose, and he says Microsoft gives him "complete freedom" to reach out to researchers and think and speak independently. "Microsoft has more confidence in people talking about the issues of today. There could be things I could say that would need to be put more carefully... But I don't feel like I have any restriction."

He's proud of Microsoft's progress in working more closely and effectively with researchers, especially during the development of Windows Vista. But he admits Microsoft and researchers who believe in full disclosure have agreed to disagree. "We can disagree on methods... [But] we draw the line on illegal activity." His current job entails ensuring security features in Microsoft products are on track, but he also cultivates relationships with security researchers.

Toulouse says Microsoft continues keeping the lines of communication open with researcher HD Moore, for instance, a longtime Microsoft nemesis with a full-disclosure philosophy. "Unfortunately, an attacker can use the same knowledge [Moore releases] and turn it around" maliciously, he says. "He's a rock star, and a smart guy who makes tools a lot of people find useful. We're not going to say we won't work with him again. That's not good for him, us, or our customers."

Stepto's rapport with the research community doesn't mean that he's always popular. He's been called a Microsoft shill, and he admits some people will discount his views just because of who he works for. But he's also refreshingly candid about Microsoft's missteps in security.

"Every vendor should strive to have a good relationship with security researchers. That's a lesson we learned the hard way," he says. "We've [Microsoft] made a fundamental shift in our thinking" here.

But Stepto isn't so diplomatic when it comes to his online gaming preferences. An avid Xbox gamer who prefers science fiction games, he says he doesn't "get" Second Life and other virtual worlds where you're merely yourself, buying an apartment and filling it with furniture. "It's just a meta-reality and feels boring to me versus goal-oriented games. It's just not my thing."

Personality Bytes

  • Worst day ever at work: "January 26, '03, when Slammer hit. It was a difficult time for me personally and our customers."

  • Proudest Moment: "I've never been much of a coder, but I was very excited when I noodled my way through an [XSS] exploit and knocked it over myself."

  • Phobia: "Dentists. It's not the office, the chair, or anything other than the scraping sensation... I can't stand it. It drives me insane."

  • What Toulouse's co-workers don't know about him: "Before I came to Microsoft, I was a waiter at an upscale barbecue restaurant in the Highland Park part of Dallas, where I once served barbecue ribs to George W. Bush, back when he owned the Texas Rangers."

  • Favorite sports team: "The Dallas Stars [hockey team]."

  • Favorite hangout: "These days, it's my house. I paid enough money for it, so I might as well hang out there. Also, the 08 Wine Bar & Grill in Bellevue, where they have a variety of Washington wines and a variety of beer."

  • After hours: "Gaming. And I cook -- I didn't just wait tables. Reading, going to the movies, playing with my dogs."

  • Music in his smartphone right now: "I don't carry an iPod... I have a smartphone with a 2-Gbit card with Amy Winehouse, Yo Yo Ma, Built to Spill, and Matisyahu... It's a mishmash."

  • Lunch with Bill Gates? "No, but I've been in occasional briefings with him. I traded an email with him not long ago about SPOT [Smart Personal Objects Technology] watches."

  • Comfort food: "Anything I cook. Cooking is my stress relief."

  • Ride: "Mercedes C350. It has a little compact body with a 3.5 litre engine. It's a sleeper -- no one sees it coming."

  • Next career: "Writing. I've been working on a nonfiction book unrelated to computer security -- about New Orleans."

    — Kelly Jackson Higgins, Senior Editor, Dark Reading