Microsoft Corp. (Nasdaq: MSFT) security guru Stephen Toulouse first heard his security calling when he got hacked.
The hack was on a dare. Toulouse, also known as "stepto" (pronounced "step toe"), had been running his own Internet Relay Chat (IRC) pipe from home for about three years -- just a place to talk, joke around, and "bitch," he says. In 2002, he got fed up with one member who had been goading him that the IRC system's host Windows 2000 server wasn't secure.
"He wouldn't let it go. So I checked my Windows updates, and I had them all. I came back and said, 'OK, put a file on it or tell me the contents of one of the files on my hard drive,'" Toulouse recalls.
It took the hacker just 30 minutes to relay the contents of a file on the server. "I had missed an update," says Toulouse, who was then a technical writer and trainer for Microsoft and not working in security. "Back then, not all security updates automatically went into updates," and some had to be manually selected.
Toulouse considers that a defining moment in his career -- and it turned out to be an important moment for Microsoft security as well. "I missed it, and it allowed one person in. I realized if I can't get this as an employee of the company, how can our customers?" he says. "That got me interested in security and wanting to be part of the solution to make that easier."
He joined Microsoft's Security Response Center (MSRC) team that fall, where he eventually took over the thankless, shoot-the-messenger job as communications manager for security incidents -- a role he held until October, when he was named to his current post as senior product manager for Microsoft's Trustworthy Computing Group.
"Any time there was an attack or anything of that nature, I would work with the technical teams and make sure all of the information was communicated to the press, researchers, and the public," he says of his MSRC days. "I can tell you exactly how long it takes to get to my front door from my office: with all green lights -- about 19 minutes."
Toulouse's first days on the job were a baptism by fire. He had just moved from Dallas to Seattle when the Slammer worm hit on January 26, 2003. He was staying in temporary housing -- with his wife, two golden retrievers, a cocker spaniel, and a cat -- across the street from the Microsoft campus. He was still trying to sell his house in Dallas and find an affordable one in the much pricier Seattle area.
He remembers the day like it was yesterday: He walked into Microsoft's makeshift command center and was immediately put in front of Mike Nash, then vice president of the security technology unit. "He said, 'I want you to own the online experience of how our customers are understanding whether they have a SQL instance on their machines. I don't care if Bill Gates himself tells you to go do something else, tell him to please come see me first.'"
So he sat down and over the next 24 hours mapped out on notepaper all the applications that shipped with the vulnerable SQL instance. "I was running across the street to put the dogs out" from time to time, too, he says.
Stepto, 35, meanwhile, has emerged as one of the most high-profile yet approachable security executives in the company. The self-professed online gaming addict writes a popular blog under his online name, takes part in major researcher mailing lists and confabs, and floats as comfortably between that world and his corporate home base in Redmond as he does between real life and Xbox online gaming.
His Stepto blog at times is anything but politically correct, with four-letter words sprinkled among the prose, and he says Microsoft gives him "complete freedom" to reach out to researchers and think and speak independently. "Microsoft has more confidence in people talking about the issues of today. There could be things I could say that would need to be put more carefully... But I don't feel like I have any restriction."
He's proud of Microsoft's progress in working more closely and effectively with researchers, especially during the development of Windows Vista. But he admits Microsoft and researchers who believe in full disclosure have agreed to disagree. "We can disagree on methods... [But] we draw the line on illegal activity." His current job entails ensuring security features in Microsoft products are on track, but he also cultivates relationships with security researchers.
Toulouse says Microsoft continues keeping the lines of communication open with researcher HD Moore, for instance, a longtime Microsoft nemesis with a full-disclosure philosophy. "Unfortunately, an attacker can use the same knowledge [Moore releases] and turn it around" maliciously, he says. "He's a rock star, and a smart guy who makes tools a lot of people find useful. We're not going to say we won't work with him again. That's not good for him, us, or our customers."
Stepto's rapport with the research community doesn't mean that he's always popular. He's been called a Microsoft shill, and he admits some people will discount his views just because of who he works for. But he's also refreshingly candid about Microsoft's missteps in security.
"Every vendor should strive to have a good relationship with security researchers. That's a lesson we learned the hard way," he says. "We've [Microsoft] made a fundamental shift in our thinking" here.
But Stepto isn't so diplomatic when it comes to his online gaming preferences. An avid Xbox gamer who prefers science fiction games, he says he doesn't "get" Second Life and other virtual worlds where you're merely yourself, buying an apartment and filling it with furniture. "It's just a meta-reality and feels boring to me versus goal-oriented games. It's just not my thing."
Kelly Jackson Higgins, Senior Editor, Dark Reading