Slashdot Mirror


Hackers, Meet Microsoft

Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."

496 comments

  1. Blue by Anonymous Coward · · Score: 0

    ... is the corporate color. It's just too easy.

    1. Re:Blue by MrAnnoyanceToYou · · Score: 1

      Microsoft: How many times have you seen it today?

      You'd think they'd have some shame rather than pride about bugs crushing their entire OS at once.

    2. Re:Blue by chucks86 · · Score: 1

      I always knew that the blue window was 1 pixel larger than the others...

      --
      Help a poor college student. Send a couple cents via paypal to chucks86@gmail.com
  2. Blue? by XanC · · Score: 1, Interesting

    I didn't know that... But come to think of it, the Windows 3.0 splash screen was all blue.

    And 3.1 was a black background, but blue graphic.

    1. Re:Blue? by nxtr · · Score: 5, Funny

      Come to think of it.... BLUE screen!

    2. Re:Blue? by Trogre · · Score: 1

      oh yeah?

      REDmond!

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    3. Re:Blue? by piinkfloyyd · · Score: 0, Funny

      I'll get modded down for this, but... green money.... & yellow envy (your buddies on *nix)

      --
      ...the SIGnificance of inSIGnificance is SIGnificant...
    4. Re:Blue? by The+Wooden+Badger · · Score: 1

      I didn't know it was blue either. I always thought of blue associated with IBM. Maybe we will get to see another SCO type lawsuit against IBM?

      --
      Heroscape, it's like legos combined with anachronistic wargames.
    5. Re:Blue? by mattspammail · · Score: 1

      Not anymore. With Longhorn, they're changing to red. At least we'll get fewer BSODs.

      --
      Now accepting PayPal donations!
  3. So, uh, during that hushed silence by Neil+Blender · · Score: 5, Funny

    What were they thinking? "Oh, shit our OS isn't secure?"

    1. Re:So, uh, during that hushed silence by halltk1983 · · Score: 5, Funny

      I think it was more along the lines of "I hope the boss doesn't get this or he'll find my pr0n stash on the corporate laptop"

      --
      Watch for Penguins, they eat Apples and throw rocks at Windows.
    2. Re:So, uh, during that hushed silence by WillAffleckUW · · Score: 5, Funny

      > What were they thinking? "Oh, shit our OS isn't secure?"

      More likely:

      "How can we spin this from bad to good?"

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:So, uh, during that hushed silence by Anonymous+Writer · · Score: 4, Funny

      Answer:

      "That is a feature, not a bug"

    4. Re:So, uh, during that hushed silence by Dunbal · · Score: 1, Funny

      Or OMG they found my stash of gay pr0n right here in front of everybody...

      --
      Seven puppies were harmed during the making of this post.
    5. Re:So, uh, during that hushed silence by WillAffleckUW · · Score: 1

      > "That is a feature, not a bug"

      Help me, Obit Juan Denobi, you're my only hope!

      makes me think of that scene in Starship Troopers where they talk about nuking bugs dead and then you see a film clip of kids stepping on cockroaches while their teacher laughs insanely ... and just as effective ...

      --
      -- Tigger warning: This post may contain tiggers! --
    6. Re:So, uh, during that hushed silence by dawnread · · Score: 0

      It's totally silent in my office the whole time - that's sociable engineers for you!

    7. Re:So, uh, during that hushed silence by Cerberus911 · · Score: 1

      It's funny people, not Interesting.

    8. Re:So, uh, during that hushed silence by halltk1983 · · Score: 1

      SHHH!!! I'm just in it for the mod points... not like it affects my Karma any more one way than the other :::wink:::

      --
      Watch for Penguins, they eat Apples and throw rocks at Windows.
    9. Re:So, uh, during that hushed silence by Anonymous Coward · · Score: 0

      roooooooooooooooooooooooooooooooofleoollollolololo looloolololololololoollolololololo mission imposible!!!!!!!!!!!!!!!!!111111111111111111111111 111111111111111111111111111111111111111111111

    10. Re:So, uh, during that hushed silence by Lord+Ender · · Score: 5, Insightful

      More like: It is because of the amazing popularity of Windows that we are targets of these attacks.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    11. Re:So, uh, during that hushed silence by dtfinch · · Score: 3, Funny

      Now spin that from bad to good.

    12. Re:So, uh, during that hushed silence by Infinityis · · Score: 5, Funny

      Probably something along the lines of "At least our TCO is lower..."

    13. Re:So, uh, during that hushed silence by damiam · · Score: 1

      Not to burst your bubble, but Funny mods don't affect karma anymore.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    14. Re:So, uh, during that hushed silence by Anonymous Coward · · Score: 0

      Thank you... that WAS the joke!

    15. Re:So, uh, during that hushed silence by Belial6 · · Score: 1

      Since they were going to fire him the next day anyways, now he can sue for discrimination!!!

    16. Re:So, uh, during that hushed silence by kai.chan · · Score: 1

      "Look! Microsoft Windows is the only Operating System you will ever need! We have a record of Always-Flops!"

    17. Re:So, uh, during that hushed silence by djfray · · Score: 1

      no it was more along the lines of "Neil Blender is a tool"

      --
      This sig is o Unfunny o Funny
    18. Re:So, uh, during that hushed silence by Dunbal · · Score: 1

      Microsoft is an equal opportunity employer and does not discriminate against religion, ethnic background, or sexual orientation. In fact, we are proud that Mr. Jonny N. Gineer chose our little get-together as his "coming out of the closet" day, and Microsoft offers support to all its employees who are homo^H^H^H^H men who like men.

      --
      Seven puppies were harmed during the making of this post.
    19. Re:So, uh, during that hushed silence by PingPongBoy · · Score: 1

      > It is because of the amazing popularity of Windows

      Tangentially, billions of people really consider Windows to serve them well. MS may have rushed it to the market without finding all the security holes - so now we need hackers to find them but also to disclose their results rather than exploit them.

      Users, beware. Make your backups and know how to recover. This is a good policy even if the OS is secure.

      On top of this, we have to be careful computers that reference our personal information may be compromised. Chaos can reign unexpectedly.

      --
      Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
    20. Re:So, uh, during that hushed silence by Capt+James+McCarthy · · Score: 1

      "That is a feature, not a bug" Actually, "That is an unsupported feature."

      --
      There are no loopholes. It's either legal or it's not.
    21. Re:So, uh, during that hushed silence by Junior+J.+Junior+III · · Score: 2, Funny

      It's true. Total Cost of 0wnz0rship is much less with MS Windows. Ask any black hat and they'll tell you, the tools and training necessary to take over a box running Windows are much less than for a box running BSD or Linux.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    22. Re:So, uh, during that hushed silence by ZBytz · · Score: 1

      The amount of times i've heard that one!

    23. Re:So, uh, during that hushed silence by Anonymous Coward · · Score: 0

      Then care to explain why the most popular web server is the most secure? After all IIS is nearly last place and is the least secure. And #1 web server is the most secure. Apache, by anyone's measurement is the standard in web servers. And it is also the most secure.

    24. Re:So, uh, during that hushed silence by GeckoX · · Score: 1

      I don't know why I am bothering replying to an obvious troll, but just to counter the BS for anyone that cares:

      Apache is indeed the most popular. Latest stats show it at ~69%. Correct, you get a cookie.

      On the other hand, your statements about IIS are completely off base and unfounded. IIS is solidly at number 2 with ~20%. IIS is not the least secure web server. And apache is not, 'by anyone's measurement', the standard in web servers.

      Give it up already. Apache and IIS are both robust, mature web servers. There is no benefit to be had in trying to promote a server monoculture so why bother? What's your agenda?

      OK, nuff feeding of the trolls.

      --
      No Comment.
  4. Corporate Color by DavidLeblond · · Score: 5, Funny

    > The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

    Must... not... make... obvious... BSOD comment.... aughhh!

    1. Re:Corporate Color by taniwha · · Score: 1

      Err, isn't 'big blue' someone else?

      Surely MS's corporate colors must be more like the windows logo red/yellow/blue/green?

    2. Re:Corporate Color by nachoboy · · Score: 4, Informative

      The blue is actually a reference to the color of the square around your photograph on the Microsoft corporate cardkey. Only full-time employees of Microsoft have blue borders. Contractors and vendors have an orange border. Events for Microsoft employees only are typically referred to as "blue-badge only."

    3. Re:Corporate Color by craXORjack · · Score: 1

      > The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

      For once I'm glad to be in a red state!

      --
      Liberals call everyone Nazis yet they are the closest thing to it.
    4. Re:Corporate Color by LifesABeach · · Score: 3, Funny

      I'm a little concerned about the hackers 'invited' to attend this conference. You see, school is still in session, and did the parents, or legal guardians of the 'invited' ones sign a 'parent permission' slip? Just a thought, but would any of these hackers happily admit to still wearing super hero underwear?

    5. Re:Corporate Color by ShortBeard · · Score: 0

      Just like at Intel.

      Intel employees have blue badges. Contractors have green.

    6. Re:Corporate Color by ImaLamer · · Score: 1

      Well, I for one welcome our Microsoft sponsored hacker overlords...

    7. Re:Corporate Color by Anonymous Coward · · Score: 0

      I thought the fab guys also had green.

    8. Re:Corporate Color by sTalking_Goat · · Score: 1

      just like at Genentech. Genentech employees have blue, contractors have red.

      --
      My days of not taking you seriously are certainly coming to a middle...

    9. Re:Corporate Color by CmdrGravy · · Score: 1

      Just like Spar ( So near so Spar ), employees have cards with purple borders and salesmen and contractors have cards with purple borders BUT with orange spots on them. The interesting thing is that with constant use the purple fades out to blue, so long-term employees have cards with blue borders. Until they either lose their cards, break them or have them replaced, in which case they will have purple cards again unless they have left the company and returned as a contractor or salesman, which would leave them with the card with the purple border with yellow spots.

    10. Re:Corporate Color by Anonymous Coward · · Score: 0

      School is in season? Damn, if you'd studied the first time you wouldn't be in summer school now.

    11. Re:Corporate Color by mikefe · · Score: 1

      Have you been looking at goatse again?

      Please die now, if you actually think that is funny.

      --
      There: Something at a specific location.
      Their: Owned by someone.
      Please make sure your English compiles.
  5. How about 'Blue Screen' ? by bani · · Score: 3, Funny

    To me, it's a far more fitting name.

    1. Re:How about 'Blue Screen' ? by Anonymous Coward · · Score: 0

      The comment above yours seems appropriate.

  6. Was it really necessary to explain Blue Hat? by Anonymous Coward · · Score: 0

    I mean... what were we going to think... that it was named after the Blue Man Group? That IBM was hacking Microsoft?

    1. Re:Was it really necessary to explain Blue Hat? by porcupine8 · · Score: 1

      But then the submitter might have actually had to slightly alter the article text to take that part of the sentence out.

      You wouldn't want to make someone put some EFFORT into something, would you? Then it might come close to actually resembling a summary instead of an unattributed quote.

      They really need to stop saying "*submitter* writes..." and just put the article's author there.

      --
      Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
  7. Good start by Jason1729 · · Score: 3, Insightful

    But will MS actually do anything?

    It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

    1. Re:Good start by StupidHelpDeskGuy · · Score: 2, Insightful

      True, but I am sure you have a few arrogant coders at your place of business. A few senior level coders certainly have an over inflated sense of self where I work. An experience like this would probably be beneficial in and of itself.

    2. Re:Good start by dpilot · · Score: 4, Insightful

      > But will MS actually do anything?

      But *can* MS actually do anything?

      Given the bowl of spaghetti called nearly 2 decades of Windows, how much freedom of action do they really have to clean things up? Tug at a strand here to fix it, and who knows where the other end is? How many side effects will there be from that one fix? Yet at the same time, their market power is based on Windows and their code base. Force too big a migration, too much retraining, and it might well turn into a different kind of migration - to someone else's platform.

      They've got a ticklish and tough job ahead. But then again, they did it to themselves.

      --
      The living have better things to do than to continue hating the dead.
    3. Re:Good start by still_sick · · Score: 5, Insightful

      > It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

      I think it's a matter of levels. Sure, they doubtless know about all the holes in the code or whatever (being the ones that, y'know, PATCH it) - but it's a totally different understanding than that of an expert user.

      It's like an Automotive Engineer and a Mechanic. They both "know" essentially the same things about any specific car. But it's their viewpoints and specific backgrounds that make their individual understandings both unique and useful.

      --
      ...Also, I didn't know Buggalo could fly.
    4. Re:Good start by dbIII · · Score: 4, Interesting

      > Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

      Possibly not. Isn't it the policy at Microsoft to almost exclusively hire recent graduates that haven't worked elsewhere? Even a monoculture of the best graduates is still a monoculture, and it is quite likely that they are not aware of things that are common knowledge elsewhere. Bringing in others gave us NT - not bringing in others gave us Outlook, IE in a state of near abandonment for years, ping so far off standard you could use it to crash servers and a whole lot of software in which it is obvious that little thought of security or even networking was involved.

      It's like the old saying - three ways to do things: right way, wrong way, army way. Training recent graduates to the corporate culture only works if there are others coming in to stop it being an exercise in corporate narcissism, which is dangerous in a company like Microsoft that makes money by high volume, low development cost "good enough" software as distinct from the expensive low volume stuff you would trust to handle a stock exchange or air traffic control. If they aimed to be the best they would not be so successful, they would be undercut.

      The guys writing the code need to be aware of what is going on in the rest of the world.

    5. Re:Good start by Poeir · · Score: 1

      I'd heard the three ways to do things are the right way, the wrong, and the Max Power way.

      --
      Sigs are like bumper stickers.
    6. Re:Good start by Anonymous Coward · · Score: 0

      i've always heard it as the right way,the wrong way, and the cost effective way...

    7. Re:Good start by SWTP_OS9 · · Score: 3, Interesting

      That is the crux of the matter. I have written programs for clients and it is a mega mess of calls and strange crazy links etc. They change things as soon as you learn how to do something useful. And they don't really support the areas they should.

      All software has a life cycle. And Windows has reached the end of its life. Any decent software engineer will tell you that after a while, if you are patching it this hard, all you're doing is patching patches! And definitely doing that will cause more problems. Like a room full of mouse traps loaded with ping pong balls. Toss one in and after a while they will all be triggered.

      Wonder how much of Windows is real code vs. patched.

      It would not surprise me to see Microsoft doing an Apple after Longhorn: creating a new Windows OS from scratch and praying that LH will hold until it comes out. Which would be that date of 2010 that was floated in a memo a while back. Apple did this when small and survived. And MS can do it now but can't postpone much longer.

      With Dell making noises that, if offered, it would put OS X on their boxes, this could force Microsoft to finally do the correct thing and make a real secure Windows from scratch. It will break 20-year-old software, but is it better to do that than be a leaking bucket of patches covering broken code that no one wants to buy or use?

    8. Re:Good start by drsmithy · · Score: 4, Informative

      > It would not surprise me to see Microsoft doing an Apple after Longhorn: creating a new Windows OS from scratch and praying that LH will hold until it comes out.

      Apple didn't create a new OS from scratch, they bought an existing one - NeXT (although many will argue Apple bought Steve Jobs and NeXT was a nice bonus).

      Moreover, since NeXT was actually released for the first time way back in 1989, OS X's codebase is actually around 4 years *older* than Windows NT's.

      > Apple did this when small and survived. And MS can do it now but can't postpone much longer.

      Microsoft will not create another from-scratch OS in the foreseeable future. There is simply no need. Technically and architecturally NT is just as good as any of its contemporaries. 99% of problems in Windows come from legacy support (being phased out with .NET, x86-86 also providing a convenient excuse) and less than ideal default settings (hopefully on the way out with LH).

    9. Re:Good start by peragrin · · Score: 4, Interesting

      nope it's not being phased out.

      the managed .NET code that was supposed to be an all new API is being removed to speed up the deadline. Avalon is being back ported to Windows XP. WinFS is being dropped due to it being too big of a concept and MSFT doesn't have anyone to copy off of.

      Longhorn I hoped would have been a complete rewrite. It failed. There is not a single new innovative feature in Longhorn now. Spotlight searches fast and effectively, on all but networked drives. GPU driven displays: OS X and a large number of X servers (SGI's).

      New remote command shell is a combination of AppleScript and a Python interpreter. It would have been cool but it's been delayed.

      Yet somewhere MSFT found the time to make their own BitTorrent P2P client and server setups. I guess it shows where MSFT lays its priorities. An app that won't bring them cash or their Next Generation OS.

      --
      i thought once I was found, but it was only a dream.
    10. Re:Good start by zbuffered · · Score: 3, Informative

      Like the article, your post contains no commentary on the actual nature of the specific Windows problems demonstrated at "Blue Hat".

      Using tools like void11, you can disconnect wireless clients. Windows automatically attempts to reconnect to the WAP. If you've got an identically-named WAP and you can overpower their WAP, they'll connect to yours instead. They won't be notified, and will think that they are on their own network. Which doesn't matter too much because you could alternately just sniff all their traffic (or even inject your own) without setting up a WAP of your own.

      There's a lot that MS can do about it, and code written 2 decades ago has absolutely no bearing on it.

      --
      Synergy is your friend
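As a defender's counterpart to the sequence zbuffered describes (deauth flood, automatic reconnect, same-SSID rogue AP with the stronger signal), here is an added example of the detection logic a wireless sensor could run over its management-frame log. It is not code from the thread or from any tool named in it; the frame schema, the SSID, the MAC addresses and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Frame:
    """One 802.11 management frame as a sensor might log it (constructed schema)."""
    t: float          # seconds since capture start
    kind: str         # "beacon", "deauth" or "assoc"
    src: str          # transmitter address
    bssid: str        # BSSID the frame belongs to
    ssid: str = ""    # SSID carried by beacons / association requests
    rssi: int = 0     # received signal strength, dBm


def detect_deauth_floods(frames: List[Frame], window: float = 5.0,
                         threshold: int = 10) -> List[Tuple[str, float, int]]:
    """Flag a BSSID that has >= threshold deauth frames inside any `window` seconds.

    Returns (bssid, burst_start, count) for the densest burst per BSSID. A lone
    deauth is normal AP housekeeping; a burst is what a void11-style flood looks like.
    """
    by_bssid: Dict[str, List[float]] = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            by_bssid[f.bssid].append(f.t)
    alerts = []
    for bssid, times in by_bssid.items():
        times.sort()
        start, best = 0, None
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (bssid, times[start], count)
        if best is not None:
            alerts.append(best)
    return alerts


def detect_evil_twins(frames: List[Frame], known_aps: Dict[str, Set[str]]
                      ) -> List[Tuple[str, str, float, int]]:
    """Flag beacons that advertise a managed SSID from a BSSID not in the inventory.

    Returns (ssid, rogue_bssid, first_seen, rssi_delta) where rssi_delta is how much
    louder the rogue beacon was than the last legitimate beacon for that SSID.
    """
    last_legit_rssi: Dict[str, int] = {}
    reported: Set[str] = set()
    alerts = []
    for f in frames:
        if f.kind != "beacon" or f.ssid not in known_aps:
            continue
        if f.bssid in known_aps[f.ssid]:
            last_legit_rssi[f.ssid] = f.rssi
        elif f.bssid not in reported:
            reported.add(f.bssid)
            delta = f.rssi - last_legit_rssi.get(f.ssid, f.rssi)
            alerts.append((f.ssid, f.bssid, f.t, delta))
    return alerts


def correlate(frames, known_aps, window: float = 30.0) -> List[dict]:
    """Join the two signals: a rogue twin appearing within `window` seconds of a
    deauth burst against the legitimate AP for the same SSID is the full pattern."""
    floods = detect_deauth_floods(frames)
    incidents = []
    for ssid, rogue, t_seen, delta in detect_evil_twins(frames, known_aps):
        for bssid, t_burst, n in floods:
            if bssid in known_aps[ssid] and t_burst <= t_seen <= t_burst + window:
                incidents.append({"ssid": ssid, "legit_bssid": bssid,
                                  "rogue_bssid": rogue, "deauths": n,
                                  "seconds_after_burst": round(t_seen - t_burst, 1),
                                  "rssi_delta_db": delta})
    return incidents


def rogue_associations(frames, known_aps) -> List[Tuple[float, str, str]]:
    """Clients that actually (re)associated to a rogue BSSID: the machines to check."""
    rogues = {bssid for _, bssid, _, _ in detect_evil_twins(frames, known_aps)}
    return [(f.t, f.src, f.bssid) for f in frames
            if f.kind == "assoc" and f.bssid in rogues]


# --- constructed sample capture (placeholder MACs, no real network) ------------
KNOWN_APS = {"CorpNet": {"00:11:22:33:44:55"}}
LEGIT, ROGUE, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "02:00:00:00:00:01"


def sample_frames() -> List[Frame]:
    frames = [Frame(t, "beacon", LEGIT, LEGIT, "CorpNet", -70) for t in range(0, 60, 10)]
    # 12 deauths in 1.2 s, source spoofed as the legitimate AP
    frames += [Frame(10.0 + i * 0.1, "deauth", LEGIT, LEGIT) for i in range(12)]
    # same SSID from a new BSSID, 30 dB louder, three seconds later
    frames += [Frame(13.0 + 5 * k, "beacon", ROGUE, ROGUE, "CorpNet", -40) for k in range(5)]
    frames.append(Frame(14.5, "assoc", CLIENT, ROGUE, "CorpNet"))
    frames.append(Frame(50.0, "deauth", LEGIT, LEGIT))   # one benign deauth: no alert
    return sorted(frames, key=lambda f: f.t)


if __name__ == "__main__":
    capture = sample_frames()
    for incident in correlate(capture, KNOWN_APS):
        print("evil twin after deauth burst:", incident)
    for t, client, bssid in rogue_associations(capture, KNOWN_APS):
        print(f"t={t}s client {client} associated to rogue {bssid}")
```

The correlation step is what keeps the alert rate usable: a lone rogue beacon may be a neighbour's misconfigured AP, and a lone deauth burst may be an AP kicking idle clients, but the two together within seconds is the reconnect hijack zbuffered describes.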
    11. Re:Good start by i.r.id10t · · Score: 1

      Who says they can't start over? How many times has the marketing dept. promised "incredible new windows experience" stuff? Why not make it new. Keeping compatibility for 3rd party would be easy - heck, the Wine folks can do it and they don't have the luxury of seeing the source of the original.

      --
      Don't blame me, I voted for Kodos
    12. Re:Good start by Anonymous Coward · · Score: 1, Informative

      disclosure: I'm an intern at Microsoft.

      You know, you claim that Microsoft is insular, but I haven't seen that here. I mean in the few days I've been here, I've met people on my team who have worked at Sun, IBM, and BEA. I myself am a college intern and have worked for TI, Nortel, and a bunch of start-ups. Exactly where are you getting your information, from which you base your opinion? Or are you just making stuff up? I suspect it's the latter.

    13. Re:Good start by dbIII · · Score: 1

      > You know, you claim that Microsoft is insular, but I haven't seen that here. I mean in the few days I've been here, I've met people on my team who have worked at Sun, IBM, and BEA. I myself am a college intern and have worked for TI ... Exactly where are you getting your information, from which you base your opinion? Or are you just making stuff up?

      Old information - a great deal from Crigley in years past, MS recruitment brochures and a local MS employee I knew years ago - it's good to hear it is changing.

    14. Re:Good start by Fallen_Knight · · Score: 2, Insightful

      Not to mention today's grads don't have the skill of the former.

      Used to be you loved CS to go into it, now many do just for a quick buck or a job.

      I'm in 3rd year at SFU, and most people I know can't program worth a damn. Pointers, multi-threaded stuff, assembler confuse many of them. Some never used anything but Java until this year! And then here I am sitting in CMPT 300 as the teacher tried to teach C++ to most of the class and THEN teach OS and threads. Sad.

      Skill level has come way down. There are some good ones I've met, but when I look at some teachers' code and find errors, and see the general lack of skill... Most of the skilled people I know are still only skilled in application level and usually with Java. So very few who know asm/C and how to do low level on the metal stuff.

      Best teacher I had was one who did work in a lot of companies, he knew his shit. Then I got a new young guy next sem, just got out of school and did research, his code sucked. He just didn't know things.

      The guys writing the core code of an operating system should be old veterans, because they know what works, and they've been around forever and seen it all. I don't care what school anyone's come from, or how smart you think you are.

      I work on Windows device drivers, I know how hard it is to even do low level work, let alone do it right. My dad's been doing drivers for 20+ years now; I'll see something and think, oh, in school, or this way is better, and most of the time he's like no, the school way is wrong because XXXX and such. Stuff you wouldn't know unless you'd seen it done, and fail.

      Experience is worth way more than any school. Sad that the people who hire don't realize that.

    15. Re:Good start by SuperDuperMan · · Score: 3, Insightful

      Microsoft can't put every single one of their thousands of programmers on a single task like working on Windows.

      And it's not like they are understaffed on the OS team. Adding more programmers to a project does not ensure success and may actually make the process take longer.

    16. Re:Good start by freakmn · · Score: 1

      --
      warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
    17. Re:Good start by sankyuu · · Score: 1

      > It would not surprise me to see Microsoft doing an Apple after Longhorn: creating a new Windows OS from scratch

      ... and then puts it on a Power platform :)

    18. Re:Good start by Anonymous Coward · · Score: 3, Insightful

      Idiot. MS *Research* wrote a *paper* about some peer-to-peer technology. They have near free reign; indeed, it's one of the only research labs left that do. This has nothing to do with corporate priorities.

      Slashdot responses about MS and BitTorrent are just FUD.

    19. Re:Good start by inode_buddha · · Score: 1

      "They've got a ticklish and tough job ahead. But then again, they did it to themselves."

      Yeah, but getting them to admit they did it to themselves is something else altogether, IMHO.

      --
      C|N>K
    20. Re:Good start by Mac+Degger · · Score: 1

      Hehe...why do you think it's taking 'em so long to get Longhorn out the door? They decided to re-do a whole bunch of stuff, and it seems they've discovered that doing it 'right' means that it takes a hell of a lot more effort than just merely typing out code.

      --
      -- Waht? Tehr's a preveiw buottn?
    21. Re:Good start by Anonymous Coward · · Score: 0

      what are you talking about?

      WAP - Wireless Application Protocol
      (you know, mobile phones etc.)

    22. Re:Good start by zbuffered · · Score: 1

      Wireless Access Point.
      Ooh, you're right. I've gotta stop abbreviating it like that. Thanks for setting me straight!

      --
      Synergy is your friend
    23. Re:Good start by Anonymous Coward · · Score: 0

      Yes, but it's faster :)

    24. Re:Good start by Anonymous Coward · · Score: 0

      > x86-86 also providing a convenient excuse...

      I think you meant x86-64

      haha

    25. Re:Good start by peragrin · · Score: 2, Insightful

      Very true, but when you're cutting features that you have promised for the past 6 years just to get the product out the door, something is seriously wrong.

      Since XP was released.
      OS X has matured into a great product getting faster and better with each release.

      Linux has gone from hard to install for the average person to being easy.

      Beos has come back from the dead.

      Sky OS was completely written by a lone programmer (1999-2005), including drivers and a full GUI.

      Now MSFT outnumbers all those companies/people, by 10 to 1 in the case of Apple. Why can smaller companies produce more unique software faster than MSFT can? The size of the apps is the same. They can do similar things to MS offerings. Yet MSFT can't keep up.

      --
      i thought once I was found, but it was only a dream.
    26. Re:Good start by dpilot · · Score: 1

      When I read the article, I think more about the security where I work, and I'm just trying to figure out who I can send it to so that constructive things can happen.

      The wireless issues are just the tip of the iceberg. That's in the realm of "exploiting the API," in other words, the exploit potential is in the specification. Most of the Windows exploits so far have been of this sort. The next layer under has been buffer overflows. Both Windows and Linux have seen these. Beyond that, Linux has had format string issues, and I don't even know if people have started looking at Windows for them, yet.

      But there's another layer yet, binary on the wire. In the past, and I'm going particularly to the OS/2 years here, Windows used the API as a marketing weapon. That included announcing APIs as preemptive strikes against competitors' products and shoving binary protocols over wires and in files to stymie interoperation or reverse engineering. Clear text protocols tend to be syntax/semantic-checked, since it's assumed that someone may have been in there.

      With binary wire/file protocols, want to bet for or against the assumption that it's already been parsed, not viewed by human, and therefore can be used as-is?

      As you accuse, I say nothing about the specific Windows problems at Blue Hat. But then the only people who could are Microsoft employees or the invited hackers, and I'll bet all of the above are under some form of non-disclosure.

      --
      The living have better things to do than to continue hating the dead.
    27. Re:Good start by X_Bones · · Score: 1

      > All software has a life cycle. And Windows has reached the end of its life. Any decent software engineer will tell you that after a while, if you are patching it this hard, all you're doing is patching patches! And definitely doing that will cause more problems.

      Whoops! Looks like it's time to stop using that Linux kernel you've got there. After all, there's been so many patches to it that there's no more 'real' code, right?

    28. Re:Good start by Jesus_666 · · Score: 1

      > Apple didn't create a new OS from scratch, they bought an existing one - NeXT (although many will argue Apple bought Steve Jobs and NeXT was a nice bonus).

      Actually, NeXT bought Apple for a negative amount of money.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    29. Re:Good start by Jesus_666 · · Score: 1

      Yes, but Apple doesn't need to use heaps of legacy code in their OS - they just run MacOS 9 in an emulator.
      Linux doesn't bother with binary backwards compatibility as the stuff is usually delivered in source form anyway.
      BeOS... Well, let's just say that BeOS just doesn't have as many legacy apps.

      Windows, OTOH, is expected to be binary-compatible with apps from 1995 while behaving better than the Windows from 1995. I can't even begin to imagine how painful any kind of work with the Windows codebase has to be.
      Maybe Microsoft should just make a stripped-down Windows XP and let virtualization software run that in order to run any pre-LH app. Binary incompatibility might ensure that stuff is neatly separated. However, given that most customers are still using legacy Windows (and can't or don't want to change), that might not be a smart move.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    30. Re:Good start by Dare+nMc · · Score: 1

      > If you've got an identically-named WAP and you can overpower their WAP, they'll connect to yours instead.

      hmm, I never let windows manage my wireless settings, but the linksys, 3com, cisco, and intel based drivers I have used, their default is to not allow association to mixed cells, i.e. this is only true with them if you either don't have security turned on, or the computer knows the WEP key of the rogue AP.

      I assumed this article meant they took a computer on the local network, and used its WiFi to bridge onto the msft network from their external network, allowing them to bypass the corporate firewall.
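      The check a practitioner would want behind this exchange is whether a scan shows a second access point beaconing your SSID, and whether that twin is open (the one case where a client with no security profile will happily join the stronger signal). The following is an added example written for this page, not code from the article or from any of the drivers named above. The known-AP inventory, the BSSIDs and the scan table are all constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One observed beacon, as a wireless scan would report it. */
struct ap_obs {
    const char *ssid;
    const char *bssid;
    int encrypted;    /* 1 if the beacon advertises WEP/WPA, 0 if open */
    int signal_dbm;   /* received signal strength */
};

/* The site's own access points: SSID, BSSID and whether they run
 * encryption. Hypothetical inventory, constructed for this example. */
struct known_ap {
    const char *ssid;
    const char *bssid;
    int encrypted;
};

static const struct known_ap KNOWN[] = {
    {"corp-wifi", "00:11:22:33:44:01", 1},
    {"corp-wifi", "00:11:22:33:44:02", 1},
};

enum verdict {
    AP_OK = 0,            /* SSID and BSSID both in our inventory */
    AP_FOREIGN_SSID = 1,  /* not our SSID: a neighbour, not a twin */
    AP_TWIN_SECURED = 2,  /* our SSID from a BSSID we do not own, encrypted */
    AP_TWIN_OPEN = 3      /* our SSID, not our BSSID, and open */
};

/* Classify one beacon against the inventory. A known BSSID that has
 * lost its encryption is treated as a twin too, since BSSIDs are
 * trivially spoofable. */
enum verdict classify(const struct ap_obs *obs)
{
    int ssid_known = 0;
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++) {
        if (strcmp(KNOWN[i].ssid, obs->ssid) != 0)
            continue;
        ssid_known = 1;
        if (strcmp(KNOWN[i].bssid, obs->bssid) == 0) {
            if (obs->encrypted == KNOWN[i].encrypted)
                return AP_OK;
            return obs->encrypted ? AP_TWIN_SECURED : AP_TWIN_OPEN;
        }
    }
    if (!ssid_known)
        return AP_FOREIGN_SSID;
    return obs->encrypted ? AP_TWIN_SECURED : AP_TWIN_OPEN;
}

/* Walk a scan table, count the twins, and report the strongest one:
 * that is the AP a client choosing purely on signal would pick. */
size_t count_twins(const struct ap_obs *scan, size_t n,
                   const struct ap_obs **strongest)
{
    size_t twins = 0;
    *strongest = NULL;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = classify(&scan[i]);
        if (v != AP_TWIN_SECURED && v != AP_TWIN_OPEN)
            continue;
        twins++;
        if (*strongest == NULL || scan[i].signal_dbm > (*strongest)->signal_dbm)
            *strongest = &scan[i];
    }
    return twins;
}

int main(void)
{
    /* Constructed scan: our two APs, a neighbouring cafe, and an open
     * twin of corp-wifi that outpowers both real ones. */
    const struct ap_obs scan[] = {
        {"corp-wifi",  "00:11:22:33:44:01", 1, -60},
        {"corp-wifi",  "00:11:22:33:44:02", 1, -70},
        {"cafe-guest", "aa:bb:cc:dd:ee:01", 0, -80},
        {"corp-wifi",  "de:ad:be:ef:00:01", 0, -35},
    };
    const struct ap_obs *top;
    size_t twins = count_twins(scan, sizeof scan / sizeof scan[0], &top);
    printf("twins: %zu\n", twins);
    if (top)
        printf("strongest twin: %s on %s, %s, %d dBm\n", top->ssid, top->bssid,
               top->encrypted ? "encrypted" : "OPEN", top->signal_dbm);
    return 0;
}
```

      Whether a real client joins the twin depends on the profile it holds for that SSID, exactly as the reply above says; the detector does not try to guess that, it just tells you the twin exists and which verdict applies.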

    31. Re:Good start by LilMikey · · Score: 1

      used to be you loved CS to go into it, now many do just for a quick buck or a job.

      I graduated 4 years ago... same story then. Possibly even worse since many of my fellow students started down that path with dot-com era delusions.

      The program where I went was C-based and required a semester or 2 of 68k asm so many people kinda got the picture but they still graduated a bunch of shmucks.

      --
      LilMikey.com... I'll stop doing it when you sto
    32. Re:Good start by SWTP_OS9 · · Score: 1

      After these last few weeks. Would not surprise me at all!

    33. Re:Good start by peragrin · · Score: 1

      I always thought that is why they bought Connectix and Virtual PC.

      That way Longhorn would have nearly the same speed virtual windows. It could become unstable but the new system would just drop it and it could be restarted.

      Of course My bet is that MSFT couldn't get the performance they want so they are just going to run the win32 api on top of longhorn.

      Why doesn't MSFT just completely and totally drop the old crud from longhorn. Then when longhorn is stable and cool, build either a VPC emulator, or a wine like emulator to cross translate. It's not like the system specs are going down for Longhorn.

      That is how you upgrade a system, you phase the old stuff out slowly. OS 9 apps have/are getting 7 years to upgrade, and you can still run the old OS's just not on newer hardware. Windows is maintaining compatibility with win 3.1

      OS X has to be backwards compatible. Heck I play OS 9 games on OS X and it very rarely even has to start Classic mode. The libraries load and go.

      --
      i thought once I was found, but it was only a dream.
    34. Re:Good start by Anonymous Coward · · Score: 0

      I think that you missed the part about Linux being further developed and expanded by those with 20+ years of industry experience, from firms such as Intel and IBM, to get Linux to where it is today - an actual viable OS platform, rather than some Finnish student's homebrewed Minix-like / *nix-like OS project.

      Or do you somehow labor under the illusion that "today's Linux kernel", was wholly written by Linus?

    35. Re:Good start by SuperDuperMan · · Score: 1

      Apple doesn't suffer the same fate as Microsoft due to their relatively new OS. Not as many legacy apps to keep working and also they release more incremental builds. If Microsoft put out a new version of Windows every 12-18 months for $129 most people wouldn't upgrade anyway.

    36. Re:Good start by Jarlsberg · · Score: 1
      Wonder how much of windows is real code vs patched.

      There is no real difference between a patch and "fresh" code. There is code rut, certainly, but any upgrade to a software product is merely a coherent compilation of additional code, or patches, if you will.

  8. Puzzled: why get angry? by shm · · Score: 5, Funny

    From TFA, "... some of the engineers were turning red, becoming obviously angry at the demo hacking incident ..."

    I would think they would be looking at their shoes.

    1. Re:Puzzled: why get angry? by Hockney+Twang · · Score: 5, Insightful

      Contrary to popular belief, most of these developers aren't intentionally releasing what they know to be insecure code. They test it beforehand, and sign their work. They are making what they believe to be a good effort at security.

      Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool. It's natural to be angry, and hopefully it will only inspire them to greater vigilance in an attempt to save face.

    2. Re:Puzzled: why get angry? by bani · · Score: 5, Insightful

      Saving face is exactly the wrong motivation to fix security problems.

      If it takes public embarrassment to get these engineers to take problems seriously, then they're totally fucked.

    3. Re:Puzzled: why get angry? by geekoid · · Score: 1

      This is what happens when you hire prima donnas with monster egos.

      MS upper management has a long fight trying to change entrenched developer and middle management habits.

      Every MS and former MS employee I have worked with throws a fit when proven wrong. Or worse, their code works, but is impractical to maintain, and you ask them to change it.

      I have only worked with a few dozen of them, so my sample is small and could be anomalous.

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      Let's see.. they were "turning red". Anger? or embarrassment/shame? Most people are going to turn red from the latter far easier than they will from the former! Maybe they were angry at _themselves_ for not thinking about the exploit opportunities, but this sounds like a case of good ol' embarrassment to me.

    5. Re:Puzzled: why get angry? by Neil+Blender · · Score: 1


      Exactly. When someone finds a bug in our software and it's my fault, I usually get embarrassed or mad at myself (or the testers depending on the exact nature of the bug and how reasonable it would have been for them to have found it during test.) To the person who found and reported the bug, I feel grateful, even if they are a total dick about it.

    6. Re:Puzzled: why get angry? by Usquebaugh · · Score: 2, Insightful

      I would not be angry I'd be ashamed.

      I'm always open to somebody trashing my code. If they can trash it I need to learn what flaws I'm not aware of that I'm coding.

    7. Re:Puzzled: why get angry? by Usquebaugh · · Score: 1

      No,

      it pretty much matches my experience. Arrogant and ignorant, not really a good combo.

      You can always tell a microsoftie, but you can never tell him very much.

    8. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      Contrary to popular belief, most of these developers aren't intentionally releasing what they know to be insecure code

      Are you *sure* about that? Last time I was with a Microsoft representative, he insisted that their code was always "ready to ship". When questioned, "But it isn't ready - there are still many bugs". Again came the answer; "ready to ship".

      Imagine if you made a product, and were fairly proud of the work you had put into it

      Then it's likely you aren't working for Microsoft.

      and publicly demonstrates that it's terribly flawed, making you appear to be a fool

      Um. Because you *are*.

      It's natural to be angry

      No. It's stupid and immature to be angry. Embarrassed and apologetic would be more appropriate. It would then be a good idea to ask for help and admit that you made a big mistake.

    9. Re:Puzzled: why get angry? by mikael · · Score: 1

      But they should know already what the virus writers are looking for ... things like receiving blocks of binary data containing the size and data of the block, and just reading the specified amount of data without any regard to the size of the existing buffer, or implementing script functionality that allows arbitrary scripts to be downloaded, executed, wander through the filesystem and read/write arbitrary files, or applications that use sockets as the default communication protocol between tasks.
      (Although in the latter case, no-one could really have anticipated that network drivers designed for office LANs would be permanently exposed to the outside world through broadband connections).

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    10. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      Microsoft representative != developer

    11. Re:Puzzled: why get angry? by KingPrad · · Score: 1

      Does the motivation matter? The problem is fixed, right? And they will take better care in the future...so what does their motivation matter?

      --
      Stop the Slashdot Effect! Don't read the articles!
    12. Re:Puzzled: why get angry? by Nobody+You+Know · · Score: 3, Interesting
      No. It's stupid and immature to be angry. Embarrassed and apologetic would be more appropriate. It would then be a good idea to ask for help and admit that you made a big mistake.

      No, it's not. Say you work for Microsoft, and your job deals with the NTFS filesystem. You have done everything in your power to make your system secure, but you still have to depend on other coworkers making their systems secure as well. So someone on the wireless team screws up and has a flaw. The exploit demoed uses the power of NTFS against itself to hide a virus. If I was that NTFS programmer, you're damn right I'd be upset, because you know when that bug hits the virus databases, the exploit description will include something about using a flaw in NTFS, even if the code is working exactly as it is supposed to. My work gets blamed even if it's something else that led to the exploit.

    13. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      You are a fucking retard. Stop wanking and wake up to reality.

    14. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      Guess that depends. If you're too lazy to aim for the top and do your best at all times, then yeah, doing just enough to not be made a fool of is perfectly all right.

    15. Re:Puzzled: why get angry? by Nobody+You+Know · · Score: 4, Insightful
      Saving face is exactly the wrong motivation to fix security problems.

      Why, exactly? If saving face motivates people to solve the problem, then I'm all for it. Frankly, I don't care if they fix the problem because they want to save face, impress their girlfriend or because little green men from the planet Weebo have told them to. I care about results. If the problem is fixed, the problem is fixed. Their motivation doesn't even enter my mind.

    16. Re:Puzzled: why get angry? by Tony+Hoyle · · Score: 1

      a flaw in NTFS, even if the code is working exactly as it is supposed to

      bzzzt. Wrong.

      Security must be multilayered. *assume* the information you're getting is full of crap and defend accordingly.

      If NTFS can be spoofed by trusting some other subsystem then there *is* a bug in NTFS.
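      The length-prefixed-block bug mikael describes a few comments up, and the rule in this reply (assume a value that arrives from another subsystem or from the wire is hostile), in one added C example. This is illustrative code written for this page, not anything from Microsoft or from the Blue Hat demos; the wire format (a 4-byte big-endian length followed by that many payload bytes, copied into a fixed 64-byte buffer) is an assumption made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

struct record {
    uint32_t len;
    uint8_t payload[PAYLOAD_MAX];
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: trusts the length field from the wire. A length above
 * PAYLOAD_MAX overflows rec->payload; a length beyond the input reads
 * past the end of the input buffer. Kept only for contrast; never feed
 * it untrusted data. */
int parse_record_unsafe(const uint8_t *in, size_t in_len, struct record *rec)
{
    if (in_len < 4)
        return -1;
    rec->len = read_be32(in);
    memcpy(rec->payload, in + 4, rec->len);   /* no bound on rec->len */
    return 0;
}

/* HARDENED: the declared length is checked against both the bytes
 * actually present and the capacity of the destination before any copy.
 * Returns 0 on success, -1 on a truncated header, -2 if the declared
 * length exceeds the input, -3 if it exceeds PAYLOAD_MAX. */
int parse_record_safe(const uint8_t *in, size_t in_len, struct record *rec)
{
    if (in == NULL || rec == NULL || in_len < 4)
        return -1;
    uint32_t declared = read_be32(in);
    /* Subtract the header from what we have rather than adding it to
     * the declared length, so a huge declared value cannot wrap. */
    if (declared > in_len - 4)
        return -2;
    if (declared > PAYLOAD_MAX)
        return -3;
    rec->len = declared;
    memcpy(rec->payload, in + 4, declared);
    return 0;
}

int main(void)
{
    struct record rec;
    /* Constructed inputs: a well-formed 5-byte record, and a record that
     * claims 0x10000 bytes of payload while carrying only five. */
    const uint8_t good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t lie[]  = {0, 1, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    printf("well-formed record: %d\n", parse_record_safe(good, sizeof good, &rec));
    printf("lying length field: %d\n", parse_record_safe(lie, sizeof lie, &rec));
    return 0;
}
```

      The two checks are deliberately separate: the first keeps the parser from reading past the buffer it was handed, the second keeps it from writing past the buffer it owns. A length that passes one and not the other is still an attack, which is why neither check can be dropped on the grounds that "the sender is trusted".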

    17. Re:Puzzled: why get angry? by shm · · Score: 1
      You can always tell a microsoftie, but you can never tell him very much.

      Okay, that's going into my sig.

    18. Re:Puzzled: why get angry? by itwerx · · Score: 1

      it pretty much matches my experience. Arrogant and ignorant, not really a good combo.

      Yep, same here.

    19. Re:Puzzled: why get angry? by BVis · · Score: 1

      Damn, you sound like Tony Robbins on Quaaludes.

      --
      Never underestimate the power of stupid people in large groups.
    20. Re:Puzzled: why get angry? by GT_Alias · · Score: 4, Interesting

      There are few motivations as powerful as public humiliation.

    21. Re:Puzzled: why get angry? by SteeldrivingJon · · Score: 4, Insightful

      Why, exactly? If saving face motivates people to solve the problem, then I'm all for it.

      The problem is that saving face can be accomplished by only hiding the problem, or squelching discussion of it, or pretending it isn't there.

      Saving face generally seems to take the path of least resistance, and implies a desire to not face the issue.

      --
      September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
    22. Re:Puzzled: why get angry? by UncleFluffy · · Score: 1

      I have a policy of always buying someone who finds a bug in my code a beer and saying "thankyou".

      --

      What would Lemmy do?

    23. Re:Puzzled: why get angry? by alexhs · · Score: 1

      Aren't they supposed to turn Blue Scr... err... Face Of De... Desperation ?

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    24. Re:Puzzled: why get angry? by inode_buddha · · Score: 1

      "If it takes public embarassment to get these engineers to take problems seriously, then they're totally fucked." No, the engineers are not totally fucked, just slightly fucked. The real losers are the buying public, who buys their fucked product. The CxO's are a whole other ball of wax, IMHO.

      --
      C|N>K
    25. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool. It's natural to be angry, and hopefully it will only inspire them to greater vigilance in an attempt to save face.

      People have been publicly demonstrating these terrible flaws for years and it doesn't seem to have helped. Or does it not count unless it's at a Microsoft-sanctioned event, as opposed to in the wild?

    26. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0


      > If the problem is fixed, the problem is fixed.
      > Their motivation doesn't even enter my mind.

      You would make a very very bad boss. ;)

    27. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      geekoid #135745
      Usquebaugh #230216
      itwerx #165526
      Nothing under six digits here but all under 850,000. Surely that signifies something.

    28. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      Puny human, the denizens of Weebo care nothing for your pitiful computing devices.

      Come the day of the great liberation you will however care all too much about ours.

      Mwah, ha ha ha...

    29. Re:Puzzled: why get angry? by Anonymous Coward · · Score: 0

      "The problem is that saving face can be accomplished by only hiding the problem, or squelching discussion of it, or pretending it isn't there."

      I thought this thread was about M$, not PJ.

    30. Re:Puzzled: why get angry? by SComps · · Score: 1

      Let's not forget to complain about bloated code. There's a jumping off point somewhere. If your input comes from a trusted source, it's only right that you should be able to trust the input. Don't give me this crap about having to defend accordingly. That's a load of bull and everyone knows it (or should at least consider it). If that were the case, the world would have big ass combination locks and magnetic actuators on every door in their house. Inside AND out because well.. you know just because they LIVE here doesn't mean we have to trust them. (sure.. for some families this is normal.. not mine to take it for what it's worth)

      Go ahead. mod me flamebait, I have marshmallows.

    31. Re:Puzzled: why get angry? by Da+Fokka · · Score: 1
      There are few motivations as powerful as public humiliation.

      That surely explains why Bush was re-elected.

      Oh wait...

      What the heck, I've got karma to burn...

    32. Re:Puzzled: why get angry? by WhiteWolf666 · · Score: 1

      My magnetic actuator running WindowsME has locked me into my bathroom before.....

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    33. Re:Puzzled: why get angry? by GeckoX · · Score: 1

      We're talking about projects at a major corporation with thousands of developers involved. You'd have to be pretty dumb to take it that personally.

      You want that kind of weight on your shoulders, you're probably wrapping your own linux distro or something. Then, sure, take it personally.

      --
      No Comment.
    34. Re:Puzzled: why get angry? by CFTM · · Score: 1

      I see your marshmallows and I raise you HoHo's.
      Prepare to defend yourself!

    35. Re:Puzzled: why get angry? by GeckoX · · Score: 1

      I had a new teacher in college who had just finished a 3 year stint at MS. He was teaching OpenGL in C++. He was the most arrogant programmer I have EVER met. Weird, because he was a fairly quiet, normal, down to earth guy. But when it came to programming, and graphics especially, he could do no wrong.

      He gave me a D- on my first project in that class. (It was our 3rd semester, 3rd C++ class). My project was excellent in many ways. I was one of only a few people in the class who even remotely got OpenGL. I personally helped mentor probably a dozen other people through that project.

      I disputed it with my program director, who was our core professor as well. After a code review, my project was re-graded to A+, the teacher in question seriously reprimanded, and he never marked any of our projects again.

      That was also his first, and last, course taught at that school.

      --
      No Comment.
    36. Re:Puzzled: why get angry? by f0rtytw0 · · Score: 1

      In one of my classes in college the professor told us to not have a personal attachment to the code you write. This makes it easier to accept any flaws that someone else points out to you and not get all upset about it. To enforce this we were given a project to work on and would have to do a code walk in front of the class. The professor and the rest of the class would then proceed to question just about everything you did in the code and try to point out mistakes. This taught me to be more open about any code I have written and to graciously accept any suggested changes or fixes. Taking any of that personally just seems unprofessional to me.

      --
      this is the most important sig ever! In your face 446154!
    37. Re:Puzzled: why get angry? by itwerx · · Score: 1

      Nothing under six digits here but all under 850,000. Surely that signifies something.

      Oh my gosh! That's amazing!

      Why the odds of that must be, um, (whips out calculator), pretty good actually...

  9. Slow but steady, Microsoft rises from the ashes... by nugneant · · Score: 3, Funny

    ...like a Phoenix. Slowly, people are catching on. I mean, this HAD to raise some eyebrows.

    It's one thing to read about this on the internet - people say all sorts of things on the internet and you learn to tune it out after a while.

    But seeing it in front of your own very eyes, watching the hack attack commence in the blink of an eye, the pulse of a heartbeat, the shiver of a twitch, the essence of a raindrop, the flash of an instant, with the click of flint before it ignites the gunpowder in a Civil War era cannon-- etc-- it's shocking.

    And so, ten years later, after learning from the hackers, their once-sworn enemies, the Great Microsoft rose to become Operating System: NWO. And that, my children, is the story of how Herr Syrs Bill Gates and Al Gore created and patented the internet.

  10. Hey! by Mr2cents · · Score: 4, Funny

    The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

    Hey, IBM is Mr. Blue! Microsoft is Mr. Pink!

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
    1. Re:Hey! by CyberDave · · Score: 0, Redundant

      Mr. Pink: How about if I'm Mr. Purple? That sounds good to me, I'll be Mr. Purple.

      Joe: You're not Mr. Purple. Some guy on some other job is Mr. Purple. You're Mr. Pink!

      Mr. White: Who cares what your name is?

      Mr. Pink: Yeah that's easy for you to say, you're Mr. White, you have a cool sounding name. All right look if it's no big deal to be Mr. Pink, do you wanna trade?

    2. Re:Hey! by Daytona89 · · Score: 1

      No, Symantec (Or at least Norton) is Mr. Pink.

    3. Re:Hey! by Anonymous Coward · · Score: 0

      Just remember that Mr. Blue dies and Mr. Pink gets away with the diamonds. Do we really want MS to be Mr. Pink?

    4. Re:Hey! by daniel_newton · · Score: 1

      Wait a second.. I like Mr Pink!!

    5. Re:Hey! by a+whoabot · · Score: 1

      "Just remember that Mr. Blue dies and Mr. Pink gets away with the diamonds. Do we really want MS to be Mr. Pink?"

      Listen very carefully near the end; Pink gets caught by the cops.

    6. Re:Hey! by EddWo · · Score: 1

      Thief Of Time

      --
      "Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
    7. Re:Hey! by Anonymous Coward · · Score: 0

      Still better than being dead :)

    8. Re:Hey! by GeckoX · · Score: 1

      Don't exactly have to listen carefully.
      He's quite obviously blown to shit.

      --
      No Comment.
    9. Re:Hey! by Captain_Chaos · · Score: 1

      Hey, IBM is Mr. Blue! Microsoft is Mr. Pink!

      I thought that was Norton?

    10. Re:Hey! by Mr2cents · · Score: 1

      As long as you don't mind picking up the soap, I guess..

      --
      "It's too bad that stupidity isn't painful." - Anton LaVey
  11. Pay outs by 1967mustangman · · Score: 5, Insightful

    So microsoft has what like 50 billion in cash reserves? Why don't they just do a bug bounty and like $50 a bug. Like mozilla did. 50 billion/50 = 1 billion bugs they could find and fix that would hav to make some kind of dent right....................oh wait never mind.

    --
    Madre de Dios! Es El Pollo Diablo! -- Captain Blondebeard
    1. Re:Pay outs by DAldredge · · Score: 0, Flamebait

      No, they have between 10-20 billion. They returned over 25 billion to their shareholders via tax free dividends.

    2. Re:Pay outs by Anonymous Coward · · Score: 0, Informative

      While finding the holes is important, fixing them in a way that doesn't break something else or make new holes is what really costs the money.

    3. Re:Pay outs by umofomia · · Score: 5, Informative
      They returned over 25 billion to their shareholders via tax free dividends.
      Where'd you get the impression that it was tax free? People who received the dividends still had to pay taxes on it (though it was treated separately from normal income).

      From http://www.microsoft.com/msft/FAQ/faqdividend.mspx :

      What is the tax treatment of the special dividend?
      The special dividend, along with the November 2004 quarterly dividend, was treated as "qualified dividend income" for U.S. federal income tax purposes. These dividends may also be considered "extraordinary" under the U.S. federal income tax rules depending on the facts and circumstances of the stockholder. Treatment as extraordinary may affect a corporate shareholder's basis in its Microsoft stock or, with respect to individual shareholders, may affect the tax characterization of a sale of their Microsoft shares. Thus, we strongly urge each stockholder to consult with their tax advisor regarding their specific tax treatment of these dividends including all applicable state, local, foreign and U.S. federal tax considerations.
    4. Re:Pay outs by ThreeE · · Score: 1

      As the recipient of a fraction of this $25B, I'd like to say that it wasn't tax free.

    5. Re:Pay outs by Anonymous Coward · · Score: 0

      Sure! They'll just send a check to whoever sends in a good patch... oh.

    6. Re:Pay outs by Anonymous Coward · · Score: 0

      'REDUCED DIVIDEND RATES FOR INDIVIDUALS

      Certain dividends received by an individual shareholder from domestic and qualified foreign corporations are taxed at the same rates that apply to capital gains. Thus, dividends will be taxed at rates of 5% (0%, in 2008) and 15%. These lower rates apply to dividends received in taxable years beginning after 2002 and before 2009.

      The lower rates on dividends apply for purposes of both the regular and alternative minimum tax.

      To qualify for the reduced rates, the dividends must be from domestic corporations and qualified foreign corporations. The following are qualified foreign corporations:

      * a foreign corporation incorporated in a possession of the United States,
      * a foreign corporation eligible for the benefits of a U.S. income tax treaty that the IRS determines to be satisfactory and that includes an exchange of information program, and
      * a foreign corporation if the stock with respect to which the dividend is paid is readily tradable on an established securities market in the United States.

      >Dividends received from mutual funds and real estate investment trusts (REIT) may also qualify for the reduced rates. The mutual fund or REIT must determine the qualifying amount, if any, and presumably will report the amount on Form 1099-DIV.'

    7. Re:Pay outs by Anonymous Coward · · Score: 0

      You answered the question already. They only have about $50 billion dollars. You couldn't even fix IE or Outlook at that rate, unless they buy Apple and use an emulator to run the legacy Windows stuff.

      MS is going to buy Apple?! I read it on the interweb thing, so it must be true.

    8. Re:Pay outs by DAldredge · · Score: 1

      It appears that I was wrong in regards to the tax rate on the MSFT dividends.

      Please ignore it.

    9. Re:Pay outs by DAldredge · · Score: 1
    10. Re:Pay outs by Anonymous Coward · · Score: 0

      Damn DAldredge, you are a moron.
      How about we ignore everything you post, liar.

    11. Re:Pay outs by Flyboy+Connor · · Score: 1
      Why don't they just do a bug bounty and like $50 a bug.

      Maybe because it would give slightly unethical programmers a reason to deliberately put bugs in the code?

    12. Re:Pay outs by SComps · · Score: 1

      yeah.. worked like a charm for Mozilla.

      *snicker*

  12. I was sure it was green by djKing · · Score: 5, Funny

    M$'s corporate color is blue? Could have sworn it was green.

    - Peace

    --
    Free as in "the Truth shall set you..."
    1. Re:I was sure it was green by Infinityis · · Score: 1

      Nope, the front is blue. But I would agree about the greenbacks.

    2. Re:I was sure it was green by Anonymous Coward · · Score: 0

      I thought it was a disgusting greenish-brown; what you get when you mix red, green, yellow, and blue (with pigments, not light)

    3. Re:I was sure it was green by Anonymous Coward · · Score: 0

      Green for all the money, or green for the envy of Apple's products?

  13. well, it's a start, but a late one by yagu · · Score: 4, Insightful
    The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered.

    At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

    "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.

    First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks. Second, this whole article is a bit of a puff piece, it seems, designed to put Microsoft in the best light, "Can't we just all get along?".

    Good for Microsoft that they're willing to do this kind of thing... shame on them for waiting until five years into the 21st Century. While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line, maybe that kind of pressure will finally be enough to get them to clean up their mess, if only a little bit.

    1. Re:well, it's a start, but a late one by tktk · · Score: 2, Interesting
      Yeah...but did anyone actually test them? If I were a senior manager, I would have raised my hand too.

      Too bad about the other two. I guess they don't have enough guile to be promoted any further.

    2. Re:well, it's a start, but a late one by TripMaster+Monkey · · Score: 2, Insightful

      At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

      "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.


      Anyone can say that they have knowledge of a particular issue...how many of these vice-presidents actually went on to demonstrate that knowledge? I'm guessing zero.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:well, it's a start, but a late one by njcoder · · Score: 3, Funny

      When questioned further... "Oh! I thought you meant SHEEP attacks. That damn Chupacabra!"

    4. Re:well, it's a start, but a late one by neil.pearce · · Score: 3, Funny

      how many of these vice-presidents actually went on to demonstrate that knowledge?

      Give them credit.

      How many of 'em have sat in their lounge, constructing
      a heap of crisp $100 bills from their annual bonus,
      only to find it "overflowing" into the kitchen.

    5. Re:well, it's a start, but a late one by Effugas · · Score: 1

      So the last event at Blue Hat was a panel with all the speakers, answering general questions from the moderator and the audience. I ended up relaying Conover's experience regarding 18/20 senior managers knowing about heap overflows -- and, no joke, one of the heads of their Security Business Unit stands up and says, "Ah. So who exactly didn't know about heap overflows?"

      A number of large companies end up being managed by professional managers who know nothing about the field they're involved in. MS is many things...definitely not one of those.

      --Dan

    6. Re:well, it's a start, but a late one by sharkey · · Score: 1

      Don't make fun. I just saw van with a NASA logo go by outside and...

      Who are you? What are you doi......

      The Space Shuttle ROCKS!!

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    7. Re:well, it's a start, but a late one by lheal · · Score: 2, Insightful
      While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line

      To Microsoft, security is about features. A built-in "firewall", VPN, encryption of this or that, trusted something or other. Applets and wizards.

      They're basically stuck in that position, too. The cash cow is actually layer upon layer of such features, fundamentally designed for a different, and far less ambitious, job than it's now asked to perform.

      I'd better stop, or I'll go into full-on rant mode. Oops, too late.

      Windows needs a complete rewrite, but that's not enough. If they did that now, they'd wind up with the same sorts of problems they currently have.

      Even a total refocus on security is not enough. They have to change who they are as a company. They have to change the mindset that says that software's value is determined solely by how much revenue it produces.

      To a software business the value of a product can be measured by how much money it makes, but it's an unholy error of the stupidest freshman sort to value individual parts of the design by how much they'll bring in. Some parts are so essential, and some phases of design so vital, that without them the overall product falls on its face.

      The marketplace doesn't know enough about the inner workings of your product to tell you what value to place on any particular phase of design. The market (eventually) tells you how well it likes the finished product versus your competitor's, but hidden design processes aren't part of the comparison.

      Security has got to be considered at every step of the design process. It follows along with robustness, portability, scalability, and overall algorithmic soundness.

      I have a suggestion for you Microsoft design managers out there, for the next time your boss says, "Hey, let's make [X] really easy - that would really sell!". Don't just nod. Look at them and say, "Maybe, but it would also be simple to exploit."

      The response will tell you how far the focus has really shifted.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    8. Re:well, it's a start, but a late one by fabu10u$ · · Score: 1

      I suspect they really only know a heap overflow is "that damned thing that causes us to have to issue so many patches."

      --
      They say the mind is the first thing to ... uh, what's that saying again?
    9. Re:well, it's a start, but a late one by williamhooligan · · Score: 1
      First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks.

      That would be Elliot MacHangerstanger (Witchsmeller Pursuivant Of The Hunting For Uses Of The Word 'Windows' or 'Microsoft' Unaccompanied By The Registered Trademark Symbol Directorate) and Horace Ebelfleffer (Vice President In Charge Of Concocting Windows License Keys Whilst Ensuring No Naughty Words Are Accidentally Formed).

      Elliot thought it had something to do with international food surpluses. Horace simply dislikes raising his arm.

    10. Re:well, it's a start, but a late one by Anonymous Coward · · Score: 0

      Actually, all products undergo a mandatory security review before they are shipped. Many products fail. Many bugs are found. The fact that there are still bugs in the released product doesn't say that much about MS's commitment to security; there's not a general purpose OS that doesn't have security holes (and a few that have as many or more than Windows).

      What does say a lot about Microsoft's commitment is their willingness to drop hyped, marketed, revenue-earning features in favor of security and stability releases (Longhorn being pushed back and XPSP2 being released). This gets a lot of bad press in places like Slashdot--"Oh, look at that, they're pushing back Longhorn again!"--but it shows how seriously MS is committed to sacrificing short term profits in favor of long term security.

      I think you're speaking more from ignorance than anything else. Nothing you said above indicates that you are aware of the security review process, nothing you said indicates that you are aware that a very large business unit exists with the sole purpose of conducting code reviews, responding to vulnerabilities in the wild and from researchers, and promoting secure practices in product development (things that, I am disappointed to say, many open source projects--including the Linux kernel, I believe--do not have).

  14. Waiting... waiting... by zakkie · · Score: 1

    for for the the first first .com.com .com.com joke! joke! ;-) ;-)

    1. Re:Waiting... waiting... by codergeek42 · · Score: 0

      That that was was not not funny. funny. =P =P

    2. Re:Waiting... waiting... by m85476585 · · Score: 1

      There is also a net.net, a info.info, a museum.museum, a edu.edu, a gov.gov, and a org.org, but no biz.biz, name.name, cat.cat, jobs.jobs, mobi.mobi, post.post, travel.travel, pro.pro, aero.aero, coop.coop, int.int, or mil.mil

  15. "End of an era"? by TripMaster+Monkey · · Score: 3, Informative


    From TFA:


    "The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."

    Funny...the Fedora install on my laptop seems fairly customizable and fairly secure all at once...
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:"End of an era"? by Turd+Rippleton · · Score: 0


      That's b/c not nearly as many hackers are targeting Fedora... or Apple for that matter. I have to admit though, Kaminsky's remark is a little dramatic.

    2. Re:"End of an era"? by TripMaster+Monkey · · Score: 3, Interesting


      While what you say is certainly true, I'm not sure I buy that as a complete explanation.

      Consider Apache vs. IIS...IIS is in the minority there, but which is more secure?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:"End of an era"? by Turd+Rippleton · · Score: 0


      Well said :)

    4. Re:"End of an era"? by Randseed · · Score: 4, Interesting
      It depends. That seems to usually be the bottom line in this kind of thing.

      Linux these days is generally more secure out of the box. But when you install it, you really need to do a 'netstat -ln' and see what's open. Then set up a reasonable firewall. Your average idiot out there can't do this. (I use Gentoo, so I have absolutely no clue how other distributions handle this stuff, and I don't know what kind of blackbox firewall setups are out there.)

      Linux can be less secure than Windows. Usually that's accomplished by turning on all sorts of crap that you don't need, not securing it, and not updating it.

      Windows, by default, is a typical blackbox. The thing is an absolute mess. Years after they first appeared, we still have Outlook viruses that pop up every day. Web browsing with MSIE is like playing Russian Roulette. At least with Linux you don't have to worry about that as much. With Linux, you set the system up, and it stays set up that way for the most part. So many packages (malicious and legitimate) change settings in Windows, that it's nearly impossible sometimes to have a good picture of what is going on with your system.

      I took a Windows system down on my home network because after one of my family used the thing for a few months I threw a traffic and systems analyzer on the thing and saw so much spyware and so many viruses on it that I couldn't justify letting the thing stay on my network. This was with Norton Antivirus running on it, mind you. As it is, any Windows installation I have is sectioned from the rest of the network for just that reason. They sit on their own subnet, can't talk to each other, can't talk to the LAN, and can only route out to the Internet.

    5. Re:"End of an era"? by Effugas · · Score: 2, Insightful

      What would you think if almost all the code on your system was assembled by Microsoft -- even the third party stuff?

      Strange. Bad. Awful.

      But it's the reality with RPM, or even Apt/Emerge. The Linux distributions really have limited how much stuff the average user installs randomly from the net. But it's a temporary thing...Spyware for Linux isn't worth developing, because there aren't enough non-geek eyeballs to sell.

      It's overall a pretty cool article, but the comparison I had made when talking to Ina was that spyware-assaulted Windows vs. the always-perfect nature of a fresh Knoppix CD is a surprisingly tough contest, and that people may be willing to give up their own ability to customize their system in return for the ability to protect the basic functionality of their system.

      --Dan

    6. Re:"End of an era"? by Shippy · · Score: 1

      In my opinion, IIS has been more secure compared to Apache in their respective latest major versions.

      Go to SecurityFocus and do a search on the vulnerabilities. IIS 6.0 since its release in April of 2003 has had two (2) vulnerabilities. Apache, on the other hand has had 30 (!) since its release of 2.0.44, which is the release I could find that was closest to the release date of IIS 6.0. If you go back to all of Apache 2.0 (the major release), there's a whole page more of them, but I didn't think that comparison was fair.

      --
      -Shippy
    7. Re:"End of an era"? by spisska · · Score: 1

      Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."

      . . . and you can have any color car you want as long as it's black.

      And you're free to speak your mind as long as your mind speaks what we like to hear.

      And you can vote for whomever you want, as long as you're voting for a Party Approved (TM) candidate.

      And you can buy whatever TV you want as long as you don't try to open the back and read the digital signal.

      And you're free to worship in any Christian church.

      And for your security and convenience, would you mind taking off your shoes?

      We thank you for holding.

      Your call is important to us.

    8. Re:"End of an era"? by Anonymous Coward · · Score: 0
      I use Gentoo, so I have absolutely no clue how other distributions handle this stuff, and I don't know what kind of blackbox firewall setups are out there.

      Here's a clue: the default install of Fedora has zero open ports and an iptables firewall blocking all incoming TCP connections, as well as SELinux mandatory access control restrictions on most network-facing daemons.

    9. Re:"End of an era"? by LadyLucky · · Score: 1

      IIS 6. Compare that to Apache. I think you may be surprised.

      --
      dominionrd.blogspot.com - Restaurants on
    10. Re:"End of an era"? by TractorBarry · · Score: 1

      Unless of course our fantastic new DRM scheme is allowed to protect your computer for us^H^H you !

      Expect much more of this sort of talk in the years to come.

      --
      Sky subscribers are morons. They pay to be advertised at !
    11. Re:"End of an era"? by SComps · · Score: 1

      your point is?

      Seriously.. what is it? I read your post I came away from it with nothing. Much like this one only I have the satisfaction of knowing that I didn't let yours go without mention.

      *smiles*

      Are you saying we can't modify our computers? (we can and do daily) or that they modify it for us? MS isn't the only one. When's the last time apt-get overwrote some custom .conf files on you? (if you're a Debian person) or some other application modified something for its own needs that didn't coincide with your own? It happens, gotta get a grip, suck it up (insert 8 or 10 other clichés) and move on.

    12. Re:"End of an era"? by farker+haiku · · Score: 1

      When will you people finally understand that Norton is not the end all be all anymore? If you run Windows, you need multiple virus scanners and multiple spyware scanners. Try AVG in addition to Norton.

      --
      Your sig(k) has been stolen. There is a puff of smoke!
    13. Re:"End of an era"? by jezstephens · · Score: 1

      Don't make it sound like that's acceptable though.

    14. Re:"End of an era"? by Anonymous Coward · · Score: 0

      During install, Fedora asks you what level you want the firewall set at. The default is medium security. I have no immediate recollection of what that specifically means, but suppose that it would be protecting all of the standard services run by default. You actually have to take positive action (ok, just a click) to remove that security by selecting no firewall.

    15. Re:"End of an era"? by Randseed · · Score: 1

      Which is nowhere near acceptable. The system should be designed such that, for the most part, I don't need to be scanning my system for viruses, spyware, malware, etc., on a continuous basis.

    16. Re:"End of an era"? by Jakeypants · · Score: 1

      Jesus Christ. You turned your obviously uneducated family loose on a Windows box? Do you think that had they been running Linux that they'd magically know "gee, maybe I shouldn't run this app from www.obviouslyspyware.com." No. They'd run as root, download and run every shitty piece of software they could find.

      Don't blame Microsoft for problems caused by uneducated users (unless we're talking about Windows ME). I've never gotten a virus or spyware installed that wasn't my fault. Stop spreading FUD.

    17. Re:"End of an era"? by Randseed · · Score: 1
      I'm not spreading FUD. If they were running Linux, there would typically be far less reason for them to install anything as root. Under Windows, there's a huge liability with MSIE and Outlook holes, which don't exist in the same way with Evolution and Firefox. (Firefox has its own problems, yes.) In one sense, some of the increased security is just due to the fact that there aren't as many targeted exploits out there for Linux compared to Windows, and that's because of market penetration.

      Hell, I bought a HP machine that shipped with so much questionable shit installed that it even made my head spin. Most of it got uninstalled immediately.

      Like I said, the catch is that under Windows, it compromises the entire machine. Under Linux, you don't tend to need to run as root to do user things or install software by default, and there are fewer big, honking security holes that everyone knows about.

      Yes, if they ran as root, installed every piece of shitty software they could find, and if there was more malware out there that targeted Linux, it would be just as bad. I'm not arguing that, because it's absolute fact. But at least when family member A compromises herself, it doesn't affect family member B or trash the entire system.

      And yes, Microsoft has made extraordinary strides in security from, say, Windows 95 to ME to 2000 to XP. It's so much better than it was before. It just still is in no way close to the point where I'd go stick, say, patient information on it (being a doctor) and expect to have any kind of security.

    18. Re:"End of an era"? by Randseed · · Score: 1
      Here's a clue: the default install of Fedora has zero open ports and an iptables firewall blocking all incoming TCP connections, as well as SELinux mandatory access control restrictions on most network-facing daemons.
      About all I can say to that is "cool." And I mean it.
  16. Silence of the Lambs by WillAffleckUW · · Score: 3, Funny

    would be more appropriate than Blue Hat conference.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Silence of the Lambs by DaveCar · · Score: 1

      Maybe Brown hat?

      Or Ass-hat?

  17. for Microsoft it is easer... by ratta · · Score: 0

    to have bugs found by hackers rather than by its own employees (that have access to the source code).

    --
    Wondering why i am doing so strange posts? I am trying to get a "+5,Flamebait" or "-1,Insightful" rating.
    1. Re:for Microsoft it is easer... by Humorously_Inept · · Score: 4, Insightful

      Is that so entirely unusual? Would you trust yourself to edit a manuscript that you wrote? When you review your own work, you naturally see your intentions instead of your results. That can be true at a personal, team or corporate level so it's not necessarily just a matter of easier.

      --

      ~Someday, I hope to be an aspiring author.
    2. Re:for Microsoft it is easer... by ratta · · Score: 1

      I find it quite sad that someone who can access the source code is looking for the help of someone who cannot access it... Sorry, but your comparison with a manuscript doesn't really make sense (in this context).

      --
      Wondering why i am doing so strange posts? I am trying to get a "+5,Flamebait" or "-1,Insightful" rating.
    3. Re:for Microsoft it is easer... by zerokey93 · · Score: 1

      I would trust myself, but chances are, any other human that reads it just wouldn't get it. I would also trust someone close to me, but I think the results would be similar. You need an alien set of eyes. Which is why on a project as immense as Windows, code reviews and QA should probably be done by groups outside of that specific area of development.

      I'm not a MS employee, so I'm not aware of exactly how they do things, but this makes sense. It has worked for several companies I've worked for.

    4. Re:for Microsoft it is easer... by Locke2005 · · Score: 0, Flamebait

      What makes you suspect that anyone working at Microsoft has ever done a real code review? Any Microsofties wanna correct this impression? Remember it is always cheaper to let your customers do your QA for you rather than finding the problems yourself...

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    5. Re:for Microsoft it is easer... by colinrichardday · · Score: 1

      And Microsoft can't have code auditors look at the code?

      Also, nothing will guarantee that all bugs will be caught.

    6. Re:for Microsoft it is easer... by Humorously_Inept · · Score: 2, Insightful

      It does make sense. You have explicit knowledge of your creation because you participated in its specification, design, testing, field trials, etc. You are bound to the process used to create it so you're likely to overlook omissions or critical flaws in it. Would you do your own code review? Have you ever written an essay or something and discovered word omissions or sentences that appear to be disjoint in some fashion? For each problem that you find, how many do you end up missing? You see what you intended when you conceived the project and not necessarily what is there because you know what's supposed to be there.

      That's why it's so useful to get people who are totally detached from the project to have a stab at finding problems. That's also why, when you write a novel or story, you have a friend edit it and likewise why your publisher employs copy editors instead of just taking your word for it.

      --

      ~Someday, I hope to be an aspiring author.
  18. Hushed silence, huh? by Red+Dane · · Score: 1

    I bet most of the engineers were thinking.. oh cripes.. what if we discover ANOTHER FLAW?

    I raise a beer to all salaried software developers who put in long crunchtime hours.

  19. |-|4rd c0r3!!! by Anonymous Coward · · Score: 0
    Wow. Luring a laptop onto an insecure network. Those guys are fucking 31337 man. I ph34r them!!!!


    Is it just me, or is this just the usual load of slashdot wank?

    1. Re:|-|4rd c0r3!!! by Anonymous Coward · · Score: 0

      I agree. 802.11 hijacking is nothing special.

  20. 2002 WTF? O.o by Spy+der+Mann · · Score: 1

    From TFA: That shift began in earnest with a well-publicized memo written by Gates on the concept of "trustworthy computing" in 2002. Security had long been a concern at Microsoft, but the issue became imperative after several high-profile attacks exposed the degree of its vulnerabilities.

    Sheesh! It's 2005 and there are still unpatched vulnerabilities. Damn hackers, they're always faster than us! (/sarcasm)

  21. Wait for it, Wait for it... by kryogen1x · · Score: 3, Funny

    How many Red Hat jokes are going to be made now?

    1. Re:Wait for it, Wait for it... by Anonymous Coward · · Score: 0

      Moderators! That wasn't funny. It wasn't even amusing. It was a total waste of bits to tell you that a joke might come along, maybe, but this won't be it. Argh.

    2. Re:Wait for it, Wait for it... by Night+Goat · · Score: 1

      None yet. Because there aren't any to make. Where is the joke?

    3. Re:Wait for it, Wait for it... by Anonymous Coward · · Score: 0

      I just got it!

      Humor, I love it!

      -Anonymous Phil

    4. Re:Wait for it, Wait for it... by Anonymous Coward · · Score: 0

      Two.

      Redhat Enterprise Linux, and Fedora Core

    5. Re:Wait for it, Wait for it... by HG2 · · Score: 0

      Jar Jar is that YOU?

  22. And a fatal error... by CPNABEND · · Score: 2, Funny

    Resulted in the BLUE screen of death!

    --
    My wife doesn't listen to me either...
  23. Re:HEY TIMOTHY! SUCK ANY MORE COCK TODAY! FAGGOT! by Anonymous Coward · · Score: 0, Funny

    You know that picture is almost on-topic.

  24. Technical Competence by ronark · · Score: 3, Insightful
    At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.
    "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.

    So what? Maybe they read some document informing them of what a heap overflow is. It's more important that these managers understand what goes into the code and the technical details that make the system operate, not what an "obscure" problem like a heap overflow is. Microsoft's managers can only claim technical know-how if they have experience working as developers, because otherwise it's simply too hard to understand the real issues that the engineers have to face.

    1. Re:Technical Competence by Neil+Blender · · Score: 1

      Didn't you read the whole article?

      When pressed for more details on the subject, one vice president answered, "That's when your....heap.....overflows? Right?"

    2. Re:Technical Competence by ronark · · Score: 1

      Damn. I must have missed that part. Did the article describe him as being pointy haired?

    3. Re:Technical Competence by viva_fourier · · Score: 1

      Likely, the alpha manager raised his hand as to appear knowledgeable about overflows,
      and the rest of the suits, well, followed suit...

      --
      and now back to the fallout shelter...
    4. Re:Technical Competence by vanman2004 · · Score: 1

      I'm in high school and I've heard of it.

      I would hope that even MS managers would know what it is and not just have read that phrase in a TPS report...

      --
      -Siggy!
    5. Re:Technical Competence by Anonymous Coward · · Score: 0

      So 18/20 managers know what a heap overflow is, yet the idiots writing the code don't?

      I think it's sad that we're still battling the same flaws that were common 20-30 years ago in software. Very sad.

      I wish I could single out Microsoft, but they just have their own unique brand of incompetence. The whole software industry, from Microsoft down to the smallest open source project, doesn't have a freakin' clue (except maybe a dozen programmers, if that many).

      It's just pathetic actually.

    6. Re:Technical Competence by quarkscat · · Score: 1

      Too bad MSFT really, really doesn't like GPL, which is a damn sight less viral than their "Shared Source" license. A very nice little package called "libsafe" handles stack errors on linux pretty nicely. A Windows libsafe DLL that gets called early (and often) would go a long way toward finding most of those pesky vulnerabilities.

      Of course, MSFT could also port their entire OS code over to Sun Java and have everything run in a java sandbox, except for Sun's Community Source license.

      If MSFT's Longhorn makes use of OS virtualization in order to (nearly) eliminate BSODs, does that really mean the coding errors have been fixed? Or that "the tree falling in the woods" really doesn't (illogically) "make any sound"?

      I really don't see how a "Blue Hat" conference will make a whit of difference in MSFT's coding practices, any more than Bill Gatus's pledge that "Security is Job One!" did.

  25. Colors explication: by ratta · · Score: 3, Funny
    White hats do white magic

    Black hats do black magic

    Blue hats do blue screens of death

    --
    Wondering why i am doing so strange posts? I am trying to get a "+5,Flamebait" or "-1,Insightful" rating.
    1. Re:Colors explication: by Anonymous Coward · · Score: 0

      Red Hat do foss revolution speedup

    2. Re:Colors explication: by Anonymous Coward · · Score: 0

      I say, that boy's about as sharp as a bowling ball!

      In readable English please?

    3. Re:Colors explication: by Hentai · · Score: 1

      I'd also like to note that, in the FF series at least, "White Mages" do protective spells, "Black Mages" do destructive spells, and "Blue Mages" steal their opponent's powers and use them as if they were their own.

      --
      -Hentai [in vita non pacem est]
    4. Re:Colors explication: by head_dunce · · Score: 1

      ...and Red Hat's are little vampires sucking de blood from de SCO... BWHAHAHAHA!

    5. Re:Colors explication: by Anonymous Coward · · Score: 0

      And what about the Red Hats?

    6. Re:Colors explication: by Random+Web+Developer · · Score: 1

      "explication"

      You must be french :)

      --
      Artists against online scams http://www.aa419.org/
    7. Re:Colors explication: by Jesus_666 · · Score: 1

      And according to 8-bit Theater, Red Mages are complete ubernerds, which also fits reality quite well. ;)

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  26. Ha HA by cerebralpc · · Score: 0, Offtopic

    In my best Nelson voice

  27. Blue?!? by Anonymous Coward · · Score: 0

    Blue is the color you get when you're depressed. If I had to work there as a security programmer, I would be blue too... knowing that the next scriptkiddie would cost me my job..

    Also remember, it's not Blue Screen O Death, it's Blue Screen Of Job Security for people who have to support it :)

  28. Some things to note by UnknowingFool · · Score: 2, Insightful

    Programmers actually thought that their code could not be exploited. I don't know if this is collective arrogance or part of the MS culture, but it seems most of the world outside of MS knows how easily code in general can be exploited. With as many security problems as MS has had and Bill Gates's many public proclamations about security, you would think that they would know there may still be issues in their code.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Some things to note by GT_Alias · · Score: 1

      I don't think most developers I know would dare to proclaim their code hacker-proof, but I think they would be red-faced just the same were their code publicly exploited. This doesn't show any arrogance on the part of MS, this shows a willingness to admit that their code can be exploited, and a certain humility to allow it to happen in an acknowledged, open forum. I know there is no more open forum than the real world, but when the exploits are out there the engineers can hide behind the Microsoft(tm) name. In this setting, the programming errors had faces and egos to go with them. I think it doubtful the engineers believed they would walk out with no egg on their face (or pie, depending on whether or not you're Bill Gates), so there's a down-to-earth quality to this event that MS doesn't typically show.

  29. "visibly angry" by bani · · Score: 2, Insightful

    Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident.

    To me, this is very telling about those engineers' beliefs and attitudes about their own code. It also speaks volumes about their skill (and their personal belief about their own skill levels).

    Real engineers fix problems, they don't get emotional.

    1. Re:"visibly angry" by CaptainCarrot · · Score: 1

      Especially as this should have come as no surprise. That Windows is insecure isn't exactly secret, esoteric knowledge.

      --
      And the brethren went away edified.
    2. Re:"visibly angry" by Anonymous Coward · · Score: 0

      You don't think you can become emotionally attached to code you spend a lot of time on?

    3. Re:"visibly angry" by TripMaster+Monkey · · Score: 1


      Real engineers fix problems, they don't get emotional.

      Spot on. A real engineer would have welcomed the learning opportunity, not wasted time getting all moody.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    4. Re:"visibly angry" by gordgekko · · Score: 5, Insightful

      That's right, real engineers aren't human beings who would be upset to have their work publicly shown to be lacking. They're supremely efficient human beings who engineered their own feelings out.

      Real engineers are human beings and it's quite acceptable for someone to get mad before they tackle a problem they helped create.

      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    5. Re:"visibly angry" by Chris+Kamel · · Score: 1

      You're not an engineer obviously. To be the best at whatever it is that you do, you have to take it personally. People who work with concepts like "I just do what I'm paid to do" are rarely ever the best. A software engineer's code is his little baby, to see it being broken/hacked into or whatever is like seeing someone harming their baby. And worst of all, it's happening because they didn't "secure" their baby enough. Actually one of the common techniques for interviewing software engineers is to ask them to talk about _the_ project they're most proud of, if the interviewee didn't get personal they're usually deemed not passionate enough about their job and it could be a deal breaker for hiring the candidate.

      --
      The following statement is true
      The preceding statement is false
    6. Re:"visibly angry" by Chris+Kamel · · Score: 1

      sorry, forgot to close the tag after the first "have to" :s

      --
      The following statement is true
      The preceding statement is false
    7. Re:"visibly angry" by Anonymous Coward · · Score: 0

      Imagine you wrote 10,000 lines of code, 99.9% of which is completely bug-free, and then somebody comes along and finds the 10 lines that you wrote at 11pm on a Friday. Suddenly he's the genius for spotting one overflow out of the hundreds of places where you correctly compensated and you're a moron who can't code.

      Get it now?

    8. Re:"visibly angry" by Anonymous Coward · · Score: 0

      I would be more concerned if they weren't emotional. If you are not emotionally involved in what you are doing, why are you doing it? You are likely to do a half-assed job because you don't care one way or the other, as long as you get your money.

      I think most people would consider Linus a "real engineer" and he gets quite emotional over his pet project.

    9. Re:"visibly angry" by Anonymous Coward · · Score: 0
      Isn't that what he just said?

      Posting for the sake of posting are we?

    10. Re:"visibly angry" by Anonymous Coward · · Score: 0

      So you're saying that the guy who, working on his own time, found the only vulnerability in 10,000 lines of code without access to source, working only by black-boxing, on a totally undocumented system, (in my mind roughly equivalent to needle in a haystack) is to be respected less than the person who missed a simple overflow in code that they're paid to maintain?

    11. Re:"visibly angry" by TripMaster+Monkey · · Score: 1


      Posting for the sake of posting are we?

      Sounds more like what you've been doing lately, AC. Following me around, trying to get in your pathetic little digs every chance you get.

      Honestly, you must spend more time on my User Info page than I do.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    12. Re:"visibly angry" by coyote-san · · Score: 1

      If you're writing code at 11pm on Friday (or any night for that matter) and that code isn't being subjected to normal QA/QC review, you have bigger problems than a few buffer overflows.

      If you have buffer overflows "because it's late and you're tired," your process is fatally broken. It should be second nature, e.g., I use snprintf() without even thinking about it. If it's more complex, it should be encapsulated in a few heavily tested convenience functions.

      Who did you say you work for again?...

      P.S., there are plenty of situations where the time you dropped the ball is far more important than the times you didn't. E.g., 99.9% is totally unacceptable if we're discussing automobile accidents causing serious injury - that's maybe once every 18 months.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    13. Re:"visibly angry" by Shanep · · Score: 5, Insightful

      Real engineers fix problems, they don't get emotional.

      This is so true. I've worked with many people in IT and communications over the past 17 years, in financial, military and educational institutions from desktop support to reverse engineering. People who get emotional when challenged or proven wrong are putting their ego before the problem. Their ego becomes the biggest problem and the real problem they're getting paid to fix tends to get fixed in a way that makes them look good, which might not actually be the technically better way.

      The most exceptional people I have worked with, shrugged failure off and carried on with fixing things or making them better. The loudest people don't know shit and cover it up with fast talking. It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.

      Unfortunately, in the past 17 years, only two people in my mind stand out to be the exceptional people, the rest are all competing in a bullshit competition with each other or are otherwise mediocre.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    14. Re:"visibly angry" by njcoder · · Score: 1
      First, the hackers they had at this thing seemed mostly to be "security experts". They don't do this "on their own time", they try and build a business out of it.

      Second, we don't know why they turned red. It might not have been anger, it might have been embarrassment. If it was anger it might have been anger at themselves. They may have all stubbed their toes at the same time :)

      People who code, or create things in general, usually have a strong attachment to their work. It's part of what makes the good ones so good. Being at a conference where you have to sit through and watch people point out your mistakes and not bring up your accomplishments can't be fun.

    15. Re:"visibly angry" by kisielk · · Score: 1

      HEY! I'm a real engineer, and I resent that "human being" comment! Highly efficient cybernetic organism...

      There should be some insensitive clod joke in here somewhere..

    16. Re:"visibly angry" by Locke2005 · · Score: 1

      Sorry, but most of the on-job problems I have had are due to "taking it personally". This includes being called into a special meeting and literally yelled at for improving the product without permission. Don't know about you, but I would prefer to work with people that can separate their work from their own ego.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    17. Re:"visibly angry" by porcupine8 · · Score: 1

      Lacking mod points, I'll give you a "hear, hear!"

      --
      Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
    18. Re:"visibly angry" by poopie · · Score: 1

      Imagine you wrote 10,000 lines of code, 99.9% of which is completely bug-free, and then somebody comes along and finds the 10 lines that you wrote at 11pm on a Friday.

      More like...

      Imagine you've written 10,000 hours of code, 99.9% of which is dependent on APIs you didn't write, and then somebody comes along and points out fundamental security flaws in the design that the APIs you use are based on.

    19. Re:"visibly angry" by ebuck · · Score: 5, Insightful

      Yes, we are human, but then again, not all engineers are equal.

      I once worked for a company that hired an outside consultant to ask how they could get their product into a "better place". It was nasty code that contained snippets of Fortran, C, C++, and three other scripting languages. Some of the newer portions were being developed in JAVA with a database as the "inter-system" communication protocol. It compiled on one specific version of UNIX and threw memory alignment errors.

      The consultant did an excellent job, and he really should be commended for identifying key weaknesses in the product; however, when he presented his findings, most of the managers grew visibly upset, and a few raised their voices (but I wouldn't call it yelling). People defend their collections of bad ideas, and rationalize that it's much more costly to fix problems than to just live with them a little longer.

      I enjoyed my time there, but I moved on because I couldn't stand to see good ideas replaced with bad.

    20. Re:"visibly angry" by Tony-A · · Score: 1

      Real engineers fix problems, they don't get emotional.

      I suspect that in many cases, real engineers get emotional and use that drive to actually fix problems.

      Very telling, yes. After the time past since security was top priority, the realities come as a surprise? It's one thing to convince your boss that your code is secure. It's quite another thing to convince competent hackers.

      If that five cents per compromised machine was anywhere near right, it speaks volumes on the effectiveness of Microsoft's security.

    21. Re:"visibly angry" by ArielMT · · Score: 1

      Kind of like certain versions of the formmail.pl cgi script? (Addressed to both parent and grandparent post.)

      --
      It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
    22. Re:"visibly angry" by William+Robinson · · Score: 2, Insightful
      Real engineers fix problems, they don't get emotional.

      I have been developing for more than 15 years and have worked for great organizations. You could get emotional if corporate process and strategies do not permit you to develop quality code. Have you ever worked in a marketing driven company where dirty work is appreciated by clueless managers, because it is fast and they wanted everything yesterday? Have you ever worked for an organization that puts more priority on marketing gimmicks?

      M$ is not an exception, and many good practices of Software Engineering are bypassed there. The developers are expected to code and pray (I am exaggerating, but it is not far from reality).

      Organization process is very important. It brings the best out of the individual. Real engineers feel suffocated with a lot of marketing shit around.

    23. Re:"visibly angry" by aussersterne · · Score: 1

      As someone who once a very long time ago owned a software company that dealt in networking products (back in the days when UUCP and KA9Q were common), I'd suggest that *real* engineers basically cum in their pants when technical challenges are presented and they can't wait to get out of the room, get back to the screen, and *make it work*.

      Problem-solving in software development is like a drug for the desirable class of engineers. In a lot of industries it's okay to have a "good enough" attitude, but in any kind of engineering (be it software, network, civil-structural, or aeronautical) I want to see people on the job who do it because they can't help themselves, because it's in their blood to make rock-solid cool things, not simply because they're drawing a paycheck and meeting deadlines.

      I guess it all depends on what you mean by "real engineers" and how you think real engineers approach real problems.

      Love solving problems = no red face, great product
      Just get paid = red face, late (broken) product

      --
      STOP . AMERICA . NOW
    24. Re:"visibly angry" by Anonymous Coward · · Score: 0

      If they've cum in their pants, the first thing they need to do is to change their pants. Then go make it work. It's really hard to concentrate when you've got squishy pants on.

    25. Re:"visibly angry" by kimanaw · · Score: 1
      To me, this is very telling about those engineers' beliefs and attitudes about their own code

      I'd like to suggest that all those throwing stones here take a reality and gut check.

      Development at MSFT is a pressure cooker. Schedules tend to be pushed to the limits by low level mgmt whose own genitals are resting on the chopping block pretty much 24x7. So it shouldn't be terribly surprising that MSFT has quality issues. Code either gets pushed out the door, or people (and esp. managers) get fired. (Rumors are already circulating RE: the heads that have rolled due to the Longhorn debacle)

      So if you were "treated" to the exercise of having someone waltz in and prove that your code is vulnerable, after you've been pushed to the wall for an extended period, I suspect you'd likewise feel more anger than shame, and probably a lot of frustration, too. After all, most of us don't intend to write bad code, but when the gating QA factor is an overly aggressive date on a calendar, you'll have little opportunity to be concerned about hacks outside the acceptance test suite.

      --
      007: "Who are you?"
      Pussy: "My name is Pussy Galore."
      007: "I must be dreaming..."
    26. Re:"visibly angry" by Anonymous Coward · · Score: 0

      unfortunately you're speaking to a shitload of people who have no idea what ka9q is or how amazing it was at the time.

    27. Re:"visibly angry" by Anonymous Coward · · Score: 0
      Maybe you just say a bunch of stupid things that a bunch of different people think deserve a little dig, but not so much they'd be willing to waste karma on it.

      --An Entirely Different AC

    28. Re:"visibly angry" by TripMaster+Monkey · · Score: 1


      but not so much they'd be willing to waste karma on it.

      What a joke. If you're not man enough to say what you got to say without huddling under the AC blankie, how can anyone take you seriously?

      I say what I want to whom I want when I want...and my karma is 'excellent'. Why is that, do you think?

      (Oh, that's right...I forgot. It's 'excellent' because I'm a 'karma whore'. Silly of me to attempt to discuss this rationally...)

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    29. Re:"visibly angry" by Tony+Hoyle · · Score: 1

      You don't get upset when someone points out a bug in your code?

      I know I do... I don't get angry as such (except with myself). I'll occasionally go into denial 'it works for everyone else.. must be something special about your system!'... still at the end of the day it needs fixing even if it's stupid and I should have caught it earlier.

      It's hard to work on code all day every day and not have a certain amount of emotional investment in it. How you react to that is a measure of maturity.. I'm not so sure it's a good measure of how 'good' an engineer you are. Your code should do that.

      (f/x: looks at code) umm... OTOH maybe measuring purely by code isn't such a good idea...

    30. Re:"visibly angry" by CPUGuy · · Score: 1

      Real engineers are elitist pricks :)

    31. Re:"visibly angry" by Tony-A · · Score: 1

      Imagine you wrote 10,000 lines of code, 99.9% of which is completely bug-free, and then somebody comes along and ...

      You're dreaming.
      Donald Knuth, possibly.
      Anybody else, even if they could, wouldn't take the required effort.

    32. Re:"visibly angry" by Tony+Hoyle · · Score: 1

      Telling management that the code is outdated and you need to rewrite is the hardest thing in the world.. I'm glad I (mostly) work for myself now.

      I had one manager nod, even call a meeting designing the 'new' structure, planning how long it would take, etc.. then 2 days later call us all stupid to our faces for even suggesting it (denying that the meeting that we'd all been at had actually happened, or that he'd *ever* been in favour of change).

      6 months later the company lost a 6 figure contract because the pile of crap they hadn't changed couldn't keep up any more.

    33. Re:"visibly angry" by dsci · · Score: 4, Insightful

      People who get emotional when challenged or proven wrong are putting their ego before the problem.

      I have to disagree. I've fixed/solved some majorly complicated problems in the past 20 years. In many cases, I've gone through periods of frustration that got vented as 'anger.' Once vented, I settled down to the task at hand.

      The most exceptional people I have worked with, shrugged failure off

      It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.

      Perhaps. But that itself does not prove (or even suggest) that some exceptional people are not also 'passionate.'

      You probably should not make such sweeping generalizations. There are many personality types among people who are very effective at very complex tasks.

      --
      Computational Chemistry products and services.
    34. Re:"visibly angry" by puetzc · · Score: 1

      from "Profession" by Isaac Asimov:
      "And those who don't? The ninety-nine thousand nine hundred and ninety-nine that don't? We can't have all those people considering themselves failures. They aim at the professions and one way or another they all make it. Everyone can place after his or her name: Registered something-or-other. In one fashion or another every individual has his or her place in society and this is necessary."

      "But we?" said George. "The one in ten thousand exception?"

      "You can't be told. That's exactly it. It's the final test. Even after we've thinned out the possibilities on Education Day, nine out of ten of those who come here are not quite the material of creative genius, and there's no way we can distinguish those nine from the tenth that we want by any form of machinery. The tenth one must tell us himself."

      "How?"

      "We bring you here to a House for the Feeble-minded and the man who won't accept that is the man we want. It's a method that can be cruel but it works. It won't do to say to a man, 'You can create. Do so.' It is much safer to wait for a man to say, 'I can create, and I will do so whether you wish it or not.' There are ten thousand men like you, George, who support the advancing technology of fifteen hundred worlds. We can't allow ourselves to miss one recruit to that number or waste our efforts on one member who doesn't measure up."

      I want my software written by George! Google for the entire story if you are interested - it is one of my all-time favorites (written in 1957).

    35. Re:"visibly angry" by NanoGator · · Score: 1

      "People who get emotional when challenged or proven wrong are putting their ego before the problem. Their ego becomes the biggest problem and the real problem they're getting paid to fix tends to get fixed in a way that makes them look good, which might not actually be the technically better way."

      To be fair: If they have to work for a boss *and* get their projects done by deadlines often orbiting trade shows, they're bound to let their ego worm its way in. It really sucks when you can be fired for missing a deadline or for making something insecure. Ego may simply be an indication that somebody's worried about losing their job over their reputation.

      Maybe I'm right, maybe I'm not. But I useta work at a software company, and I've seen some of the silly things people have been labeled 'incompetent' for.

      --
      "Derp de derp."
    36. Re:"visibly angry" by Anonymous Coward · · Score: 0

      That's right, real engineers aren't human beings...

      Personally, I'd have to say they aren't. I'm friends with a lot of engineers, and I don't think they're human at all. Good people, just not human.

    37. Re:"visibly angry" by Anonymous Coward · · Score: 0

      Yeah right...

      Engineers are people, and people get annoyed when it is shown that their work is flawed.

    38. Re:"visibly angry" by Shanep · · Score: 1

      You probably should not make such sweeping generalizations. There are many personality types among people who are very effective at very complex tasks.

      You are absolutely correct. I was too hasty with that post. Need sleep......

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    39. Re:"visibly angry" by Shanep · · Score: 1

      I want my software written by George! Google for the entire story if you are interested - it is one of my all-time favorites (written in 1957).

      Wow, you have me wanting to read more. I normally read technical books only, but I'm compelled to read more. Thanks.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    40. Re:"visibly angry" by Shanep · · Score: 1

      Maybe I'm right, maybe I'm not. But I useta work at a software company, and I've seen some of the silly things people have been labeled 'incompetent' for.

      Fair enough. I guess (and I should know, working for the crowd I work for), that money, time, exhaustion and expectations can make anyone angry when things don't go as planned.

      I have no idea how the Microsoft devs are treated, so I can't blame them without knowing them. I left more than one job because a manager did not understand or appreciate the issues they're supposed to be managing.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    41. Re:"visibly angry" by Daniel+Phillips · · Score: 1

      You don't get upset when someone points out a bug in your code?

      Never. I thank them and mumble some lame excuse for missing it myself. (E.g., that's why we have "other eyes".) If it's nontrivial, I may compliment them as well if that seems appropriate.

      What gets me upset is ugly unreadable buggy junk with no good design basis, that is defended on a territorial basis.

      --
      Have you got your LWN subscription yet?
    42. Re:"visibly angry" by GT_Alias · · Score: 1

      To label 17 years worth of relationships as falling into either "exceptional" or "competing in a bullshit competition with each other or otherwise mediocre" suggests a black-and-white viewpoint not recognizing the potential in between. I think the true talent lies with those able to utilize the unique strengths of different people. Yeah, some people won't make the cut, but making a judgement along the lines of "17 years of people and 2 qualify as exceptional" is a harsh standard to impose.

    43. Re:"visibly angry" by Shanep · · Score: 1

      Yeah, some people won't make the cut, but making a judgement along the lines of "17 years of people and 2 qualify as exceptional" is a harsh standard to impose.

      Maybe I'm harsh then. Exceptional is exceptional after all. Maybe my idea of the word is too strong for your liking. When I state exceptional, I am talking about the full package. Someone who is brilliant and reasonable for example. Someone who is truly gifted yet willing to consider an alternative idea or opinion.

      I don't see it as black-and-white, I see a majority of plodders, just turning up to work to pay the bills. Some loud arseholes who are "it", talk a lot but don't really contribute much more than the "safe-bet pre-packaged half-solution" which almost fits and then boast about how wonderful they are. Then there are the nice folks who care about the job but don't do it all that well. And then there are those few exceptionals who not only manage to put up with the rest, but also see the real issues and fix them in creative ways that have the bullshit artists desperately searching for some way to save face and the plodders complaining that this makes everyone else look bad (and the nice folks congratulating).

      There is a very bad problem in IT where I live, where people protect their knowledge and if they're lacking they bullshit. Those people are not exceptional and unfortunately I see the majority either dull and many being full of crap.

      This is really how I see it. Maybe things are great in your part of the World, but in my part of the World the mundane rule and protect each other. I'm quite sick of being verbally shot down by morons when I know I have an excellent, unique solution which actually fits while using current infrastructure (and my track record shows this time and time again when I actually get given the chance). It is true that I have difficulty with these people, but my difficulty does not make them any less mundane or insecure.

      I do need to work on my people skills to learn to manage these types, but I think my problems are nowhere near as bad as theirs and at least I am aware and willing to face my shortcomings. A bullshit artist is a bullshit artist and plodder is a plodder. They are not what they are because of me, but I do see them for what they are.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    44. Re:"visibly angry" by kaens · · Score: 1

      You know, I never got the whole "ACs are cowards" thing. I mean, other than the fact that coward is part of the acronym.

      You are not much less anonymous than an AC, unless your real name is TripMaster_Monkey. The biggest difference between ACs and non-ACs, at least on a site this large, is that you can read up on a poster's history.

      It's just an internet forum. Who fucking cares? And anyone saying that you should disregard every post written by every AC is a fucktard. There's a ton of people with usernames that do nothing but troll as well, and a ton of good AC posts as well.

      People may have different reasons for posting AC. Maybe someone just wants to make a flippant remark that they normally wouldn't post (this is the case a lot of the time it would seem) or maybe someone really is cowardly. Maybe someone doesn't want to make a slashdot account. Maybe someone just wants to post as AC for no reason.

      The previous part of my post is not directed at you, specifically - I just think everyone railing against ACs is moronic at best.

      "huddling under the AC blankie" - what the fuck kind of meaningless crap is that? Why don't you post your full name, street address, and some links to pics and stop "huddling under the pseudonym blankie?" Jesus.

      You say what you want to who you want when you want, and you've got 'excellent' karma. I post what I want to whoever I want whenever I want, and I've never even looked at what my karma is because I DON'T FUCKING CARE.

      I also don't care about you making "me too" posts, and I think that the people objecting to you making those posts are dumb. And, if you've got someone following you around making AC posts just to troll you, then they are dumb as well. Or at least just bored.

      Anyhow, don't let much of anything that gets said to you on the internet get to you. You'll just end up pissed off.

    45. Re:"visibly angry" by Mac+Degger · · Score: 1

      And that's the difference between real engineers and 'software engineers'.
      When there's real lives on the line (as in when building bridges, or engines or whatever), you just don't have the luxury of considering your ego; if a problem is detected, you're just glad to have caught the problem before the bridge has crashed or the engine has blown up. You then do all you can to fix the problem...you don't have the luxury of getting angry; you move on and fix what needs to be fixed.

      Well, in theory. But even in practice that's what civil or mechanical engineers tend to do, 'cause they really don't want to kill people. I imagine that that's what happens to software engineers who do medical software for stuff like remote operations, too.

      --
      -- Waht? Tehr's a preveiw buottn?
    46. Re:"visibly angry" by Tomfrh · · Score: 1

      I would worry about any engineer who was detached enough not to get at all upset.

    47. Re:"visibly angry" by bani · · Score: 1

      Actually I am an engineer, and I write code specifically dealing with security issues.

      The problem is that when you get emotional, it clouds judgement and you make mistakes. You often make the problem worse.

      Look at how irrational parents can become when "protecting their little baby".

      This is exactly the wrong mindset to have when dealing with security issues.

      Think about the real pros - test pilots, ER doctors, etc. If you get emotional and take things personally, you fuck up big time. The real pros stay calm, cool headed, and work the problem.

      It's possible to be passionate about a project, but if you get redfaced when confronted with criticism of your project, it indicates you have real ego problems.

    48. Re:"visibly angry" by wilhelm · · Score: 1

      Well said! If I had mod points, you'd surely get 'em.

      To take your point a little further, emotion is the wrong mindset to have when dealing with any problems, not just security problems - as you say, it just clouds judgement, and causes mistakes.

      I am a system admin, formerly a programmer, and I see this in my everyday work. Some "programmers" and "system admins" I deal with get really upset if I tell them, always as constructively as I can, their solutions are impractical, or will take too much manual maintenance, or are just plain too complex. I always try to offer alternatives when I can. Yet they generally take my criticism very personally, and it's quite clear that's all it is, personal animosity. Most of the time, their solutions are houses of cards, and fall down with regularity. And they'll never admit that there could be a better way to do things, because that would also be admitting that, what, they are not the best?

      I try to be as dispassionate as I can while at work. I don't care about who's better than the other guys, I care about correctness of function and ease of maintenance, and I call it the way I see it. It's motivated self-interest - whatever keeps my pager from going off in the middle of the night is a Good Thing(tm).

    49. Re:"visibly angry" by gregjmartin · · Score: 1
      As humans, most of us show emotion when our work is challenged. That is not wrong - but human. What's critical is what we do with that emotion once we recognize it. The mature evaluate it and their work and turn it into something positive. The immature get defensive.

      Personally, I never want someone who works with me to shrug off failure. I want to understand why they failed and learn from it.

    50. Re:"visibly angry" by Shanep · · Score: 1

      Personally, I never want someone who works with me to shrug off failure. I want to understand why they failed and learn from it.

      When I say "shrug off failure", I mean that their failure itself is not a big deal to them and they quickly move on to understanding their failure and fixing it, instead of spending time worrying about it and trying to make it look less of a failure or pointing the finger elsewhere.

      Their failing, not the failure itself. Of course the failure is important to understand and learn from.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  30. Microsoft Security by jfonseca · · Score: 4, Insightful

    Microsoft has managed to link itself with bad code to a degree that, recently, I spent over 40 minutes convincing a programming team that Code Complete was actually a good book and did not reflect the bad quality of Microsoft software.

    --
    Broken Hearts are for Assholes. - Frank Zappa
    1. Re:Microsoft Security by cowens · · Score: 1

      I always find it useful to point out that the author doesn't work for Microsoft, just published by Microsoft Press.

    2. Re:Microsoft Security by hot_Karls_bad_cavern · · Score: 1

      Agreed.

      i learned from that book. It was just a piece of what we were to read in the class, but a nice piece.

      We also read The Cathedral and The Bazaar in that class.

      Wonderful things learned from both; a nice mix with a programming problem we'd never been faced with and a working-with-a-team element we were new to at that early time in our ed.

    3. Re:Microsoft Security by Anonymous Coward · · Score: 0

      As for myself, I don't believe in "unexploitable code." Human beings make mistakes, they don't see the "obvious to someone else" in their own work. Even patches can open up new holes.

  31. Kind of old... by Dunbal · · Score: 2, Interesting

    From TFA...

    The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target...

    We're in what, mid June now? Slashdot: "olds" and recycled duplicate articles for nerds, I guess...

    Still it's nice to know that Microsoft at least acknowledges that there is a problem they aren't addressing properly.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Kind of old... by colton+cummings · · Score: 1, Interesting

      By Ina Fried Staff Writer, CNET News.com June 15, 2005 4:00AM PDT

      --
      XaNk: now I remember why I hated the girls in high school
      XaNk: because none of them would talk to me
  32. Car Jokes? by LiquidCoooled · · Score: 2, Funny

    fta: Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.
    "I'm also sure Ford wasn't too happy with (Ralph) Nader's reports in the late '60s," he said. "What do you mean you are telling people our cars can blow up?"


    I wonder if Bill actually laughed the first time he read the microsoft car joke?

    --
    liqbase :: faster than paper
    1. Re:Car Jokes? by Anonymous Coward · · Score: 0

      Ford cars are still blowing up!!

      http://www.cnn.com/2005/US/06/16/ford.vehicles/index.html

      Is it just a coincidence or is Bill just trying to distract us??

      It's been 40 years and this bug hasn't been fixed. Hell ... exactly why does Microsoft have to fix their security issues? Obviously the public can't mind too much if they are still riding around in their Fords.

  33. Yuo... yuo... by Anonymous Coward · · Score: 0

    fail fail it it.

  34. You mean to tell me... by doswarrior · · Score: 2, Interesting

    "We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."

    So you mean to tell me, that Microsoft employs *no* hackers of any hat or has ever known one? They make it seem like it was the first Thanksgiving all over again. Puh-leaase.

    Today's lesson is: Hire hackers if you want to build a secure OS.

  35. Can We Get Firefox Developers To Do This, Too? by kmactane · · Score: 5, Insightful

    I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

    It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

    Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

    Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

    In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 was a huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

    Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

    If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.

    1. Re:Can We Get Firefox Developers To Do This, Too? by Mingco · · Score: 5, Funny
      They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.
      Ironically, once they reach the top of the heap in security, they'll discover that it has been overwritten by overflowing buffers.
    2. Re:Can We Get Firefox Developers To Do This, Too? by Atmchicago · · Score: 1

      You are basing your argument that Microsoft will become number one in security based on an analogy with its ability to take over the browser market. You have to be careful, however, because your analogy is too simplistic when you look into it. Developing a buggy browser that you force into your operating system is entirely different from designing and implementing a secure codebase onto your operating system. Think of which is harder: to design something that reads HTML and displays it, or to design a secure OS?

      Microsoft can probably pull it off, but it's no simple task and will take a lot more than a simple $50/bug.

      --

      You can lead a horse to water, but you can't make it dissolve.

    3. Re:Can We Get Firefox Developers To Do This, Too? by zifferent · · Score: 0, Troll

      What kind of FUD is this?

      Astroturf isn't going to be unanswered on my Slashdot!

      Make no mistake. This is a stunt, and I'm not going to stand for it!

      M$ doesn't really care about security, and if they didn't have Linux and Firefox breathing down their neck their security record would keep getting worse.

      Mark my words, M$ products will continue to writhe in the security dumps, because they are a closed source company at the end of their upgrade rope. They can't even get ppl to switch to XP! How the heck are they going to get ppl to switch to Longhorn?

      I'll tell you how. By heaping on pointless features and adding cruft, and blathering on about how important the new widget is. That's the only way to sell the next generation OS and office suite.

      But while M$ continues to rebuild much of their code from scratch (and introduce plenty of new bugs and security flaws in the process), Linux and BSD will continue to build upon stable code bases and will only become more stable.

      From here on in the Cathedral model of OS development is going to fail them.

      Onward LINUX soldiers!

      --
      cat sig > /dev/null
    4. Re:Can We Get Firefox Developers To Do This, Too? by Anonymous Coward · · Score: 0

      man, if you're going to troll, try to at least be a little subtle about it. Jeebus.

      "Onward LINUX soldiers!" indeed.

    5. Re:Can We Get Firefox Developers To Do This, Too? by SirSlud · · Score: 1

      Agreed.

      Hell, IE bugs became simple predominant coding styles, and that was a huge thing in terms of sticking to one browser if you didn't have the cash or expertise to develop web content for multiple browsers.

      Security is different; you're making APIs and parsers and the like more picky, not less picky .. it's gunna be damn interesting to see what happens in the next 5 years.

      --
      "Old man yells at systemd"
    6. Re:Can We Get Firefox Developers To Do This, Too? by Kirth · · Score: 3, Informative

      These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

      I don't think so. Of course they are now taking security a bit more seriously, but there are so many big conceptual mistakes, so many design flaws, they won't and can't fix, or they would break thousands of applications which you can't just recompile...

      Like:
      - case insensitive but case-preserving filesystem (ambiguities in filenames)
      - ActiveX and other unsafe scripting languages all over the place. It's not just the browser, it's also Word, Excel and lots of other programs.
      - RPC for just about everything.
      - unsafe program interfaces. Some applications will happily accept any malformed events from some other components.
      - writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

      --
      "The more prohibitions there are, The poorer the people will be" -- Lao Tse
    7. Re:Can We Get Firefox Developers To Do This, Too? by zifferent · · Score: 1

      Troll?

      I thought it was rather funny.

      --
      cat sig > /dev/null
    8. Re:Can We Get Firefox Developers To Do This, Too? by marcosdumay · · Score: 2, Insightful

      "Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security."

      That is the problem, security can't be achieved the same way that browser market domination was. To fix security, MS will need the following:

      A lot of rewriting, that is expensive. But can be done.

      A lot of testing, that FOSS gets for free and MS pays a lot for. But can be done.

      Also, they'll need to modify the relationship they have with their customers. That is a hard one, MS will need to respect their clients. They'll need a complete restructuring, but it can be done.

      And, finally, the problem: MS will need to discontinue bad projects, breaking past compatibility.

      Let's face it, Windows, IE and Office are kept on top because of the net effect. The advantage that people get when running those products is to get something that is compatible with everything else, so they don't need to care about that. If MS suddenly breaks past compatibility, they'll see their market suddenly vanish.

      This is why MS will not develop secure products so soon, their software projects are flawed and they can't correct it. Those events are good PR, but will not make MS programs better than FOSS.

    9. Re:Can We Get Firefox Developers To Do This, Too? by lowe0 · · Score: 1

      Linux can continue building upon stable codebases all it wants. When, however, will it produce an OS I actually want to use?

    10. Re:Can We Get Firefox Developers To Do This, Too? by jafac · · Score: 3, Interesting

      Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing.

      Exactly. Working for a major Systems Integrator, our customer actually has a special team of people who do nothing but hack systems, and recommend security changes to the products they buy.

      We thought we had locked down our systems pretty well. They turned it out pretty good, and produced a 92-page report. (of course, some of it was gratuitous).

      However, the end result: slapping security changes onto an already-developed product, results in a whole lot of breakage. This lesson will benefit our NEXT customer. And it will really, really hurt our current customer. The lesson? Security should be designed-into a system from the start.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    11. Re:Can We Get Firefox Developers To Do This, Too? by Anonymous Coward · · Score: 3, Insightful
      First, MS did not get IE right. They used their dominant desktop position to squeeze out other players. The failure of Netscape was due equally to the Netscape problems and the fact that MS sabotaged Navigator. I have used nearly every major browser since Mosaic. To this day IE does not provide the expected overall functionality one would expect in a web browser, but exists merely to support a few, mostly lame, MS features.

      Second, most of MS problems are caused by the fact they miss nearly every boat, and then come up with half-assed solutions to catch up. Security is not something that can be tacked on later, like a GUI or browser or RSS feed. It must be designed into the infrastructure. It is quite unreasonable to allow untrusted agents unlimited access to the file system, and then set up optional limits on that access and call it security.

      Firefox is not comparable because Firefox is not a component of the OS. It is not, as is IE, an application front end, but a standard stand alone web browser. The critical nature of Firefox bugs cannot reach that of IE because they are not, by definition, OS level faults.

      Finally, these 'try to break into my house' kind of tests are kind of useless. If nothing happens then the vendor unfairly claims security. If something happens, it is either spun into a nonevent or the particular problem is fixed, and, again, security is unfairly claimed. It is a PR stunt.

      I am sure you will tell your clients to go with MS no matter what, as you likely make most of your money fixing the MS problems, and an efficient OS would mean that you would be forced to find a real job.

    12. Re:Can We Get Firefox Developers To Do This, Too? by Anonymous Coward · · Score: 0

      Win95 came with IE 2.0, a very basic browser. Version 3.0 was a major improvement, with 4.0 handily beating Netscape's. I believe version 1.0 was internal only.

    13. Re:Can We Get Firefox Developers To Do This, Too? by kosmosik · · Score: 0, Troll

      > And let's not forget that Netscape
      > provided Microsoft with some much-
      > appreciated help in taking over the Web,
      > by screwing up their own release schedule
      > so badly that there never was a Netscape
      > 5.0.

      Let's not forget that MS leveraged their monopoly on operating systems to give their browser away for free and still be able to operate (financially). Netscape was just killed by MS. The lack of a version 5 release was an effect, not a cause.

      > They are aiming to be the top of the heap
      > in security, and they've got drive, ambition
      > and aggression.

      Too bad still they have serious problems here. Like things got better inside corporate networks etc. (but not like it is MS-only achievement - entire market was generated around windows lack-of-security). But it still *is* an issue.

      > Make no mistake, this kind of event is
      > exactly what a company that wants to get
      > secure should be doing.

      No, publishing some marketing stuff with phrases like "hackers are hacking Windows and everybody is happy" is like PR/marketing bullshit.

      Face it - now the real crackers (I mean virus writing etc.) are working for profit - under the wings of multinational organizations. This is no longer an underappreciated-geek-thing - this whole security business is about money. Not some "blue hats" (WTF are they?) - it is like - you crack a system -> you get profit from it. Marketing stupid names like "blue hats" is not going to change much.

      (...)
      > These things say to me that, within a few
      > years, we're going to see some really damn
      > secure stuff coming out of Microsoft.

      Yeah - like say it a gazillion times and it will become truth. It is not like MS has not made any secure product. The opinion (MS -> insecure) comes from the fact that MS had done some insecure products before. Yelling "WEEE ARE ALL ABOUT SECURITY DADADADA ETC." won't change much unless there are noticeable changes in their security practices. Right now I see a problem with MSIE (in general - entire system) - when you ask the video driver to draw a very huge bitmap the system hangs... It works for +/-50% of systems (my research, even if it were 5% it is still an issue). And guess what - you won't find MS talking about this *problem*. So how do they handle security?

    14. Re:Can We Get Firefox Developers To Do This, Too? by ArielMT · · Score: 1

      Two minor points first.

      First, the earliest release of Windows 95 came bundled with the even more handicapped Microsoft Internet Explorer 2.0, which was comparable to Netscape Navigator 2.x, to compete with Netscape's Navigator 3.x series of Internet suites. Among its other faults, IE2 couldn't even do frames. I speak from personal experience, having bought and installed "Microsoft Windows 95 Upgrade for Users of MS-DOS, bundled with New Microsoft Internet Explorer 2," a box with 17 floppy disks, in 1997.

      Second, the only reason that Firefox exploits are cropping up at a seemingly greater pace is because Firefox is being covered in the press more than before. Statistically speaking, the rate of Firefox exploit discoveries hasn't increased since it was last called Phoenix.

      About your prediction that we'll see very secure stuff coming from Microsoft, please don't hold your breath. Microsoft has entrenched in just about every new computer sold today features and technologies that by design undermine that computer's security (ActiveX for one). These features can't be secured against exploits and remain able to perform as advertised. The only way for your prediction to come true is for those designed-to-be-insecure features to be completely abandoned (and for everything else to be fixed, of course). And if that happens, that'll be a very happy day indeed. But I honestly can't see Microsoft abandoning the bad until MS ceases to be a relevant OS producer.

      --
      It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
    15. Re:Can We Get Firefox Developers To Do This, Too? by CPUGuy · · Score: 1

      Windows95 actually came with IE2 (which was basically Mosaic with a face-lift).

      Win95 OSR2 came with IE3, which was actually on par with Netscape 3.

    16. Re:Can We Get Firefox Developers To Do This, Too? by badriram · · Score: 1

      Sorry, I just tried as a regular user, the Windows folder is not writable. Neither is the Program Files folder. The root folder however is.
      Application makers are responsible for being careful about accepting malformed events. It is stupid for programmers to assume nowadays that anything that comes in to a program is secure.
      ActiveX and scripting languages in Windows are no more unsafe than in any other operating system. Learn to log on as a user.
      Case insensitive is to make life easy for normal people. Case preserving is for POSIX compatibility. This way both can work.
      They do not use RPC for everything, though yes, they could limit it more.

    17. Re:Can We Get Firefox Developers To Do This, Too? by CPUGuy · · Score: 3, Insightful

      I hate to break the news to you, but IE3 was on par with Netscape 3, and IE4 just blew Netscape out of the water. MS only 'sabotaged' Netscape because IE was simply a much better browser at the time.

      Hell, for the longest time, IE was THE browser to use because of its standards compliance, features, etc...

      Also, the only security advantage Firefox has with not being integrated is that it's not shipped with the OS. The fact is that IE is shipped with every single Windows computer, and as such anyone can be exploited by it. IE is NOT part of the OS, except that the rendering engine is used to render some OS components; however, it is no more integrated than Firefox.
      Firefox is also just a front-end, just that it is a front-end to a different rendering engine (Gecko).

    18. Re:Can We Get Firefox Developers To Do This, Too? by Anonymous Coward · · Score: 0

      Netscape wasn't open source. Firefox is, this means that creativity is never stifled because individuals can fix the problems on their own and help others who use the same browser.

    19. Re:Can We Get Firefox Developers To Do This, Too? by drsmithy · · Score: 2, Insightful
      Firefox is not comparable because Firefox is not a component of the OS. It is not, as is IE, an application front end, but a standard stand alone web browser. The critical nature of Firefox bugs cannot reach that of IE because they are not, by definition, OS level faults.

      IE has no greater ability to do damage to the system than Firefox does.

    20. Re:Can We Get Firefox Developers To Do This, Too? by GISGEOLOGYGEEK · · Score: 2, Insightful

      You don't have a clue whether or not there are any 'conceptual mistakes', 'design flaws', or 'thousands of applications' that would be broken, that can't just be recompiled. No Idea At All. You're just repeating what all the other Linux sheep keep saying, and the sheep reward you with 'informative' mod points.

      Get out of your chair, go out into the world, and try to create an original thought.

      --
      George Bush + Linux = "I will not let information get in the way of the fight against Windows"
    21. Re:Can We Get Firefox Developers To Do This, Too? by mewphobia · · Score: 1
      Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

      Okay if this were fuzzy logic class you'd get a distinction. But it's not.

      The internet has been integrated with most applications because it was easy. To add the internet to your application you just need to strap on some more code. It's a trivial task, and Microsoft still had its troubles (as you pointed out). But your analogy is flawed...

      repeat after me: SECURITY IS NOT AN AFTERTHOUGHT.

      I have no doubt that microsoft's products will be more secure in the future. But it's terribly hard for a company as large as microsoft to change their processes. Plus they have an amazing amount of backwards compatibility to uphold. This won't be anything like the first browser wars.

    22. Re:Can We Get Firefox Developers To Do This, Too? by Feztaa · · Score: 0

      Learn to logon as a user

      Now, obviously this is unscientific, but all the anecdotal evidence I've seen is that many, many, many programs will refuse to run properly when run as an unprivileged user. And this statement is very telling:

      Sorry, I just tried as a regular user,

      That indicates to me that you normally run as Admin, likely because half your apps break when you run as a user.

    23. Re:Can We Get Firefox Developers To Do This, Too? by Splintax · · Score: 1

      writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

      I disagree. I'm not really sure if this is a fault in the Windows code itself but there are several things in these folders that you may want to edit without rebooting into DOS or whatever. I would suggest that an 'advanced' mode be togglable so that all directories are writable. Same with disabling that 'System File Protection' BS. Ever tried to replace notepad with metapad or something? It's a complete pain in the ass.

    24. Re:Can We Get Firefox Developers To Do This, Too? by Tim+C · · Score: 2, Informative

      - case insensitive but case-preserving filesystem (ambiguities in filenames)

      How so? You can't create (for example) readme, README and ReAdMe all in the same directory on Windows, so you can't cause ambiguity like that.

      - writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

      Normal users don't have write access to the Windows or Program Files directories. Now, you can argue that MS hasn't exactly made it easy for people to run as normal users, but that's only partly true. NT has had ACLs from the beginning, and was released towards the tail end of the 90s - developers have had what, a decade to get used to the idea of user permissions on Windows? Even only counting from the release of XP, they've had 3 years or so. Yes, user-based security on Win 9x was non-existent, but come on.

    25. Re:Can We Get Firefox Developers To Do This, Too? by Flyboy+Connor · · Score: 1
      Interesting points, but not totally on the money.

      The first main difference between Microsoft and the Internet, and Microsoft and Security, is the fact that IE was a product separate from Windows, while security pervades all of Windows. It is a lot easier to add something than it is to modify it.

      The second main difference is that Microsoft could basically BUY themselves the Internet. They just acquired products and companies which went in the direction they wanted to go, slapped a MS logo on their products, and were in business. Security is something they have to solve completely in-house (unless they are willing to release their source code, of course, but that would probably lead to a major DROP in security).

      And the third main difference is that adding the Internet does not require a quality increase. Making Windows secure does.

    26. Re:Can We Get Firefox Developers To Do This, Too? by I'm+Don+Giovanni · · Score: 1

      Yes, most users run as admin; a holdover situation from the Win9x days when users and apps had no concept of different user account levels. Longhorn (when it finally ships) will have the limited accounts as the default account setting. This is just one example that disproves the grandparent's assertion that some things are too hard to be fixed.

      --
      -- "I never gave these stories much credence." - HAL 9000
    27. Re:Can We Get Firefox Developers To Do This, Too? by eskoperkele · · Score: 1

      "SP2 wa s huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it."

      SP2 brought us a firewall that blocks some corporate antivirus clients from obtaining new virus databases from local server.

      Getting better, are they?

      --
      E. Perkele
    28. Re:Can We Get Firefox Developers To Do This, Too? by earthbound+kid · · Score: 1

      Windows 95 did not come with a web browser at all. Internet Explorer 1 was released along with the Plus! pack in August '95 though. By November, IE 2 was already out of the gate. Check it.

      FWIW, I thought IE3 was decent, but not quite as good as Netscape. IE4, however, was better, and that was the end of Navigator.

    29. Re:Can We Get Firefox Developers To Do This, Too? by Anonymous Coward · · Score: 0

      Security is not something that can be tacked on later, like a GUI or browser or RSS feed. It must be designed into the infrastructure.

      You're right - but you're wrong to say Windows hasn't got that security designed in from the beginning. Every file and every registry key have ACLs assigned to them (ACLs more flexible than read/write/execute owner/group/world). Every process runs as a user with definable rights. From the standpoint of the core OS, the only mistakes MS made were in defaulting users created during the install process to Admin privs, and not kicking ass among third party devs who took for granted the Admin-level user. MS is fixing this.

      Now we move to services. Yup, too many services exposed after system installation. At server level MS is fixing this by defaulting less services running - and providing a nice tool to walk the user through the process of deciding which services should and shouldn't be available. At client level, the SP2 firewall defaults to 'listen only to people I talk to' mode.

      Next up: exposed services which pass data or login info in the clear or with easily broken encryption. IPSEC encryption for all services has been available (both client and server) since Win2k. In Longhorn we'll see more services (maybe all of them?) also encryptable via SSL.

      Check. Now, exposable services with buffer overflows or other exploits. MS has been going through all code very aggressively to eliminate these issues.

      Great. We're back to the local system then - user might try to escalate his own privs, or inadvertently run programs which try priv escalation. Honestly I'm not sure what MS is doing here (other than strongly emphasizing LUA as they should have long ago), but I suspect they've got a few plans.

      Grandparent is right. MS is making all the right moves, and will have formidably secure products in the next three years. FOSS needs to be devoting at least the same percentage of its overall energy to the same goal, rather than engaging in the exact kind of denial so many in this thread have accused MS of wallowing in.

    30. Re:Can We Get Firefox Developers To Do This, Too? by johnw · · Score: 1
      - case insensitive but case-preserving filesystem (ambiguities in filenames)

      Huh!? Much as I like the UNIX programming environment and dislike the Windows one, this isn't a valid criticism of Windows. If anything, this is behaviour that Windows (eventually) got right and UNIX got wrong (and as you say, fixing it in UNIX is a lot more work than just re-compiling).

      It's when your filing system thinks that README, ReadMe, Readme, and readme are all different files that you can hit ambiguity problems.

      John
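The two posts above (comments 24 and 30) argue about where case-insensitive, case-preserving filesystems create ambiguity. The practical failure mode is not on the Windows side but at the boundary: a tree built on a case-sensitive filesystem (where `README` and `readme` coexist) is written to a case-insensitive one, and the second file silently replaces the first. The following is an added example, not code from the thread or from any of the posters; it takes a constructed list of paths, reports the groups that would collide under case folding, and models what a case-preserving filesystem ends up storing.

```python
"""Detect filenames that would collide on a case-insensitive filesystem.

Added example (not from the Slashdot thread). Scenario: paths produced on a
case-sensitive filesystem are about to be written to a case-insensitive,
case-preserving one. Names that differ only in case map to the same file
there, so the later write silently replaces the earlier one.
"""
from collections import defaultdict


def fold(path: str) -> str:
    """Key under which a case-insensitive filesystem stores this path.

    str.casefold() is stricter than lower() (it handles e.g. German sharp s).
    Backslashes and repeated separators are normalised so the same path
    written two ways yields the same key.
    """
    parts = [p for p in path.replace("\\", "/").split("/") if p and p != "."]
    return "/".join(part.casefold() for part in parts)


def find_case_collisions(paths):
    """Return {folded_key: [original spellings]} for every key with >1 name."""
    groups = defaultdict(list)
    for p in paths:
        groups[fold(p)].append(p)
    return {key: names for key, names in groups.items() if len(names) > 1}


def simulate_case_insensitive_write(entries):
    """Model writing (path, content) pairs onto a case-preserving filesystem.

    The first spelling of a name is what the directory keeps (case preserved);
    a later write with a different spelling overwrites the content but does
    not rename the entry. Returns {stored_name: content}.
    """
    stored = {}  # folded key -> (displayed name, content)
    for path, content in entries:
        key = fold(path)
        name = stored[key][0] if key in stored else path
        stored[key] = (name, content)
    return {name: content for name, content in stored.values()}


# Constructed sample listing, as it might exist on a case-sensitive filesystem.
SAMPLE_PATHS = [
    "project/README",
    "project/readme",
    "project/ReAdMe",
    "project/src/Main.c",
    "project/src/main.c",
    "project/LICENSE",
]

# Constructed sample writes in archive order.
SAMPLE_ENTRIES = [
    ("project/README", "canonical docs"),
    ("project/readme", "old notes"),
    ("project/src/Main.c", "int main(void) { return 0; }"),
]

if __name__ == "__main__":
    for key, names in find_case_collisions(SAMPLE_PATHS).items():
        print(f"collision on {key}: {names}")
    # README survives under its original spelling but now holds "old notes".
    print(simulate_case_insensitive_write(SAMPLE_ENTRIES))
```

Running `find_case_collisions` over an archive's member list before extracting it on Windows (or on a case-insensitive macOS volume) catches the ambiguity the posters are arguing about before any file is overwritten; the same check is useful in a build or deployment pipeline that ships a tree between the two kinds of filesystem.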
    31. Re:Can We Get Firefox Developers To Do This, Too? by Cro+Magnon · · Score: 1

      The problem is the DEFAULT on XP is to run everything as root. The developers, and often Microsoft itself, saw little reason to change from the 9X style. If Microsoft had done security right when XP came out, there would have been some short term grumbling and accusations that MS was doing it to break 3rd party apps, but it would have settled down and we'd have a reasonably secure Windows now.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    32. Re:Can We Get Firefox Developers To Do This, Too? by Jeehannes · · Score: 1
      Ever tried to replace notepad with metapad or something? It's a complete pain in the ass.
      You need NotepadEx (http://notepadex.cjb.net/). Painless.
    33. Re:Can We Get Firefox Developers To Do This, Too? by RasputinAXP · · Score: 1

      Then how, exactly, does spyware make its way onto my machine with IE installed on it?

      That's right, ActiveX!

      A nice handy layer of DOOM for my users' systems, because they don't know NOT to click the blinking "OK" in the popup window they just got, which just tossed another version of CoolWebSearch onto their system which then screws them from being able to get to some sites.

      "No greater ability" my shiny metal ass.

    34. Re:Can We Get Firefox Developers To Do This, Too? by Daniel+Phillips · · Score: 1

      Microsoft did not beat Netscape on product quality as much as illegal monopolizing tactics. Your argument by analogy breaks down here. This time, Microsoft does not have any obvious way to fix its problems by gaming the system, which may help explain why, two years after promises that everything was going to change, Microsoft is still flopping around like a fish out of water in the security space.

      Unable to game the legal system, Microsoft resorts to gaming Slashdot's moderation system. How the mighty have fallen.

      --
      Have you got your LWN subscription yet?
    35. Re:Can We Get Firefox Developers To Do This, Too? by Splintax · · Score: 1

      That wasn't my point, the point was the difficulty in manually replacing notepad.exe with something else.

      metapad is a single executable that you can rename to notepad.exe and have replace notepad. But WinXP's file protection makes it difficult to do this.

    36. Re:Can We Get Firefox Developers To Do This, Too? by drsmithy · · Score: 1
      Then how, exactly, does spyware make its way onto my machine with IE installed on it?

      Same way it would if it exploited a Firefox vulnerability.

      "No greater ability" my shiny metal ass.

      IE runs in user space just like Firefox. If you're not running as an Admin, most (if not all) malware crashes and burns. If you are running as an Admin, running firefox won't help you if a similar vulnerability exists in Firefox.

      IE does not have magical powers. It does not have mysterious hooks into the NT kernel. It does not run with special permissions. It has no more (or less) ability to damage your system than Firefox does.

  36. Don't be deceived, it's part of the plan by Anonymous Coward · · Score: 1, Insightful

    First they show that (shock!) Windows is insecure, and then after much "deliberation" they will throw their hands up in the air, declare "computers" and "The Internet" to be insecure, and use that as a ploy to get Trusted Computing made mandatory by government.

    I firmly believe they allow the virus and spyware problem to happen for this very reason.

    1. Re:Don't be deceived, it's part of the plan by SirSlud · · Score: 1

      C'mon, Occam's razor, hard core.

      The ONLY reason windows users complain about windows machines these days is because of virii and spyware. Are you even a programmer?

      Not to defend MS, cause I loathe their guts, but really now, have I been trolled?

      --
      "Old man yells at systemd"
  37. Getting through to engineers is hard by kt0157 · · Score: 5, Interesting

    In my previous company I tried to communicate with engineers. I was an engineer, but it's still damned hard. Programmers just don't "get it" without hard work. In the end, this kind of smack-in-the-face-by-the-real-world approach is what is needed.

    I reckon it's because so many programmers have at least a touch of Asperger's. The number of times I'd try to explain that customers behave like monkeys, focusing on the wrong things, buying products for the wrong reasons. But these reasons aren't "wrong" if it means the difference between selling a product and not selling a product. That yes, it's "wrong" to buy a product because we've used Times Roman screenfonts but the competitor used Tahoma, but just change the goddamn font, OK?

    Reminds me of the story about 1-Click from Amazon. After patiently explaining what he wanted, the developers all nodded and said, yes, they can do 1-click. A few weeks later the prototype is ready and Bezos tries it out. He clicks on a book. And up pops a dialog box that says "Are you sure?"..

    Read about this in Cooper's book "The Inmates Are Running The Asylum."

    K.

    1. Re:Getting through to engineers is hard by Anonymous Coward · · Score: 0

      Perhaps if you'd keep the ad hominem attacks out of your conversations you'd make more progress?

    2. Re:Getting through to engineers is hard by kt0157 · · Score: 1

      Don't get me started about Ad Hominem. He was the worst. Always with the system modal dialog boxes.

      K.

    3. Re:Getting through to engineers is hard by Vellmont · · Score: 1

      I reckon it's because so many programmers have at least a touch of Asperger's.

      So I guess this offhanded comment now makes it official. Asperger's is now the default explanation for anyone in the tech industry who acts a little different from the general public. I'm glad we finally have this "explanation".

      Next step, anyone that questions authority has a touch of "oppositional defiance disorder". Soon all behaviours people don't like will be defined as an illness.

      --
      AccountKiller
    4. Re:Getting through to engineers is hard by kt0157 · · Score: 4, Funny

      Stop arguing about clinical definitions and just change the goddamn font.

      K.

  38. Invite outsiders or hire insiders? by dozek · · Score: 2, Interesting

    I find it is interesting that a company with record cash in hand and well documented employee benefits would not have their own 'blue hat team' on staff. I mean, why invite outsiders in to reveal the exploits? Surely MS can afford an elite team of their own...especially when 1/3 of the R&D budget is going to security matters.

    1. Re:Invite outsiders or hire insiders? by geekoid · · Score: 1

      They probably do, but outside security people are paid to find issues and are usually outside the politics.

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Invite outsiders or hire insiders? by Kesh · · Score: 2, Insightful

      Exactly. Not only are outsiders able to look at the software from a clean slate, without the influence of their co-workers or company policies; they're also (relatively) free from retribution.

      If they were an inside team doing the "blue hat" work, they'd be about as popular as Internal Affairs officers are to their fellow cops. There would be a lot of pressure to "just overlook that" from their friends, or folks who they feel loyalty to within the company.

    3. Re:Invite outsiders or hire insiders? by hazee · · Score: 1

      Outsiders will bring a fresh perspective to the problem. There may well be company-wide perceptions that certain pieces of code are "safe" within MS, so they don't get as much checking as they should.

      Yes, you could isolate your own blue team from the rest of MS, but why not just go the whole hog? Plus, this way you don't have to pay for the benefits you mention.

      And finally, by getting people outside to do the work of searching for flaws, you get many more people for your money - you only have to reward the ones who find something, rather than paying them all a salary even if they don't find anything this month.

    4. Re:Invite outsiders or hire insiders? by Mingco · · Score: 1

      Anyone internal who can exploit bugs is capable of fixing them, thus will be put on the fixing bugs team. But bug fixing only comes after features have been developed, and swings around in production cycles. Thus, when you are not near a shipping date, you are not bug fixing. Thus, you get put onto a features team.

      Generally, for your career, it's better to be on a features team than a bug fixing team. It's a lot easier to point to a cool thing and tell your manager, "I made that happen!" than to point to some boring thing working normally and say, "I made that previously broken or easily exploited bug not happen!" Thus, individually, talented developers tend to gravitate away from bug fixing, because their worth is more easily measured in features than in bug fixing or security.

      Therefore, to get some real seriously talented bug exploiters, you need to reach outside of your internal microeconomic incentive system.

      Writing features is simply more fun than fixing bugs or closing exploits.

    5. Re:Invite outsiders or hire insiders? by Locke2005 · · Score: 1

      Perhaps this was more a trick to get the hackers to reveal themselves, so that it is easier to catch them later? Of course, if you do find someone who is particularly adept at circumventing your security, your best course of action is to hire them! Which might be the main reason most of these "hackers" showed up to show off their mad skillz...

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  39. lured? by Anonymous Coward · · Score: 0

    HOW did they 'lure'?
    popping bug?
    spinner?
    midge?
    golden antenna?
    it's a radio for crying out loud.

    " Dan Kaminsky: Dan Kaminsky's recent research includes looking at the limitations of hashing algorithms, as well as the potential for sending large files via the Internet's Domain Name System. He is currently doing work for Avaya. "


    what's this DNS large files business?
    Been tunneling port 53 for ages. Because port 53 is open prior to subscribing with many cable companies, it'll get you a link for free.
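
    The "large files via DNS" business the poster asks about comes down to packing data into query names and reassembling it at a nameserver you control. The block below is an added worked example for this thread, not Kaminsky's code, not any real tunnelling tool and not from the article; `tunnel.example` is a placeholder for a hypothetical attacker-controlled zone, and the payload is constructed inline. It encodes a byte string into DNS-legal names, decodes them (out of order, as a resolver might deliver them), and includes the cheap resolver-log heuristic a defender would start with.

```python
"""Worked example (added to this thread; not Kaminsky's code or any real
tunnelling tool): moving a file through DNS query names, and a heuristic
that spots it. The zone name is a placeholder for an attacker-controlled
domain; the payload is constructed in code."""

import base64

DOMAIN = "tunnel.example"   # hypothetical zone whose nameserver is the receiver
CHUNK = 35                  # 35 raw bytes -> 56 base32 chars, under the 63-char label limit
LABELS_PER_QUERY = 3        # 105 bytes per query name, comfortably under 253 chars


def b32label(chunk: bytes) -> str:
    """Base32, because DNS labels are case-insensitive. '=' is not a legal
    label character, so padding is stripped here and restored on decode."""
    return base64.b32encode(chunk).decode().rstrip("=").lower()


def unb32label(label: str) -> bytes:
    s = label.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def encode_queries(data: bytes, domain: str = DOMAIN):
    """Split data into names of the form <seq>.<label>.<label>.<label>.<domain>."""
    per_query = CHUNK * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(data), per_query)):
        block = data[start:start + per_query]
        labels = [b32label(block[i:i + CHUNK]) for i in range(0, len(block), CHUNK)]
        name = ".".join([str(seq)] + labels + [domain])
        assert len(name) <= 253, "name would exceed the DNS limit"
        names.append(name)
    return names


def decode_queries(names, domain: str = DOMAIN) -> bytes:
    """Reassemble at the receiving nameserver. Queries can arrive out of
    order (resolvers retry and parallelise), hence the sequence label."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        parts[int(labels[0])] = b"".join(unb32label(l) for l in labels[1:])
    return b"".join(parts[k] for k in sorted(parts))


def looks_like_tunnel(name: str, max_label: int = 40, max_name: int = 120) -> bool:
    """Cheap detection heuristic: ordinary hostnames have short labels.
    A long label or a very long name deserves a second look in resolver logs."""
    labels = name.split(".")
    return max(len(l) for l in labels) >= max_label or len(name) >= max_name


if __name__ == "__main__":
    payload = bytes(range(256)) * 4        # constructed 1024-byte "file"
    names = encode_queries(payload)
    print(len(names), "queries, first:", names[0][:80], "...")
    assert decode_queries(names) == payload
    print("flagged:", sum(looks_like_tunnel(n) for n in names), "of", len(names))
```

    The heuristic is deliberately crude: a short final chunk produces a short name that it misses, and a tunnel that keeps labels short simply trades bandwidth for stealth. In practice the stronger signal is volume, a single client issuing thousands of unique names under one zone, which is why the sequence label and the per-zone query count are what a resolver-log rule keys on.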
  40. MOD PARENTS UP! by Anonymous Coward · · Score: 1, Funny

    I'm glad your parents decided to fuck without birth control. Truly you are one of humanity's greatest accomplishments.

    PS: You're a fag.

  41. Re:2002 WTF? O.o or Why I Love SR-520 by WillAffleckUW · · Score: 3, Funny

    Sheesh! It's 2005 and there are still unpatched vulnerabilities. Damn hackers, they're always faster than us! (/sarcasm)

    Heck, they just released a bug fix for an IE bug that was already fixed, put back in by mistake (since it was still in IE), and refixed in Firefox ... today.

    Wow, it's like watching paint dry.

    Luckily for them hackers just go away on vacation in the intervening years between bug fixes ... right?

    --
    -- Tigger warning: This post may contain tiggers! --
  42. Give Microsoft Its Due by MrNonchalant · · Score: 5, Interesting

    I'm banking that I'm the first one to say this, and that there are at least a few reasonable moderators out there.

    This represents a step in the right direction for Microsoft. Perhaps as a community we need to face the possibility that they may be changing. I read the entire article, and it seemed as if Microsoft genuinely wanted to change. I run Linux, and so do a lot of you, so it is understandable when a lot of you will deride Windows no matter what because it represents a competitor. I just don't buy into that philosophy, it doesn't hold much room for fair.

    Giant Anti-Spyware, IE 7, and the anti-virus acquisitions are all good indications. Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them. Either that, or blows it so hard their customers (corporate and power user home) all look for more stable operating systems (hint: all other consumer desktops of any note run a Unix derivative of one sort or another).

    1. Re:Give Microsoft Its Due by dustmite · · Score: 3, Interesting

      Microsoft always catch up after being behind everyone else after roughly ten years, in everything they do. The same is true for their current drive towards security, where they are starting to catch up to, say, the seriousness with which 1980's UNIX vendors approached security.

      The underlying problem though is that Microsoft only ever develop anything reactively, never proactively. Every move they've ever made has been kind of like: "hey look, company XYZ has produced this excellent product ABC, and everyone loves it, let's also start working on something like that and release a semi-decent version five years from now". This will never change.

      So it's all fine and well that Longhorn 2006/7 will be the first MS OS ever actually built with a serious company-wide intention of being secure, but the question is, do you want to always be at least "ten years behind" like that? Do you think it's good to keep putting your money into the company that only knows how to "catch up", in an industry that really runs much better when there is leadership and innovation?

    2. Re:Give Microsoft Its Due by Randseed · · Score: 1
      The problem with Microsoft software historically has been that you buy the OS, then have to buy third-party software to get basic functionality. Part of this is because of the anti-trust laws. Part of it is because they feel that they have a duty to their third party developers like Symantec.

      I can pop in a Gentoo distribution CD and in a few hours have a system set up that does far more than a Microsoft system does, and it costs me nothing. Most of those few hours is just waiting for the system to compile. If I went with Debian or another binary-based distribution, it would be a lot faster.

      The catch is that, generally, Linux isn't as easy to install and administrate for people who don't know anything about what they're doing. Then again, if you think about it, as it stands now most consumers seem to haul their machine into Best Buy or an equivalent place and get them to administrate their box anyway, so this may be less of a problem than you might think.

    3. Re:Give Microsoft Its Due by jav1231 · · Score: 1

      My problem, philosophically, is that I don't care that M$ might be getting it. I don't distrust M$ because they have shitty software. True, this knowledge should make me want something better, but my problem is with the company culture. They want to do it all at the expense of everyone else. Rather than partnering, they would rather consume. Some think this is just good business, but I'm not sure. Eventually you become a monopoly and quality is secondary. True, they partner with some companies now, but on many key technologies they have simply "innovated" the technology either away from another company or added it into their OS to help stifle one. A big part of me doesn't want them to "get it." Just being honest.

    4. Re:Give Microsoft Its Due by Anonymous Coward · · Score: 0

      Eventually MS Anti-Virus will be free. First, they'll advertise it as a pay service. Then, the government will push them into offering it for free, since charging for it would be abuse of their position. QED. They manipulate the government into the result they want - free MS Anti-Virus.

    5. Re:Give Microsoft Its Due by Daniel+Phillips · · Score: 1

      Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them.

      No, for personal computing's sake, let's hope that Microsoft continues to blow it. Poor security is just the first item on the top of the pile re why Microsoft is bad for the internet and bad for the economy in general.

      How about actively subverting common standards? How about making customers submit to a strip search in order to install a new modem?

      Microsoft continuing to blow it is the clearly the best gift it can possibly give the internet and personal computing, after all it has taken away.

      --
      Have you got your LWN subscription yet?
    6. Re:Give Microsoft Its Due by ady1 · · Score: 1

      Just that antivirus, antispyware, antimalware don't make you productive. They only aid you in being less productive. They make you less productive anyway since you have to maintain them, update them and allot processing power and memory to them.

  43. Old problem, not Microsoft specific by sublimespot · · Score: 2, Insightful

    That technique is

    a) old news
    b) not Microsoft specific.

    Linux and OSX can also be tricked into connecting to a rogue access point.

    Whichever access point is most powerful, or higher priority will be connected to.

    The only shocking thing about the article is that the engineers haven't seen/heard/tried this before.

    1. Re:Old problem, not Microsoft specific by kneeless · · Score: 1

      No, they lured the laptop onto the network without its consent, and without rooting the laptop first. That's why it's surprising.

    2. Re:Old problem, not Microsoft specific by sublimespot · · Score: 1

      Um. That's exactly what I was speaking of, and no, it's not surprising nor is it new.

      Take for example a Linux machine running wpa_supplicant or some other software which has a preferred access point of "linksys" (since that user uses that SSID at home). If a "linksys" access point pops up somewhere other than at home, the box will connect to it.

      It's nothing special.

      The only exploit that affects XP is that it broadcasts the names of the SSIDs that it's searching for. This allows an attacker to change his access point to the name that is being requested and have the user connect.

      Old news.
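
    The mechanism the two posts above are arguing about, as an added worked example for this thread (not code from the article, from Microsoft, or from any tool named here): a client with a preferred network sends directed probe requests naming that SSID, anyone listening learns the name, and an access point advertising it gets the client. The frames are built in code from the 802.11 management-frame layout (24-byte header, then tagged elements, SSID being element id 0); the MAC addresses and SSIDs are constructed, no radio or capture file is needed.

```python
"""Worked example (added to this thread; not from the article or any tool
named in it): what an 802.11 probe request leaks, and how a rogue AP uses it.

A client with a preferred network sends *directed* probe requests naming
that SSID. Anyone listening learns the name, advertises an AP with it, and
the client joins. The frames below are constructed in code; no radio needed."""

from collections import Counter

MGMT_HDR_LEN = 24          # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2)
SUBTYPE_PROBE_REQ = 0x04   # management frame (type 0), subtype 4
TAG_SSID = 0x00            # tagged-element id of the SSID element


def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Construct a minimal probe request (test input only). ssid='' is the
    wildcard probe, which reveals nothing about the client's preferences."""
    fc = bytes([SUBTYPE_PROBE_REQ << 4, 0x00])        # type 0, subtype 4
    bcast = b"\xff" * 6
    hdr = fc + b"\x00\x00" + bcast + src_mac + bcast + b"\x00\x00"
    body = ssid.encode()
    ies = bytes([TAG_SSID, len(body)]) + body
    ies += bytes([0x01, 0x04, 0x82, 0x84, 0x8B, 0x96])  # supported rates element
    return hdr + ies


def parse_probe_request(frame: bytes):
    """Return (transmitter MAC, SSID) for a probe request, else None.
    A truncated element returns None rather than reading past the frame."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None
    src = frame[10:16].hex(":")                      # addr2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        pos += 2
        if pos + length > len(frame):
            return None                              # malformed element
        if tag == TAG_SSID:
            return src, frame[pos:pos + length].decode("utf-8", "replace")
        pos += length
    return None                                      # no SSID element present


def leaked_ssids(frames):
    """Map each client MAC to a Counter of the named SSIDs it probed for.
    Wildcard (empty) probes are skipped: they leak nothing."""
    seen = {}
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed is None or parsed[1] == "":
            continue
        mac, ssid = parsed
        seen.setdefault(mac, Counter())[ssid] += 1
    return seen


def rogue_ssid_choice(seen, victim_mac):
    """The SSID a rogue AP would advertise to attract victim_mac: the one
    it asks for most often, i.e. its preferred network."""
    counts = seen.get(victim_mac)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    laptop = bytes.fromhex("001122334455")           # constructed client MAC
    capture = [build_probe_request(laptop, s)
               for s in ("linksys", "", "linksys", "corpnet")]
    seen = leaked_ssids(capture)
    print(seen)
    print("rogue AP should advertise:", rogue_ssid_choice(seen, "00:11:22:33:44:55"))
```

    The same parser serves the defender: a client that keeps sending directed probes for an SSID no legitimate AP on site announces is exactly the laptop the demo caught, and a client that only ever sends wildcard probes gives an attacker nothing to impersonate, which is why the empty SSID is dropped from the tally.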

  44. It was just silent... by kmortelite · · Score: 4, Funny

    "It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."

    And then some guy in the back stands up and starts yelling "Developers! Developers! Developers..."

    1. Re:It was just silent... by sublimespot · · Score: 1

      you gave me a total visual of that. Sweat dripping down his armpits. hahah

    2. Re:It was just silent... by dangitman · · Score: 1
      you gave me a total visual of that. Sweat dripping down his armpits. hahah

      Normal people don't find that a pleasant experience worth laughing about. YMMV.

      --
      ... and then they built the supercollider.
    3. Re:It was just silent... by sublimespot · · Score: 1

      If you think it's not funny then I guess you haven't seen the video.

    4. Re:It was just silent... by dangitman · · Score: 1

      I've seen the video. Believe me. Made me want to reach for a bottle of bleach to cleanse my eyes. It's funny, but not "ha-ha" funny.

      --
      ... and then they built the supercollider.
  45. Re:MOD CHILD UP by Anonymous Coward · · Score: 0

    As maturity is sorely lacking in the poster.

  46. Blue hat of death by Anonymous Coward · · Score: 0

    Makes me think of that scene in The Killing Fields when you would confess your sins to the uncle they would put that colored plastic bag over your head and dump you the second they were through with you. Those that help the enemy secure their product are traitors and should be the first against the wall when the inevitable Linux desktop revolution occurs. We should think now, long and hard as to what technology we will be using to maintain our traitor's list or MS might just get the jump on us. It will be ironic if we are forced to use a feature-rich MS product to maintain our MS traitors list.

  47. Behold, the problem by CaptainCarrot · · Score: 2, Insightful
    Or at least part of it anyway. From the article:

    The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.

    "Don't necessarily focus on security features"? If this is just the reporter making up his own description it's not so bad. But if he's just echoing what he was told by Microsoft or whoever his source was, then they're looking at this backward and probably have been for a long time.

    Anyone who touches that code for any reason at all has to keep security in mind every time he does it. It doesn't matter if he's responsible for authentication or whatever else they're including under the rubric of "security features". Any bit of code is a potential vulnerability. It only takes one buffer overflow, one set of bounds that's not checked, one line of code that doesn't validate the terminator on an input text string, to create one. And then it's a security problem for everybody. If making non "security feature" programmers aware of these issues is a new thing at MS, they've been doing this all wrong for years. (As many have suspected, but seeing it possibly confirmed is still a bit of a shock.)

    --
    And the brethren went away edified.
    1. Re:Behold, the problem by Effugas · · Score: 3, Funny

      That's the point -- there weren't just network programmers, or compiler writers, or the reps from the security business unit who'd go to Black Hat anyway. People from across the organization showed up.

      Chill. I was there. You'd have liked it.

    2. Re:Behold, the problem by CaptainCarrot · · Score: 1
      So I gathered. That was stated in the quote I presented from the article. It's nice if MS is now "getting it". It would have been far nicer had they "gotten it" some time ago. The presumption -- and again I can't determine for certain whether it's on the part of the article writer or MS -- that such events would normally be only for people responsible for "security features" but on this occasion (Huzzah!) it wasn't, was my point of departure.

      Chill? My remarks were quite moderate, and I'm hardly a member of the anti-MS /. claque. If I were, I'd hardly be using XP at home, would I?

      --
      And the brethren went away edified.
    3. Re:Behold, the problem by Effugas · · Score: 1

      Yo, Carrot--

      You've got a point. Sorry 'bout that.

      --Dan

  48. a little niggle by JamesD_UK · · Score: 3, Informative

    Can people write, or the editors make sure that article summaries are just that, not cut and pasted paragraphs from the article? The posting makes it look like Mz6 wrote those paragraphs which is only true if she's Ina Fried .

    1. Re:a little niggle by kaens · · Score: 1

      Sure, they can. But they won't. All the words worth reading are below the summaries 99.99% of the time anyhow.

  49. An extremely dangerous stunt by G4from128k · · Score: 3, Insightful

    Unless Microsoft uses NO wireless on its campus or unless the walls were RF shielded, this was a very dangerous stunt. If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall. Range is no protection as it would not be hard to build a high-gain antenna into the lid of a hacker's laptop and orient it to pick up WiFi elsewhere on the Microsoft campus. If a hacker can gain access to an inside machine, they could plant a backdoor for later exploits including attacks on the company's codebase.

    I'm not a shareholder or a user of their products (except to the extent that the vast majority of the companies I do business with use Microsoft) but I find this an extremely irresponsible act on the company's part. If they want to try this sort of security testing, and they should, it should be done off-site or in a shielded room.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:An extremely dangerous stunt by fred+fleenblat · · Score: 1

      (a) they probably had names and address of everyone who showed up. any weird post-demo problems -> send FBI.

      (b) you don't need to be on-site to attack a wifi installation. a top-quality directional antenna will work from a few miles away.

      (c) what's wrong with you, don't you *want* microsoft to fail?!?

    2. Re:An extremely dangerous stunt by Locke2005 · · Score: 1

      And how is doing that from a conference room any different from doing it while sitting in a car out in the visitor's parking lot?

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:An extremely dangerous stunt by Anonymous Coward · · Score: 0

      They used a demo notebook and fooled into connecting to a fake ap (probably using FakeAP, oddly enough). They didn't hack the notebook.

      There was very likely no net connection of any kind.

      Just one "legitimate" access point and one "fake" access point, neither of which actually went anywhere.

    4. Re:An extremely dangerous stunt by Jah-Wren+Ryel · · Score: 2, Informative

      If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall.

      Anyone doing even halfway decent wireless networking in the corporate environment is simply using the wlan as a transport layer for a VPN. Without the VPN you can't get anywhere.

      --
      When information is power, privacy is freedom.
    5. Re:An extremely dangerous stunt by DanteLysin · · Score: 1
      Unless Microsoft uses NO wireless on its campus or unless the walls were RF shielded, this was a very dangerous stunt. If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall.

      Microsoft's wlan and corporal wan are completely different networks.

    6. Re:An extremely dangerous stunt by Sanguis+Mortuum · · Score: 1

      Corporal Wan? Sounds like a Chinese army officer...

    7. Re:An extremely dangerous stunt by sublimespot · · Score: 1

      fakeap creates fake access points to trick net stumbler applications like netstumbler or kismet. It switches the ssid so quickly that nobody would be able to authenticate to any of them.

      All you need is a card that supports master mode. Then, a couple of iwconfig commands and your card becomes an access point.

  50. IT def of "heap overflow" by Anonymous Coward · · Score: 0

    1. When the "in" tray has more paper in it than the "out" tray.
    2. When you have to get up and clean out your pants because:
    A. It's bothering your hemorrhoids.
    B. Your fellow employees are making odor comparisons to themselves.
    C. The head honcho of the IT department wants to date you, and asks you if you are into "felching".

  51. Pride comes before a fall by Ridgelift · · Score: 2, Insightful
    FTA: Yet regardless of the mutual admiration, some tense moments were inevitable during the confrontation.

    Microsoft developers, for instance, were visibly uncomfortable when Moore demonstrated Metasploit--a tool that system administrators can use to test the reliability of their systems to intrusion. But Metasploit also includes a fair number of exploits, as well as tools that can be used to develop new types of attacks.

    "You had these developers saying, 'Why are you giving the world these tools that make it so easy to do exploitation?'" Kaminsky said. They calmed down, he said, once the researchers were able to state their case.

    "We do regression testing in the real world of software development," Kaminsky said. "If we say, 'This thing isn't going to break,' then we need to test that. What these tools give is the ability to do this kind of testing, to be able to say not just, 'We did the best we could,' but 'We tried stuff and nothing worked.'"

    Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.
    Wow. This is great (and about time too). What really seems clear to me from all this is the problem with Microsofties is the same problem a lot of slashdot readers suffer from: hubris.

    Open Source software is not bulletproof. It suffers from security defects as well. The big difference, however, is we're up front and honest about it. Microsoft can't afford to be that way, as they rely on customer confidence and their monopoly to stay in business.

    Microsoft seems to be understanding that their real problem in improving security is people, not so much the technology. By letting the "bad guys" knock the bricks down in front of the programmers who build the stuff, it oughta sink in pretty deep.

    Fix the attitude among the developers and the technical stuff will probably follow. Too bad a lot of slashdotters aren't able to experience the same thing.
  52. FINALLY!!! by Whatchamacallit · · Score: 2, Insightful

    Time for the security guys to SMACK some sense into those MS Engineers! Go Man Go! Your system is like Swiss Cheese and you really really need to freaking fix it! This BlueHat event is literally a smackdown to wake the MS engineers and management up to just how bad it really is. It is critical for the MS Engineers to get shaken out of their MS Corporate boots and have their eyes opened to the truth. Seeing your most recent work getting compromised in seconds must have driven some of these guys completely bonkers!

    The invited security experts are familiar with all kinds of exploits even at the latest patch release. However, the really smart ones are not working security for a living; they are doing International Corporate Espionage where you don't publish what you find, you use it over and over and guard it as a secret so you can get paid as you steal IP from one company and sell it to another.

    Personally, I don't believe that MS will be able to fix Windows unless they go through a complete rewrite, that means beyond Longhorn before they get it right. They can continue to band-aid it or they can start over and design the way OpenBSD designs. Include security regression testing into their milestone workflow. While they are re-doing things they can also fix all the other broken crap that needs fixin!

    1. Re:FINALLY!!! by RaffiRai · · Score: 1

      > Time for the security guys to SMACK some sense into those MS Engineers!

      Not that I really disagree with you there, but Microsoft invited them there to do just that. It's not like the execs were surprised.

    2. Re:FINALLY!!! by Anonymous Coward · · Score: 0

      A little tidbit:
      OpenBSD itself is a reworking of what was an existing system (BSD). They didn't start from scratch and rewrite their own OS.

  53. Passion not Anger by EccentricAnomaly · · Score: 1

    It's one thing to be passionate about your work and another to get angry at someone who criticizes your work. A professional cares more about doing a good job than about protecting their egos. And if you want to do a good job you need to seek out ways to find errors in your work... getting angry is counterproductive to such an endeavor.

    --
    There are 10 types of people in this world, those who can count in binary and those who can't.
  54. two BILLION a year... by zogger · · Score: 3, Insightful

    ...on "security"

    uh huh

    think about what that sort of cash would do to help out open software in general terms, all the various neato projects done with a few dollars and a lot of skull sweat. Think about if only a fraction of that went to linux kernel development, say something small, like 100 million dollars, 1/20th of what MS spends on "security research"

    I am just amazed at this, it is just a staggering sum for those products and their "security features".

    1. Re:two BILLION a year... by ForemastJack · · Score: 1

      It's Friday. This'll kill my karma, but so what? It has to be said.

      Quoth the parent:

      ...think about what that sort of cash would do to help out open software in general terms, all the various neato projects done with a few dollars and a lot of skull sweat. ...say something small, like 100 million dollars, 1/20th of what MS spends on "security research"

      Yes, alas, I do know what it would get the opensource community:

      • 4,283 mp3/ogg players
      • 9,012 text editors
        • 2,100 in TCL
        • 3,991 in Python
        • 3,440 in Java
        • 1,020 in Perl
        • 60 in c/c++
        • 1 in LISP
      • 293 stuck-at-.15a-alpha-release desktop environments (123 Enlightenment clones)
      • 4 useful, fills-a-need projects, 3 of which are mired in developer pissing contests, user flamewars, and forking debates.
  55. Good news by It+doesn't+come+easy · · Score: 1

    It's good to see this. Credit to Microsoft for really trying. Not to be too kind to Microsoft, however, I think it is a lost cause to try and make Windows reasonably secure. Security is tough enough when you design for it from the start. Tacking security on never works. You reach a point where a fix in one place just creates a security hole somewhere else. But I guess it's better than doing nothing at all.

    --
    The NSA: The only part of the US government that actually listens.
  56. I worked security at Microsoft by Anonymous Coward · · Score: 0

    I did security work for Microsoft several years ago. They had an internal hacking team that was pretty good. We had people in my group that were pretty good. The head of security for MSN was very good. People knew security.

    However, every time I tried to push through a security fix or privacy issue, it was an uphill battle. I had to convince a PM that there was a problem, research had to be done about it, pre-production testing would have to happen, and finally a production release. Lots of the time, if there wasn't a remote execution class vulnerability, I couldn't get a fix pushed through.

    The problem really became that the number of products were so diverse that any security fix at the OS level would stop some other application from working. For instance, completely turning off the null-session vulnerability in Windows 2000 SP1 by setting RestrictAnonymous to 2 on the domain controller would make Pre-SP1 Exchange stop working. Things like that made it impossible to get a good grip on the security stance.

    And of course, that was just the tip of the iceberg. Add in that the security people in Windows didn't talk to the Exchange team didn't talk to the IE team didn't talk to the IIS team, and you got a nightmare. Between no cohesive communications and the general apathy/resistance to fixing things due to the political and resource minefield, I was usually unable to do my job and finally gave up.

  57. Engineers? by HydroCarbon10 · · Score: 5, Informative

    WTF is up with calling programmers engineers now? The term 'engineer' is regulated in all 50 states, and calling yourself an engineer without being licensed is worthy of a fine. There are some exceptions, but these vary from state to state, making it best to completely drop the title 'engineer' unless you're actually licensed in the state you're advertising in.

    --
    The best way to accelerate a windows box is at 9.8 meters per second square.
    1. Re:Engineers? by Anonymous Coward · · Score: 3, Informative

      The title Software Engineer is not regulated.

    2. Re:Engineers? by chapman_164 · · Score: 5, Informative

      Actually, calling yourself an engineer is fine. Calling yourself a "Professional Engineer" is what will get you in trouble unless you are appropriately licensed.

    3. Re:Engineers? by CPUGuy · · Score: 1

      Along with what others have said...

      I don't know about other colleges but Computer Science is in the engineering department here.
      Now whether or not everyone there had degrees, who knows, but engineer is a correct term.

    4. Re:Engineers? by The+One+and+Only · · Score: 1

      Just try telling the software engineers that. I wouldn't be surprised if the title "engineer" isn't worth something in the tens of thousands per year and two to three inches of metaphorical penis size.

      --
      In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
    5. Re:Engineers? by HydroCarbon10 · · Score: 2, Informative

      As an EIT, I can tell you that it's actually extremely vague and varies from state to state. You may or may not be able to get away with just 'engineer' depending on which state you're in, the phase of the moon, and who happens to be sitting on the regulatory board for your state. At least, that's my understanding of the issue based on a presentation given by someone who sits on the board in Texas and was attempting to clarify the issue.

      --
      The best way to accelerate a windows box is at 9.8 meters per second square.
    6. Re:Engineers? by HydroCarbon10 · · Score: 0, Redundant

      As an EIT, I can tell you that it's actually extremely vague and varies from state to state. You may or may not be able to get away with just 'engineer' depending on which state you're in, the phase of the moon, and who happens to be sitting on the regulatory board for your state. At least, that's my understanding of the issue based on a presentation given by someone who sits on the board in Texas and was attempting to clarify the issue.

      Of course, I could be completely wrong. I still think anyone with a CS degree who managed to get a job shouldn't get to call themselves an engineer.

      --
      The best way to accelerate a windows box is at 9.8 meters per second square.
    7. Re:Engineers? by djdanlib · · Score: 1

      Here at RIT, we have a College of Computing and Information Sciences ( http://www.rit.edu/~gccis/ ) and that's where CS lives. It's separate from our College of Engineering. Computer Scientist might be considered more proper here.

    8. Re:Engineers? by CPUGuy · · Score: 1

      Well, we also have "computer engineering", who do programming as well.

    9. Re:Engineers? by rnelsonee · · Score: 1
      Yeah, Univ. of Maryland has CS, Electrical Engineering, and also a hybrid of the two that is actually called Computer Engineering.

      I call myself an engineer because I do engineering work (and have the electrical eng. degree), even though I mostly code now.

      But I can understand the frustration - there is an accreditation process you must go through before you're a "professional engineer", and I don't mean to take that away from those who actually took the required exams (EIT and PE), but I guess that's why the "professional" is there. Other professions that require this post-graduate certification (doctors, lawyers) certainly don't have this problem. Well, maybe doctors, but the people who call themselves doctors but aren't are simply quacks, and no one takes them seriously anyway.

    10. Re:Engineers? by Anonymous Coward · · Score: 0

      Let's make this simple. No iron ring, not an engineer.

    11. Re:Engineers? by Detritus · · Score: 1

      There are doctors and there are physicians. There are quite a few people who are entitled to be addressed as doctor who are not physicians.

      --
      Mea navis aericumbens anguillis abundat
    12. Re:Engineers? by Anonymous Coward · · Score: 0

      Don't be an idiot. There are thousands of unlicensed, but legitimate, engineers in all states. And this is how it should be. If you need to be a professional engineer, then get licensed. Most engineers don't need to be licensed and shouldn't get licensed. Let the company I work for (who often dictate how I have to do my job) take on the liability.

    13. Re:Engineers? by /dev/trash · · Score: 1

      Funny, then Siemens should be fined big time as they call all their programmers Software Engineers.

    14. Re:Engineers? by JohnsonWax · · Score: 1

      At least, that's my understanding of the issue based on a presentation given by someone who sits on the board in Texas and was attempting to clarify the issue.

      You have it right. It is vague and in some states 'engineer' is enough to get the attention of the labor board and the local NSPE. California not too long ago went through this with Cisco calling everyone engineers.

      But more importantly, most programmers simply aren't engineers by training. Many programs don't cover the professional elements of safety, reliability, economics, and so on. The reason the Texas board is speaking is they're the first state to offer licensure for Software Engineering.

    15. Re:Engineers? by JohnsonWax · · Score: 2, Informative
    16. Re:Engineers? by Insightfill · · Score: 1

      I work for a software company that USED TO HAVE "Engineering" in its name. They dropped it because there are a handful of states that require you have at least one "Professional Engineer" on staff, which we didn't, but still wanted to do business in those states.

    17. Re:Engineers? by Anonymous Coward · · Score: 0

      No it's not.
      There was a ruling here (Canada) that denied Microsoft from using the title "Microsoft Certified System Engineer" (MCSE)

  58. Constructive criticism by Alwin+Henseler · · Score: 1
    Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool.

    Actually that's helpful: show how something is flawed = show how it can be improved (constructive criticism). Fix that flaw, and you have a better product than before.

    As opposed to "hey it sucks, because it's <xyz>", which provides no hints on how things could be improved (well, other than removing <xyz> from the equation, if that is what makes it suck).

    It's just how you look at it. Any good coder (or vendor) shouldn't be afraid to take constructive criticism. In case you see me fuck up: tell me, and be sure to include details, so I can do a better job next time.

    --
    He who asks is a fool for five minutes, but he who does not ask remains a fool forever.
    1. Re:Constructive criticism by cagle_.25 · · Score: 2, Insightful

      The context really matters here. If my boss sent me a quick e-mail saying, "Hey, I found a NULL pointer dereference in your device driver!" then I would thank him and fix it.

      If same boss organized a conference and allowed SOMEONE ELSE to purposely expose my NULL pointer dereference by demonstrating that the mouse locks up or causes a seg fault or whatever, then I would feel that my boss was making a point: I'm an employee who is worth publicly humiliating.

      I would find a new job.

      --
      Human being (n.): A genetically human, genetically distinct, functioning organism.
    2. Re:Constructive criticism by GeckoX · · Score: 1

      Yes, but what if your boss had already come to you and said "Hey, I found a NULL pointer dereference in your device driver!", and you said: "BS, that's impossible!".

      And it was also reported all over the internet, and you said: "BS, that's impossible!".

      What would get you to change your mind?
      Or would you rather be fired?

      IMHO, you'd deserve the public humiliation.

      Shit, MS and even BG himself have been repeatedly publicly humiliated over security issues. Maybe this isn't as simple as fixing one single bug in code?

      --
      No Comment.
    3. Re:Constructive criticism by cagle_.25 · · Score: 1

      You're right ... that's different. And I'm right...context matters a whole lot here. :-)

      --
      Human being (n.): A genetically human, genetically distinct, functioning organism.
  59. What REALLY happened... by chia_monkey · · Score: 2, Funny

    Yeah...M$ MEANT for that to happen. Here's the real story:

    M$ Exec 1: "Oh sh*t!!! We've got a security problem. One of our computers has been lured to a baaaaad network"

    M$ Exec 2: "Crap. Wait, I know. Get MarComm on the phone. We'll tell the world we were running a test. We're finding flaws so we can fix them. Yeah, that's the ticket."

    M$ Exec 1: "Good thinking! Maybe we should tell them to also release a statement that the BSOD is actually Microsoft's commitment to employee health. A soothing blue screen comes up, gently reminding employees to get up, stretch their legs, refocus their eyes..."

    --
    "He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
  60. How about +1, Troll? by ArielMT · · Score: 0, Offtopic

    About your sig: Wondering why i am doing so strange posts? I am trying to get a "+5,Flamebait" or "-1,Insightful" rating.

    How about (Score: 1, Troll)?

    --
    It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
  61. +5, Overrated is much more funny.

    --
    Sig
  62. They have to change by DigitlDud · · Score: 1

    It's not about creating a customer base anymore, that was the old company mission. Now they have all the customers, and they need to keep them. Aggressive business tactics only get you so far. Now Microsoft has to do what the customers want or they'll lose them to some new "Microsoft" up-start (like Google).

  63. Microsoft has to care about this by algae · · Score: 1

    Here's one of the most insightful, yet scariest quotes from the article:

    "The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."

    MS has seen that it's possible for there to be a secure and customizable end-user OS (MacOS X, Linux, etc), so much as they might like to, they can't attack the problem by taking customizability away from the user. Hence workshops like these.

    I think that some other posters have it right when they compare the current security effort with the rise of IE in the late 90's. Sleeping giants and all that.

    --
    Causation can cause correlation
  64. ppl ppl, evrywhr! by Apotsy · · Score: 0, Offtopic

    Wher thrs musc, thrs ppl.

  65. Re:Three ways to do things by Anonymous Coward · · Score: 1, Funny

    1) The right way
    2) The wrong way
    3) The Max Power way*

    * same as the wrong way, only faster

    Homer J. Simpson

  66. Here We Go Again by Anonymous Coward · · Score: 1, Insightful

    Remember Microsoft declaring Bug Month?

    http://slashdot.org/article.pl?sid=02/02/02/2012227&tid=109

    "We are not coding new code as of today for the next month." Richard Purcell, director of the Microsoft's corporate computing office. That was February 2002.

    The big shock for me was actually getting contacted by a Microsoft engineer requesting more information on a particularly bad CSS issue in IE6. I hadn't believed Bug Month was anything but PR till that point.

    Then nothing got fixed. It's three years later and zero IE6 CSS flaws have been fixed. Zero.

    There's no reason to expect better this time.

  67. Outside firewall by Anonymous Coward · · Score: 0

    I'll bet their wireless network is outside their firewall and they use a (I bet MS) VPN client to connect back in to their corporate LAN.

    -ac

  68. Why this is scary by G4from128k · · Score: 1

    (a) they probably had names and address of everyone who showed up. any weird post-demo problems -> send FBI.

    Perhaps. But if someone gets Longhorn's source code and creates exploits for its launch in late 2006, will anyone remember to check the list of March 2005 attendees? Also, a suitably documented attendee could easily pass information to an undocumented outside hacker.

    (b) you don't need to be on-site to attack a wifi installation. a top-quality directional antenna will work from a few miles away.

    Very true (what a very unpleasant thought). Yet attacking from the outside is harder because of the longer distance, metal in the buildings, and clutter of WiFi cells in a large campus. In contrast, being in an executive conference room probably puts the hacker in close proximity to wireless networks for top executives at the company. A keyboard logger on Allchin's or Gates' laptop would be far more damaging.

    (c) what's wrong with you, don't you *want* microsoft to fail?!?

    Absolutely. I'm just concerned with the failure mode. If people just stop buying Microsoft products, that's great. But if hackers find a way to pull data out of my bank's databases then I will not be so happy. Loss of market share is fine; a catastrophic breach of commercial and government systems would be very very bad.

    --
    Two wrongs don't make a right, but three lefts do.
  69. No by Anonymous Coward · · Score: 0

    Microsoft is Mr. Shit :)

  70. MS Coders Ignorant? by redhatkingpin · · Score: 2, Interesting

    "We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."

    Maybe it's just me, but I would assume these guys would actually have spent time securing their own computers, dealing with spyware and worms, etc. Maybe even attempting to hack their own computers to test it. More so, do they not keep up on the latest techie news given that they are geeks?

    Maybe if all MS programmers signed up to receive slashdot digests every day and took the time to read the articles and comments, they would learn from others' experiences with MS products and use those critiques to improve their products.

    Do these people live in a hole or something?

  71. I always thought... by mangus_angus · · Score: 0, Redundant

    that most hackers had already met microsoft.

  72. what does this have to do with windows... by rcamera · · Score: 2, Interesting

    maybe i missed something, but what does connecting to a malicious network have to do with an operating system? could os x have connected to the same wireless network? how about linux? this is as much an os flaw as 'click yes to install spyware'

    user idiocy is not an os flaw. end of story.

    --
    Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
    1. Re:what does this have to do with windows... by GnarlyNome · · Score: 1

      With 'nix the problem is getting the laptop to connect to any wireless network
      at least on mine

      --
      Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
  73. Hushed Silence? by Anonymous Coward · · Score: 0

    Why? Because it took them sooo long to break it?

    A few minutes?

    Must have been a slow laptop...

  74. Knows about MD5? by DevanJedi · · Score: 2, Insightful
    So in the right column of the article there is a little 'anecdote' from the conference that says that some guy called Allchin (god of Windows OS) asked a 'blue hat' about MD5 and the article goes on to say:
    Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company.
    Knowing about MD5 makes a software guru 'deeply knowledgeable'? What kind of an article is this?
    1. Re:Knows about MD5? by Effugas · · Score: 3, Interesting

      It wasn't so much the question, as the unexpected nature of it. I'd just finished talking about very different things -- video over DNS, backtunnelling through dual-hosted name servers, etc -- and it had been about 20 minutes since I'd mentioned that, *if* someone asked, I'd show what was wrong with MD5.

      No matter. This guy -- I had no idea who he was at the time -- heard something he needed to precisely understand, and got his answer at his first opportunity.

      It's kind of cool that senior management at Microsoft a) showed up at an internal hacker con and b) knew enough to not only understand what I was talking about, but was interested enough to demand more.

      Dude. Have you met anyone in senior management? There's a reason so many people relate to the Dilbert PHB.

    2. Re:Knows about MD5? by veg_all · · Score: 1
      Exactly. The whole quote:
      During a recent talk in Redmond, security researcher Dan Kaminsky wasn't sure how geeky to get. After all, he was talking to a bunch of executives on the first day of Blue Hat, not Microsoft's rank-and-file engineers.

      So he kept his comments brief when it came to a flaw in something called MD5--a "hashing" algorithm, or a kind of fingerprint used to authenticate documents. He figured it was probably too esoteric for his audience. The rest of his presentation was focused on a different security topic.

      But when it came time for questions, "this one guy with a shock of white hair looks straight at me and just says, 'MD5.'" Kaminsky, who said the comment seemed more like an order than a request for information, complied by demonstrating how two Web pages could have the same "hash," as the man listened and nodded knowingly.

      So he tossed out some buzzword he had heard without any context to indicate that he had any idea what he was talking about (maybe he knew MD5 was a hash -- at best) and we're supposed to think the presenter was blown away at the knowledge of MS execs? It's about the same as if he had yelled out, "C!" Oh my god! That's a programming language that can have overflows! Those can be a serious security concern. Wow, he knows his shit!
      Silly, silly, silly.
      --
      grammar-lesson free since 1999. (rescinded - 2005)
    3. Re:Knows about MD5? by DevanJedi · · Score: 1
      an internal hacker con
      Dude- according to the article, it wasn't an internal hacker con. It was a Microsoft event. And senior management is one thing; but the guy IN-CHARGE of Windows is quite another.
    4. Re:Knows about MD5? by Effugas · · Score: 2, Insightful

      Lesse...I was there, Dug Song was there, K2, Shok, and Dino were there...a hacker con it most certainly was, just with a rather different audience than normal.

  75. Fallguy by Anonymous Coward · · Score: 0

    Allchin's name has become largely synonymous with the Windows operating system he oversees.

    The fallguy has a name!

  76. Wireless Network by Natchswing · · Score: 1
    This is news to anyone at Microsoft? I have a wireless connection here. I have specifically told XP not to connect to anything other than the preferred wireless network. The only preferred wireless connection is the router here in the house.

    I had the problem of the network connection regularly disabling itself and re-enabling itself. Turns out this is well documented on the internet but denied as an issue at Microsoft. Disable the zero wireless configuration service and it stops doing that.

    However, occasionally it refuses to connect to the preferred network after a reboot. It will show that the network is not connected. I tell it to connect and it will try connecting to the network. It gives the "repairing your network connection" while it looks. I have a normal connection while it's looking, but when it gives up I have no more connection.

    Other times, especially after a power flash, I'll notice that I'm connected to my neighbor's open wireless connection. Windows loves to connect to any random connection it can find.

    I'll reconnect to my wireless network and it will show "NOT CONNECTED - You are connected to this network." Well... which is it?

    I haven't found a way to stop Windows XP from connecting to any random network connection it finds. I swear I dated a girl like that once.

  77. Offtopic ? by Anonymous Coward · · Score: 0

    78% got bored and quit on 1st day. Do you have enough coffee?

    :-)

  78. Correct, but your phrasing needs a touch-up. :) by jd · · Score: 1
    "Saving face" can only occur after the fact, so you are perfectly correct in saying that saving face is a bad motivation, as it means that security holes won't be fixed until after they are exploited.

    (A bit like Ford only recalling models of car where the cruise control causes it to explode, whether or not it is faulty in other models. This is an actual story running on CNN at the moment, believe it or not.)

    The correct way to fix security holes is to identify them first. Waiting until afterwards is a bit like a bank waiting until it gets robbed to see if the security system works. By that time, it's a little late, as everything stealable has gone.

    Of course, it should not be assumed that the "correct" way is easy, or even practical for something the size of MS Windows. However, the engineers should be aiming for as close to that solution as they can.

    When Windows 2000 was released, there were 65,535 known bugs in their database, according to statements made at the time. These bugs had been identified, classified and filed. It is impossible to tell, outside of Microsoft, how many of these were security issues. However, I think it goes without saying that any that were should damn well have been fixed before release. Here, we are not talking about unknown, unidentified flaws - all of the really hard work had already been done. Fixing the bugs would have been easy, at that point.

    You can't fix what you don't know, but when you DO know and don't fix anyway, then it is not unreasonable for people to get upset.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Correct, but your phrasing needs a touch-up. :) by sn00ker · · Score: 1
      When Windows 2000 was released, there were 65,535 known bugs in their database, according to statements made at the time.
      Does anyone else find it interesting that that number will fit perfectly into an unsigned two-byte integer? Maybe MS are using internally-developed code to keep the number of reported bugs down?
      --
      "God, root, what is difference?" - Pitr, userfriendly
    2. Re:Correct, but your phrasing needs a touch-up. :) by unitron · · Score: 1

      I always figured that was just the (under) allotted size of the database and trying to enter the rest of them just caused buffer overflows. :-)

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    3. Re:Correct, but your phrasing needs a touch-up. :) by AaronLawrence · · Score: 1

      Everyone thinks that at first, but after some experience you realise that it is not practical to fix *every* bug in a product. Some things are just not important enough, or so unlikely to actually happen in "real life", that it's not worth fixing them.
      Of course, you prioritise and generally fix all the high priority items. I'd guess that 99% of those famous known bugs were low priority.

      --
      For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    4. Re:Correct, but your phrasing needs a touch-up. :) by zero_offset · · Score: 1

      The number Microsoft admitted to was 63,000.

      And for the record, that included things like misspellings in help files (which alone would sink any Linux distro I've ever seen), non-standard user interface issues (e.g. one of those weird dialogs where Yes/No buttons are used for non-yes/no questions) and many other things which aren't crashes or the other kinds of problems most people think about when they hear the word "bug".

      Given those considerations with regard to the size and scope of Win2K, 63,000 isn't actually that bad. Firefox has more than 7300 open bugs reported, more than 10% of that number, and clearly it isn't even close to 10% of the complexity of Win2K.

      Heck, how many open Linux bug reports are there?

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  79. Boycott yankdot by Anonymous Coward · · Score: 0

    fuck the dumb shits!

  80. LOL, those 'hackers' must have been rofl by v3xt0r · · Score: 0

    I know I do when mr. big-wig CIO at my work asks me to do security audits, although he usually fails to address the issues I raise, mainly to cover his own dumb ass for integrating a windows server environment in the 1st place. .NET? .NOT!

    --
    the only permanence in existence, is the impermanence of existence.
  81. Take a lesson from a Microsoft exec. by Erythros · · Score: 0

    See a wireless networking antenna.....

    Turn off Laptop for safety!!!

  82. Wrong Thinking by Morrog · · Score: 2, Insightful

    I've seen a few posts already that are saying Microsoft is getting better. They fail to see the pattern here. Microsoft makes a product, consumers cry and whine, Microsoft fixes it in 5 or so years, happy-happy-joy-joy until...OH another problem. It was the same then, and it'll be the same now and onward with Microsoft. They don't actively work to solve problems before an outcry, they wait for the outcry. This is responsive thinking, and I don't like it one bit. I want a forward thinking company behind the software I use. A company that doesn't just wait until everyone hates their software before fixing it. Let me quote the article: "'It kind of hits people up here,' Thomlinson said, pointing to his head. 'Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut.'" Wait...where are you? A Microsoft run event? WOW! Maybe just MICROSOFT programmers are doing this... I don't want someone who acts like this making the software I use/buy. Someone who refuses to believe their software is broken until they see it. HELLO!! The millions of people being infected as a result of unpatched issues in your software should have been clue enough. "Oh hey, our software really can be exploited! Man...that sucks...think we should do something about it?"

  83. ... and I am an alcoholic ... by xqcom · · Score: 0, Troll
    The first step to fixing a problem is an organization wide acceptance that the problem is real. This kind of a meeting between the "establishment" and "hackers" is so unprecedented, I can only assume that Microsoft is totally serious about fixing security.

    The one thing we do know from the Netscape vs IE war is that when Microsoft puts its mind to it, they are capable of working miracles. The same story goes for the WinCE vs Palm OS war. So I am quite confident that Microsoft will eventually be able to deliver its promise of a "secure computing environment".

    Maybe Microsoft will have to take some drastic changes to the OS to get there, but then Apple had to do the same to get where they are today with OSX.

    In the spirit of full disclosure, I run both WinXP and MAC OSX at home, and own MSFT stock :)

    --
    Denial is not a river in Egypt
  84. Thanks, we've already met by SuperKendall · · Score: 2, Funny

    "Hackers, Meet Microsoft"

    Oh, I see you're already well-acquainted!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  85. Btw: Ina Fried... by mjbkinx · · Score: 1

    She also wrote the article from the Apple Making a Spreadsheet? story just three entries down from this one on the /. main page -- congrats!

  86. Trusted Computing by Quant64 · · Score: 1

    TFA:"That shift began in earnest with a well-publicized memo written by Gates on the concept of "trustworthy computing" in 2002. Security had long been a concern at Microsoft, but the issue became imperative after several high-profile attacks exposed the degree of its vulnerabilities." If getting a more secure "out of the box" system means getting trusted computing along with it I would rather secure Windows myself.

  87. Blue? by BigLinuxGuy · · Score: 1

    OK, so how come we think of IBM as being "Big Blue" and not Microsoft if blue is Microsoft's corporate color? Come to think of it, the only blue that I know of that associated with Microsoft occurs when the OS takes a dump..........

  88. What's really sad by btarval · · Score: 2, Insightful
    "But *can* MS actually do anything?"

    It's really sad that they had several hundred engineers sitting around, getting taught lessons like this. 99% of the so-called hackers out there really aren't that great. And it's unlikely anything earthshattering here was used.

    I find it truly surprising that not one single Microsoft Engineer could take it upon himself to discover these flaws beforehand. And that they were surprised by these results.

    That tells me a lot about the Engineering talent. Hopefully some small change has been made in the mindset there. It would at least be a good small start; because one key thing about improving security is the mindset.

    --
    The best way to predict the future is to create it. - Peter Drucker.
    1. Re:What's really sad by bit01 · · Score: 1

      I find it truly surprising that not one single Microsoft Engineer could take it upon himself to discover these flaws beforehand. And that they were surprised by these results.

      That tells me a lot about the Engineering talent. Hopefully some small change has been made in the mindset there. It would at least be a good small start; because one key thing about improving security is the mindset.

      Agreed, however it's been my experience that programmers at most large software companies have an inflated view of their own abilities. They are in an insulated environment, tell each other they are wonderful, and just like academia don't realise there's a sharp edge out there.

      This is particularly true in software security where by-the-book standard protocols are broken and misdirected in bizarre ways to get protocol failures and breakin opportunities.

      --
      zealotry n : excessive intolerance of opposing views.

  89. Blue Hat? by The+Wooden+Badger · · Score: 1

    Is that like Blue Hat of Death?

    --
    Heroscape, it's like legos combined with anachronistic wargames.
  90. Alternate answer by Spectre_03 · · Score: 1

    Same as with default admin rights arguments:

    It is designed with ease of use in mind. "Wireless has always been such a pain, but now even a child can compromise...err connect to your laptop and extort...err ummm allow you to surf the web with little to no patching...errr uh, configuration."

  91. A step in the right direction by ebuck · · Score: 2, Interesting

    Sure, Microsoft is moving in the right direction; however, I would call it more of a shove than a move. Microsoft's not doing the pushing in this case, which makes it so hard to understand without some context.

    Microsoft has become synonymous with bad software. Why else would a company as powerful as Microsoft become so desperate as to pull off this latest stunt?

    This story includes:
    1. Uncooperative Black Hats that somehow manage to cooperate with Microsoft to assist in securing the OS, yet remain blacker than India ink.
    2. Wily engineers that manage to out-think the black hat by applying a token of common sense (the off switch).
    3. Engineers that become one with the enemy to make a better product for us.
    4. Flat out admittance that Microsoft makes a security challenged product, but will do much better because they've been shown that it can be compromised.
    5. Direct quotes from Microsoft insiders, implying that press was standing by.
    6. A specific agenda of defusing the security issue by admitting it, then appealing to Microsoft's software genius as having the solution in hand (now that they know what the problem is).

    Basically, the article can be summarized:

    Microsoft didn't know that Windows XP has problems, but now that someone has shown them, they'll get right on fixing those issues.

    Which is nearly the same spin we've been hearing since they first added networking to Win98.

    1. Re:A step in the right direction by Anonymous Coward · · Score: 0

      Press wasn't standing by at the event, you might have noticed in movies that journalists sometimes do interviews? I believe that is usually how they get quotes - either that or their magic 8 ball, I'm not entirely sure. If the press were eye witnesses to everything they wrote about, well, we'd read a lot more about the guy who spilt hot coffee on his lap at Denny's this morning.

  92. Heh... read the sidebar by JavaRob · · Score: 1, Informative
    Yes, it's a puff-piece, and the writeup works pretty darn hard to paint the "hackers" as impressed with the technical know-how of the execs. This is even more poorly executed in the sidebar.

    Excerpted for your amusement; pay careful attention and watch to see what deep technical know-how Allchin actually demonstrates beyond "nodding knowingly" (honestly, the guy probably knows what MD5 is, but he comes across as pretty silly here in spite of the praise he's getting).
    "Who Was That Guy"

    During a recent talk in Redmond, security researcher Dan Kaminsky wasn't sure how geeky to get. After all, he was talking to a bunch of executives on the first day of Blue Hat, not Microsoft's rank-and-file engineers.

    So he kept his comments brief when it came to a flaw in something called MD5--a "hashing" algorithm, or a kind of fingerprint used to authenticate documents. He figured it was probably too esoteric for his audience. The rest of his presentation was focused on a different security topic.

    But when it came time for questions, "this one guy with a shock of white hair looks straight at me and just says, 'MD5.'" Kaminsky, who said the comment seemed more like an order than a request for information, complied by demonstrating how two Web pages could have the same "hash," as the man listened and nodded knowingly.

    A week later, Kaminsky learned that his interrogator was Jim Allchin--one of the highest-ranking executives at Microsoft and, as the person in charge of the Windows operating system, one of the leaders in the technology industry as a whole. Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company.

    The brief encounter made a lasting impression on Kaminsky. "I was like, 'Who was that guy?'" he said.
  93. Good Training by Barkmullz · · Score: 1

    As we used to say in the Army: Good training!

    --
    Ronald said nothing. He flung himself from the room, flung himself upon his horse, and rode madly off in all directions.
  94. wtf? by Sfing_ter · · Score: 1

    I don't believe this, it is 3yrs since XP the all holy mother comes out after thousands, nay 10s of thousands, nay hundreds of thousands of exploits have passed their doors as "to do" lists. And now they are finally "taking this thing seriously".

    It's damn good they don't build spaceships... everyone would have a Shuttle in their back yard, or at least a big hunk of metal that use-ta be one :)

    I'm not saying that they are not trying, it's that they take their own sweet time, but expect others to respond immediately. "Firefox is broke, na na na nya" Fix your shit Bitch, then come and beg us to test it.

    Innovation - doesn't look worth a damn, but when it does it'll do this, and this, and this... and look how shiny it is!!!

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  95. Third party support by MMaestro · · Score: 2, Insightful
    As anyone who plays console video games can tell you, any change in hardware, software or even the controllers can result in serious and unexpected changes in the long run.

    How long do you think it took Windows to reach the state it's in now? If you're looking at just the major changes there have been a LOT compared to other software. (Windows 95, 98, 2000, XP, not counting updates, ME, or versions older than 95 and the unreleased Longhorn). Has there EVER been a major series of software changes in history on this scale? The answer is simple: no way.

    Throw in the fact that nearly 90-something% of all computer software is designed to fit into a Windows environment, the billions of users who have accustomed themselves to Windows' own quirks and the ever present threat of losing marketshare to Apple or Linux and what you're asking is impossible. There is no magical development wand that can be waved and all of Microsoft's problems would be solved. This isn't a Linux project where every user personally works on and personally customizes their OS either. The most obvious solution for Windows to take is simple, 'if it isn't broken (enough), don't fix it (yet)'.

    1. Re:Third party support by kiljoy001 · · Score: 2, Insightful
      There is no magical development wand that can be waved and all of Microsoft's problems would be solved. This isn't a Linux project where every user personally works on and personally customizes their OS either. The most obvious solution for Windows to take is simple, 'if it isn't broken (enough), don't fix it (yet)'
      This is the crux of Microsoft's problem, such an environment leads to stagnation - they can no longer innovate in this area. Unfortunately (or fortunately) this means that unless they take a significant risk, their OS is not going to be relevant in a few years. On that note, it makes me wonder who FOSS programmers are going to look to for what passes as "common" items/functionality in a modern desktop environment. OS X, perhaps?
  96. Hat colors... by jonadab · · Score: 1

    Okay, so now we've got black hat crackers, white hat and grey hat security people, a Blue Hat security conference, a Red Hat distro, and of course the Man in the Yellow Hat. What next?

    Oh, and I thought IBM was Big Blue. Microsoft's logos have the four colors (red, green, yellow, and blue), last I checked. Does that mean we're going to have Green Hats next?

    --
    Cut that out, or I will ship you to Norilsk in a box.
  97. The underlying motivation for this thread's posts by I'm+Don+Giovanni · · Score: 2, Interesting

    The funny thing is that the underlying motivation for most of the snide, derogatory comments made to this thread is, "Please, please, don't let Microsoft improve its security!"

    You guys are scared to death that Microsoft will kill off your security argument just like they did the stability argument. All of the negative posts regarding Blue Hat, the comments that it'll do no good, the assertions that only a complete rewrite from scratch will work, blah blah blah, are nothing more than wishful thinking. Many here hope, wish, and even pray for Windows to remain vulnerable, and it's clouding your thinking. Blue Hat (and other measures taken by Microsoft) is a good thing, and many of you just can't stand it. LOL

    --
    -- "I never gave these stories much credence." - HAL 9000
  98. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  99. OT Tangent on Monoculture by Crazy+Eight · · Score: 1
    Bringing in others gave us NT - not bringing in others gave us Outlook...

    Pixar recruited Brad Bird because they were "worried about becoming complacent".

  100. Translation from CorporateSpeak by bockman · · Score: 1
    "The security faults we are seeing could end up bringing an end to the era of personal computing,"

    We have made all the money we could out of the PC market, so there is no reason to keep the market alive. Let's move to something new that can be exploited.

    "The ability to customize our computers is under attack from those who are customizing it against our will."

    We will never be able to enforce content-protection measures if people expect to be able to tweak their computers as they please. So better start teaching everybody that a computer is just a sealed box to perform specific tasks, an electronic appliance not different from VCRs, cellphones and playstations. The more people accept that, the easier it will be for us to use their computers for our own purposes.

    --
    Ciao

    ----

    FB

  101. Am I missing something..... by ArnIIe · · Score: 1

    "During a recent talk in Redmond, security researcher Dan Kaminsky wasn't sure how geeky to get. After all, he was talking to a bunch of executives on the first day of Blue Hat, not Microsoft's rank-and-file engineers. So he kept his comments brief when it came to a flaw in something called MD5--a "hashing" algorithm, or a kind of fingerprint used to authenticate documents. He figured it was probably too esoteric for his audience. The rest of his presentation was focused on a different security topic. But when it came time for questions, "this one guy with a shock of white hair looks straight at me and just says, 'MD5.'" Kaminsky, who said the comment seemed more like an order than a request for information, complied by demonstrating how two Web pages could have the same "hash," as the man listened and nodded knowingly. A week later, Kaminsky learned that his interrogator was Jim Allchin--one of the highest-ranking executives at Microsoft and, as the person in charge of the Windows operating system, one of the leaders in the technology industry as a whole. Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company. The brief encounter made a lasting impression on Kaminsky. "I was like, 'Who was that guy?'" he said. --Ina Fried "

    Knowing about MD5 means...
    "Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company."
    WTF ?

  102. Think you need to learn your history... by Anonymous Coward · · Score: 0

    Read "Competing on Internet Time: Lessons from Netscape and Its Battle with Microsoft"

    You'll find Netscape managed to screw it up by themselves (OK so perhaps the pressure from MS didn't help)

    Why do you think the Mozilla team threw the Netscape codebase in the trash can - because it was good?

  103. What's Wrong With This Picture? by Master+of+Transhuman · · Score: 1

    "the company now spends $2 billion a year--more than a third of its research budget--on security-related issues."

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  104. Management knowledge of technical problems by johnw · · Score: 1

    Back in the early eighties, I used to work on Prestel software (a sort of proprietary forerunner of the web). The software worked by having a large number of processes running on the system, each of which handled one function of the service - i.e. process per function rather than process per user. Each logged-on user was allocated a chunk of memory (about 1k) which was then passed from process to process to handle the user's requests. If one process had a bug and failed to hand on the memory chunk then the user saw the system enter a state where it just failed to respond and the symptom was known as a "stuck port".

    The trouble was, just about *any* code error would result in this symptom. My immediate manager had latched on to the term and every time it was reported would say, "Ah! We've had this before haven't we? So you know how to fix it.", or "I thought you said you'd fixed this one?" He didn't seem able to comprehend that it was a common symptom of dozens of totally different bugs.

    A little knowledge can be a dangerous thing.

    John

  105. hey look! by circusboy · · Score: 1

    "easy remote administration!"

    --
    -- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
  106. Blue Hat... and the colours of Magic by Anonymous Coward · · Score: 0

    If you haven't played Magic: The Gathering, here's an explanation of colours:
    - White. The magic of the Light and all good-hearted beings. Obviously has a "dark" side: fanaticism, zealots, etc.

    - Green. The magic of Life. You know, druids, nature powers and beasts... but Nature can go "out of control" too. Tsunamis, earthquakes...

    - Black. The magic of Death. No further explanation needed here :)

    - Red. The magic of War. Associated with fire too. Fireballs, powerful warriors, blood everywhere...

    - Blue. The magic of Mind. You know: telepathy, telekinesis, mind control... oh wait! did I say MIND CONTROL? Run!!!!

    (And yep, blue and red are natural enemy colours there, like black and white)

  107. MS take security seriously?? by edxwelch · · Score: 1

    "At first, we all laughed."
    Sorry, I'm still laughing. Security still has less priority than marketing at MS. That's why you see all those services still switched on by default in SP2:
    http://www.theregister.co.uk/2004/09/17/xphome_sp2/

    "Firefox exploits are cropping up at a seemingly greater pace."
    Maybe you meant to say security hole rather than exploit?
    Firefox gets much more press when a minor security hole is discovered (something that is very hard to actually exploit), because there is an expectation that Firefox is flawless.
    Meanwhile, IE averages about a dozen critical security holes every year and no one says anything.

    1. Re:MS take security seriously?? by kmactane · · Score: 1

      Actually, yes, I did mean to say security hole. Not exploits. I know of no actual exploits for Firefox yet; only security vulnerabilities which haven't actually been exploited. My mistake.

  108. Hands went up by MECC · · Score: 1

    At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

    It would have been interesting to have had those 18 write a brief explanation on what a heap overflow was.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
  109. Security problems? not here! by JaySSSS · · Score: 1

    I met a MS mid level manager on a flight around '01 and we got to talking. I said "I think the biggest challenge MS will have in the coming years is security" He looked at me like I had two heads. Oh I would love to talk to him now, and see what he has to say.

  110. "Hackers had successfully lured... by pssldt · · Score: 1

    "Hackers had successfully lured a Windows laptop onto a malicious wireless network."

    You mean they just turned the laptop on?

  111. Somebody please enlighten me by Anonymous Coward · · Score: 0

    Was the whole thing staged?

    The article mentions that it was a demo of sorts, so it wasn't like this was a surprise. Well, maybe not to the organizers.

  112. Yes but by KingBahamut · · Score: 1

    Clearly there is probably little way that any of the "real" black hatters were there. So if a bunch of GreyHat types were able to do it, what would one have to assume about the "real bad guys", as M$ would describe them, and how fast they could do it?

    --
    "God of Rock, thank you for this chance to kick ass. "
  113. Re:Dividend Tax Rates by GecKo213 · · Score: 1

    Currently Dividends paid are taxed at a maximum of 15% no matter how much money you make. Regular income can be taxed at anywhere from 10% - 35% depending on the amount of taxable income you generate each year. That doesn't mention state income tax if your state charges it.

    --
    Generation Trance: What generation are you?
  114. Of course they're blue! by VernonNemitz · · Score: 1

    Remember this?
    More details here.
    And here.
    And is it still a viable attack even for WinXP? (I hear they're replacing the Win32 API for Longhorn, so maybe it won't be a problem there...)

  115. And what's up with the test? by raygundan · · Score: 1

    I figured after I finished up my Engineering degree that I'd jump through the hoops so I could call myself a Professional Engineer, but it was pretty silly. I took the first test, and passed, which I think makes me an EIT (it's been a while). But there simply wasn't a test at the time for software engineers. You could take your choice of test from any of the other engineering disciplines, but does it really help certify you as a Computer Engineer to take a Chemical Engineering or Mechanical Engineering test? I think I took ME. Does anybody know if this has actually changed? I'm not about to take the second half of the exam without some sort of reasonable test that is actually applicable to software engineering.

  116. Getting through to Slashdotters is hard by lenester · · Score: 1

    It seems like the single most prevalent fallacy in online debate today is calling "fallacy" when there isn't one. Ad hominem is a fallacy of irrelevance; it is only a fallacy when it is irrelevant.

    If a person is claiming to be an expert, and it can be shown that they are not, that person's "expert" testimony is invalidated. Calling a debater on the appeal to false authority fallacy is a perfectly valid tactic, and in fact extremely important for the proliferation of well-vetted ideas. That is what was done here; K. said, essentially, "a majority of engineers are not qualified to make marketing-related design decisions." Debate this if you will. Don't call it an attack, because it isn't; and if you can't see the difference, then you're not qualified to debate anything in the first place (note the conditional on this statement, and apply it to itself).

    Even if the false authority and the debater happen to be the same person, by the way, this does not make the statement "you haven't got the foggiest clue what you're talking about" an ad hominem fallacy if it is based on demonstrable grounds.

    I haven't felt the need to be this anal with terminology since college. Clearly I should read Slashdot more often: it keeps me on my toes.

  117. ZED by berbo · · Score: 1
    Zero Emotional Defects.

    I saw that once on some Star Trek spinoff.

  118. Dubious claim by sean23007 · · Score: 1

    "The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said.

    Probably not. If it gets to the point where personal computing might just die, people will just move to something else that doesn't have the problems. Be that Solaris, Linux, BSD, OS X, BeOS, whatever ... the era of computing isn't going to die. Windows might ... but only if they never fix any of these issues. And it seems like they're trying hard to.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  119. Wow... by Keamos · · Score: 1

    "Are you familiar with memory overflow exploitation?"

    O_O SHIT Bob, you'd better raise your goddamn hand. You're the chief security developer on over fifteen projects.

    "but I don't..... " DAMMIT Bob, just pretend there's a taco floating over your head!

    "mmm yo quiero taco bell"

  120. More marketing - will you guys ever get it? by lheal · · Score: 1
    Actually, all products undergo a mandatory security review before they are shipped.

    That's too little, too late. It's treating security as a feature that if broken causes the product to be delayed or scrapped.

    Yes, I'm aware of code reviews, and the open-within-Microsoft source code for the OS. That's all good, but it's not enough.

    If you think pushing back a broken product for security flaws is long-term thinking, then you're part of the problem. That's just anticipating what the market will do with a product that doesn't work.

    Microsoft is doomed to write insecure software because they're trying to keep their source code a secret. Yeah, they might make more money that way. But the only way to make sure your software is secure is to let people with no interest in its success see its code.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  121. _I_ like men, too... by Anonymous Coward · · Score: 0

    ...but have zero urge to swap semen with them, muddy my dipstick, fence with pork swords or stick my tongue down their, er, throat.

  122. +1, Ironic: NT used to run on PPC by leonbrooks · · Score: 1

    After seeing what deRaadt had to say about Linux, and reading a bit about OpenBSD and security, they'll probably base Shorthorn's successor on that and code name it Mammoth (ie the longest horns ever).

    Little realising, of course, that the least secure pieces of ShortHorn weren't the ones they replaced with OpenBSD code.

    --
    Got time? Spend some of it coding or testing
  123. CRACKERS! by Anonymous Coward · · Score: 0

    For fuck's sake.

    C-R-A-C-K-E-R-S.

    Not hackers.