Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers, Meet Microsoft

Posted by CowboyNeal on from the come-together dept.

Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."

15 of 496 comments (clear)

  1. "End of an era"? by TripMaster+Monkey · · Score: 3, Informative


    From TFA:


    "The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."

    Funny...the Fedora install on my laptop seems fairly customizable and fairly secure all at once...
    --
    ____

    ~ |rip/\/\aster /\/\onkey

  2. a little niggle by JamesD_UK · · Score: 3, Informative

    Can people write, or the editors make sure that article summaries are just that, not cut and pasted paragraphs from the article? The posting makes it look like Mz6 wrote those paragraphs which is only true if she's Ina Fried .

  3. Re:Corporate Color by nachoboy · · Score: 4, Informative

    The blue is actually a reference to the color of the square around your photograph on the Microsoft corporate cardkey. Only full-time employees of Microsoft have blue borders. Contractors and vendors have an orange border. Events for Microsoft employees only are typically referred to as "blue-badge only."

  4. Re:Pay outs by umofomia · · Score: 5, Informative
    They returned over 25 billion to their shareholders via tax free dividends.
    Where'd you get the impression that it was tax free? People who received the dividends still had to pay taxes on it (though it was treated separately from normal income).

    From http://www.microsoft.com/msft/FAQ/faqdividend.mspx :

    What is the tax treatment of the special dividend?
    The special dividend, along with the November 2004 quarterly dividend, was treated as "qualified dividend income" for U.S. federal income tax purposes. These dividends may also be considered "extraordinary" under the U.S. federal income tax rules depending on the facts and circumstances of the stockholder. Treatment as extraordinary may affect a corporate shareholder's basis in its Microsoft stock or, with respect to individual shareholders, may affect the tax characterization of a sale of their Microsoft shares. Thus, we strongly urge each stockholder to consult with their tax advisor regarding their specific tax treatment of these dividends including all applicable state, local, foreign and U.S. federal tax considerations.
  5. Engineers? by HydroCarbon10 · · Score: 5, Informative

    WTF is up with calling programmers engineers now? The term 'engineer' is regulated in all 50 states, and calling yourself an engineer without being licensed is worthy of a fine. There are some exceptions, but these vary from state to state, making it best to completely drop the title 'engineer' unless you're actually licensed in the state you're advertising in.

    --
    The best way to accelerate a windows box is at 9.8 meters per second square.
    1. Re:Engineers? by Anonymous Coward · · Score: 3, Informative

      The title Software Engineer is not regulated.

    2. Re:Engineers? by chapman_164 · · Score: 5, Informative

      Actually, calling yourself an engineer is fine. Calling yourself a "Professional Engineer" is what will get you in trouble unless you are appropriately licensed.

    3. Re:Engineers? by HydroCarbon10 · · Score: 2, Informative

      As an EIT, I can tell you that its actually extremely vague and varies from state to state. You may or may not be able to get away with just 'engineer' depending on which state your in, the phase of the moon, and who happens to be sitting on the regulatory board for your state. At least, that's my understanding of the issue based on a presentation given by someone who sits on the board in Texas and was attempting to clarify the issue.

      --
      The best way to accelerate a windows box is at 9.8 meters per second square.
    4. Re:Engineers? by JohnsonWax · · Score: 2, Informative

      It is in Texas.

      http://www.computer.org/software/articles/Speed.ht m

  6. Re:Can We Get Firefox Developers To Do This, Too? by Kirth · · Score: 3, Informative

    These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

    I don't think so. Of course they are now taking security a bit more serious, but there are so many big conceptual mistakes, so many design flaws, they won't and can't fix, or they would break thousands of applications which you can't just recompile...

    Like:
    - case insensitive but case-preserving filesystem (ambiguities in filenames)
    - active X and other unsafe scripting languages all over the place. Its not just the browser, its also word, excel and lots of other programs.
    - rpc for just about everything.
    - unsafe program interfaces. some application will happily accept any malformed events from some other components.
    - writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

    --
    "The more prohibitions there are, The poorer the people will be" -- Lao Tse
  7. Re:Good start by drsmithy · · Score: 4, Informative
    It would not supprise me to see Microsoft doing a Apple after Longhorn of creating a new Windows OS from scratch and praying that LH will hold untill it comes out.

    Apple didn't create a new OS from scratch, they bought an existing one - NeXT (although many will argue Apple bought Steve Jobs and NeXT was a nice bonus).

    Moreover, since NeXT was actually released for the first time way back in 1989, OS X's codebase is actually around 4 years *older* than Windows NT's.

    Apple didd this when small and surivived. And MS can do it now but cant pospone much longer.

    Microsoft will not create another from-scratch OS in the forseeable future. There is simply no need. Technically and architecturally NT is just as good as any of its contemporaries. 99% of problems in Windows come from legacy support (being phased out with .NET, x86-86 also providing a convenient excuse) and less than ideal default settings (hopefully on the way out with LH).

  8. Re:lured? by Effugas · · Score: 3, Informative

    http://blackhat.com/presentations/bh-europe-05/BH_ EU_05-Kaminsky.pdf

  9. Re:Good start by zbuffered · · Score: 3, Informative

    Like the article, your post contains no commentary on the actual nature of the specific Windows problems demonstrated at "Blue Hat".

    Using tools like void11, you can disconnect wireless clients. Windows automatically attempts to reconnect to the WAP. If you've got an identically-named WAP and you can overpower their WAP, they'll connect to yours instead. They won't be notified, and will think that they are on their own network. Which doesn't matter too much because you could alternately just sniff all their traffic (or even inject your own) without setting up a WAP of your own.

    There's a lot that MS can do about it, and code written 2 decades ago has absolutely no bearing on it.

    --
    Synergy is your friend
  10. Re:An extremely dangerous stunt by Jah-Wren+Ryel · · Score: 2, Informative

    If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall.

    Anyone doing even halfway decent wireless networking in the corporate environment is simply using the wlan as a transport layer for a VPN. Without the VPN you can't get anywhere.

    --
    When information is power, privacy is freedom.
  11. Re:Can We Get Firefox Developers To Do This, Too? by Tim+C · · Score: 2, Informative

    - case insensitive but case-preserving filesystem (ambiguities in filenames)

    How so? You can't create (for example) readme, README and ReAdMe all in the same directory on Windows, so you can't cause ambiguity like that.

    - writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

    Normal users don't have write access to the Windows of Program Files directories. Now, you can argue that MS hasn't exactly made it easy for people to run as normal users, but that's only partly true. NT has had ACLs from the beginning, and was released towards the tail end of the 90s - developers have had what, a decade to get used to the idea of user permissions on Windows? Even only counting from the release of XP, they've had 3 years or so. Yes, user-based security on Win 9x was non-exsitant, but come on.

    --
    It's official. Most of you are morons.