Hackers, Meet Microsoft
Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully
lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."
But will MS actually do anything?
It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.
So Microsoft has what, like 50 billion in cash reserves? Why don't they just do a bug bounty at, like, $50 a bug. Like Mozilla did. 50 billion/50 = 1 billion bugs they could find and fix; that would have to make some kind of dent, right... oh wait, never mind.
Madre de Dios! Es El Pollo Diablo! -- Captain Blondebeard
First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks. Second, this whole article is a bit of a puff piece; it seems designed to put Microsoft in the best light, "Can't we just all get along?".
Good for Microsoft that they're willing to do this kind of thing... shame on them for waiting until five years into the 21st century. While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line, maybe that kind of pressure will finally be enough to get them to clean up their mess, if only a little bit.
So what? Maybe they read some document informing them of what a heap overflow is. It's more important that these managers understand what goes into the code and the technical details that make the system operate, not what an "obscure" problem like a heap overflow is. Microsoft's managers can only claim technical know-how if they have experience working as developers, because otherwise it's simply too hard to understand the real issues that the engineers have to face.
Programmers actually thought that their code could not be exploited. I don't know if this is collective arrogance or part of the MS culture, but it seems most of the world outside of MS knows how easily code in general can be exploited. With as many security problems as MS has had, and Bill Gates' many public proclamations about security, you would think that they would know there may still be issues in their code.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident.
To me, this is very telling about those engineers' beliefs and attitudes about their own code. It also speaks volumes about their skill (and their personal belief about their own skill levels).
Real engineers fix problems, they don't get emotional.
Contrary to popular belief, most of these developers aren't intentionally releasing what they know to be insecure code. They test it beforehand, and sign their work. They are making what they believe to be a good effort at security.
Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool. It's natural to be angry, and hopefully it will only inspire them to greater vigilance in an attempt to save face.
Microsoft has managed to link itself with bad code to a degree that, recently, I spent over 40 minutes convincing a programming team that Code Complete was actually a good book and did not reflect the bad quality of Microsoft software.
Broken Hearts are for Assholes. - Frank Zappa
Is that so entirely unusual? Would you trust yourself to edit a manuscript that you wrote? When you review your own work, you naturally see your intentions instead of your results. That can be true at a personal, team or corporate level so it's not necessarily just a matter of easier.
~Someday, I hope to be an aspiring author.
I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.
It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.
Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.
Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.
In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 was a huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.
Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue Hat? Can we get together events like this of our own?
If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.
Kai MacTane: Web developer for hire in San Francisco
Saving face is exactly the wrong motivation to fix security problems.
If it takes public embarrassment to get these engineers to take problems seriously, then they're totally fucked.
First they show that (shock!) Windows is insecure, and then after much "deliberation" they will throw their hands up in the air, declare "computers" and "The Internet" to be insecure, and use that as a ploy to get Trusted Computing made mandatory by government.
I firmly believe they allow the virus and spyware problem to happen for this very reason.
That technique is
a) old news
b) not Microsoft specific.
Linux and OSX can also be tricked into connecting to a rogue access point.
Whichever access point is most powerful, or higher priority will be connected to.
The only shocking thing about the article is that the engineers haven't seen/heard/tried this before.
The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.
"Don't necessarily focus on security features"? If this is just the reporter making up his own description it's not so bad. But if he's just echoing what he was told by Microsoft or whoever his source was, then they're looking at this backward and probably have been for a long time.
Anyone who touches that code for any reason at all has to keep security in mind every time he does it. It doesn't matter if he's responsible for authentication or whatever else they're including under the rubric of "security features". Any bit of code is a potential vulnerability. It only takes one buffer overflow, one set of bounds that's not checked, one line of code that doesn't validate the terminator on an input text string, to create one. And then it's a security problem for everybody. If making non "security feature" programmers aware of these issues is a new thing at MS, they've been doing this all wrong for years. (As many have suspected, but seeing it possibly confirmed is still a bit of a shock.)
And the brethren went away edified.
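The comment above names three one-line mistakes that each turn ordinary code into a vulnerability, the last of them an input string whose terminator is never validated. The following C example is added here to make that concrete; it is not code from the thread or from any Microsoft product. It assumes a constructed fixed-size record format in which a `name` field is supposed to be NUL-terminated but an untrusted sender controls whether it is, and shows the unchecked copy beside a version that bounds the terminator search, rejects unterminated input, and checks the destination size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Constructed record format for this example (not from the discussion).
 * The 'name' field is meant to be NUL-terminated, but an untrusted sender
 * decides whether it actually is. */
struct record {
    char name[NAME_MAX];
};

/* The defect the comment describes: nothing checks that a terminator exists
 * inside the field. With an unterminated name, strcpy keeps reading past
 * 'name' and writing past 'dst'. Shown for contrast only. */
void copy_name_unsafe(char *dst, const struct record *r)
{
    strcpy(dst, r->name);
}

/* Hardened version: the terminator search is bounded to the field, input
 * without one is rejected, the length is checked against the destination,
 * and the destination is always terminated. */
bool copy_name_checked(char *dst, size_t dst_len, const struct record *r)
{
    if (dst == NULL || r == NULL || dst_len == 0)
        return false;
    const char *nul = memchr(r->name, '\0', NAME_MAX);  /* bounded search */
    if (nul == NULL)
        return false;                       /* no terminator within the field */
    size_t len = (size_t)(nul - r->name);
    if (len >= dst_len)
        return false;                       /* would not fit with its terminator */
    memcpy(dst, r->name, len);
    dst[len] = '\0';
    return true;
}

/* Constructed inputs: one well-formed record, one whose name is all 'A'
 * with no NUL anywhere in the field. */
struct record make_terminated(const char *s)
{
    struct record r;
    memset(r.name, 0, sizeof r.name);
    size_t n = strlen(s);
    if (n >= NAME_MAX)
        n = NAME_MAX - 1;
    memcpy(r.name, s, n);
    return r;
}

struct record make_unterminated(void)
{
    struct record r;
    memset(r.name, 'A', sizeof r.name);
    return r;
}

/* Returns 1 when the hardened copy rejects the unterminated record. */
int checked_rejects_unterminated(void)
{
    char buf[NAME_MAX];
    struct record bad = make_unterminated();
    return copy_name_checked(buf, sizeof buf, &bad) ? 0 : 1;
}

/* Returns 1 when the hardened copy accepts a well-formed name and
 * produces the expected string. */
int checked_accepts_terminated(void)
{
    char buf[NAME_MAX];
    struct record good = make_terminated("alice");
    return (copy_name_checked(buf, sizeof buf, &good) && strcmp(buf, "alice") == 0) ? 1 : 0;
}

/* Returns 1 when a valid name that is too long for the destination is
 * rejected rather than overflowed or silently truncated. */
int checked_rejects_oversized_dst(void)
{
    char small[4];
    struct record good = make_terminated("alice");
    return copy_name_checked(small, sizeof small, &good) ? 0 : 1;
}

int main(void)
{
    printf("rejects unterminated: %d\n", checked_rejects_unterminated());
    printf("accepts terminated:   %d\n", checked_accepts_terminated());
    printf("rejects oversized:    %d\n", checked_rejects_oversized_dst());
    return 0;
}
```

The unsafe variant is never called on the unterminated record, because doing so is undefined behaviour; the point is that `copy_name_checked` turns the same malformed input into an explicit rejection that a caller can log and act on.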
Unless Microsoft uses NO wireless on its campus or unless the walls were RF shielded, this was a very dangerous stunt. If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) access wireless networks outside the meeting room but inside the corporate firewall. Range is no protection as it would be not hard to build a high-gain antenna into the lid of a hacker's laptop and orient it to pick up WiFi elsewhere on the Microsoft campus. If a hacker can gain access to an inside machine, they could plant a backdoor for later exploits including attacks on the company's codebase.
I'm not a shareholder or a user of their products (except to the extent that the vast majority of the companies I do business with use Microsoft) but I find this an extremely irresponsible act on the company's part. If they want to try this sort of security testing, and they should, it should be done off-site or in a shielded room.
Two wrongs don't make a right, but three lefts do.
Exactly. Not only are outsiders able to look at the software from a clean slate, without the influence of their co-workers or company policies; they're also (relatively) free from retribution.
If they were an inside team doing the "blue hat" work, they'd be about as popular as Internal Affairs officers are to their fellow cops. There would be a lot of pressure to "just overlook that" from their friends, or folks who they feel loyalty to within the company.
I would not be angry I'd be ashamed.
I'm always open to somebody trashing my code. If they can trash it I need to learn what flaws I'm not aware of that I'm coding.
Open Source software is not bulletproof. It suffers from security defects as well. The big difference, however, is we're up front and honest about it. Microsoft can't afford to be that way, as they rely on customer confidence and their monopoly to stay in business.
Microsoft seems to be understanding that their real problem in improving security is people, not so much the technology. By letting the "bad guys" knock the bricks down in front of the programmers who build the stuff, it oughta sink in pretty deep.
Fix the attitude among the developers and the technical stuff will probably follow. Too bad a lot of slashdotters aren't able to experience the same thing.
Time for the security guys to SMACK some sense into those MS Engineers! Go Man Go! Your system is like Swiss Cheese and you really really need to freaking fix it! This BlueHat event is literally a smackdown to wake the MS engineers and management up to just how bad it really is. It is critical for the MS Engineers to get shaken out of their MS Corporate boots and have their eyes opened to the truth. Seeing your most recent work getting compromised in seconds must have driven some of these guys completely bonkers!
The invited security experts are familiar with all kinds of exploits even at the latest patch release. However, the really smart ones are not working security for a living; they are doing International Corporate Espionage, where you don't publish what you find, you use it over and over and guard it as secret so you can get paid as you steal IP from one company and sell to another.
Personally, I don't believe that MS will be able to fix Windows unless they go through a complete rewrite; that means beyond Longhorn before they get it right. They can continue to band-aid it or they can start over and design the way OpenBSD designs. Include security regression testing into their milestone workflow. While they are re-doing things they can also fix all the other broken crap that needs fixin!
...on "security"
uh huh
think about what that sort of cash would do to help out open software in general terms, all the various neato projects done with a few dollars and a lot of skull sweat. Think about if only a fraction of that went to linux kernel development, say something small, like 100 million dollars, 1/20th of what MS spends on "security research"
I am just amazed at this, it is just a staggering sum for those products and their "security features".
What would you think if almost all the code on your system was assembled by Microsoft -- even the third party stuff?
Strange. Bad. Awful.
But it's the reality with RPM, or even Apt/Emerge. The Linux distributions really have limited how much stuff the average user installs randomly from the net. But it's a temporary thing...Spyware for Linux isn't worth developing, because there aren't enough non-geek eyeballs to sell.
It's overall a pretty cool article, but the comparison I had made when talking to Ina was that spyware-assaulted Windows vs. the always-perfect nature of a fresh Knoppix CD is a surprisingly tough contest, and that people may be willing to give up their own ability to customize their system in return for the ability to protect the basic functionality of their system.
--Dan
Remember Microsoft declaring Bug Month?
http://slashdot.org/article.pl?sid=02/02/02/20122
"We are not coding new code as of today for the next month." Richard Purcell, director of the Microsoft's corporate computing office. That was February 2002.
The big shock for me was actually getting contacted by a Microsoft engineer requesting more information on a particularly bad CSS issue in IE6. I hadn't believed Bug Month was anything but PR till that point.
Then nothing got fixed. It's three years later and zero IE6 CSS flaws have been fixed. Zero.
There's no reason to expect better this time.
More like: It is because of the amazing popularity of Windows that we are targets of these attacks.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Why, exactly? If saving face motivates people to solve the problem, then I'm all for it. Frankly, I don't care if they fix the problem because they want to save face, impress their girlfriend or because little green men from the planet Weebo have told them to. I care about results. If the problem is fixed, the problem is fixed. Their motivation doesn't even enter my mind.
It does make sense. You have explicit knowledge of your creation because you participated in its specification, design, testing, field trials, etc. You are bound to the process used to create it so you're likely to overlook omissions or critical flaws in it. Would you do your own code review? Have you ever written an essay or something and discovered word omissions or sentences that appear to be disjoint in some fashion? For each problem that you find, how many do you end up missing? You see what you intended when you conceived the project and not necessarily what is there because you know what's supposed to be there.
That's why it's so useful to get people who are totally detached from the project to have a stab at finding problems. That's also why, when you write a novel or story, you have a friend edit it and likewise why your publisher employs copy editors instead of just taking your word for it.
~Someday, I hope to be an aspiring author.
I've seen a few posts already that are saying Microsoft is getting better. They fail to see the pattern here. Microsoft makes a product, consumers cry and whine, Microsoft fixes it in 5 or so years, happy-happy-joy-joy until...OH another problem. It was the same then, and it'll be the same now and onward with Microsoft. They don't actively work to solve problems before an outcry, they wait for the outcry. This is responsive thinking, and I don't like it one bit. I want a forward thinking company behind the software I use. A company that doesn't just wait until everyone hates their software before fixing it. Let me quote the article: "'It kind of hits people up here,' Thomlinson said, pointing to his head. 'Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut.'" Wait...where are you? A Microsoft run event? WOW! Maybe just MICROSOFT programmers are doing this... I don't want someone who acts like this making the software I use/buy. Someone who refuses to believe their software is broken until they see it. HELLO!! The millions of people being infected as a result of unpatched issues in your software should have been clue enough. "Oh hey, our software really can be exploited! Man...that sucks...think we should do something about it?"
It's really sad that they had several hundred engineers sitting around, getting taught lessons like this. 99% of the so-called hackers out there really aren't that great. And it's unlikely anything earthshattering here was used.
I find it truly surprising that not one single Microsoft Engineer could take it upon himself to discover these flaws beforehand. And that they were surprised by these results.
That tells me a lot about the Engineering talent. Hopefully some small change has been made in the mindset there. It would at least be a good small start; because one key thing about improving security is the mindset.
The best way to predict the future is to create it. - Peter Drucker.
Why, exactly? If saving face motivates people to solve the problem, then I'm all for it.
The problem is that saving face can be accomplished by only hiding the problem, or squelching discussion of it, or pretending it isn't there.
Saving face generally seems to take the path of least resistance, and implies a desire to not face the issue.
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
The context really matters here. If my boss sent me a quick e-mail saying, "Hey, I found a NULL pointer dereference in your device driver!" then I would thank him and fix it.
If same boss organized a conference and allowed SOMEONE ELSE to purposely expose my NULL pointer dereference by demonstrating that the mouse locks up or causes a seg fault or whatever, then I would feel that my boss was making a point: I'm an employee who is worth publicly humiliating.
I would find a new job.
Human being (n.): A genetically human, genetically distinct, functioning organism.
How long do you think it took Windows to reach the state it's in now? If you're looking at just the major changes there have been a LOT compared to other software. (Windows 95, 98, 2000, XP, not counting updates, ME, or versions older than 95 and the unreleased Longhorn). Has there EVER been a major series of software changes in history on this scale? The answer is a simple, no way.
Throw in the fact that nearly 90-something% of all computer software is designed to fit into a Windows environment, the billions of users who have accustomed themselves to Windows' own quirks and the ever present threat of losing marketshare to Apple or Linux and what you're asking is impossible. There is no magical development wand that can be waved and all of Microsoft's problems would be solved. This isn't a Linux project where every user personally works on and personally customizes their OS either. The most obvious solution for Windows to take is simple, 'if it isn't broken (enough), don't fix it (yet)'