Hackers, Meet Microsoft
Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully
lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."
In my previous company I tried to communicate with engineers. I was an engineer, but it's still damned hard. Programmers just don't "get it" without hard work. In the end, this kind of smack-in-the-face-by-the-real-world approach is what is needed.
I reckon it's because so many programmers have at least a touch of Asperger's. The number of times I'd try to explain that customers behave like monkeys, focusing on the wrong things, buying products for the wrong reasons. But these reasons aren't "wrong" if it means the difference between selling a product and not selling a product. That yes, it's "wrong" to buy a product because we've used Times Roman screenfonts but the competitor used Tahoma, but just change the goddamn font, OK?
Reminds me of the story about 1-Click from Amazon. After patiently explaining what he wanted, the developers all nodded and said, yes, they can do 1-click. A few weeks later the prototype is ready and Bezos tries it out. He clicks on a book. And up pops a dialog box that says "Are you sure?"..
Read about this in Cooper's book "The Inmates Are Running The Asylum."
K.
While what you say is certainly true, I'm not sure I buy that as a complete explanation.
Consider Apache vs. IIS...IIS is in the minority there, but which is more secure?
____
~ |rip/\/\aster /\/\onkey
I'm banking that I'm the first one to say this, and that there are at least a few reasonable moderators out there.
This represents a step in the right direction for Microsoft. Perhaps as a community we need to face the possibility that they may be changing. I read the entire article, and it seemed as if Microsoft genuinely wanted to change. I run Linux, and so do a lot of you, so it is understandable when a lot of you will deride Windows no matter what because it represents a competitor. I just don't buy into that philosophy, it doesn't hold much room for fair.
Giant Anti-Spyware, IE 7, and the anti-virus acquisitions are all good indications. Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them. Either that, or blows it so hard their customers (corporate and power user home) all look for more stable operating systems (hint: all other consumer desktops of any note run a Unix derivative of one sort or another).
It's like the old saying - three ways to do things: right way, wrong way, army way. Training recent graduates to the corporate culture only works if there are others coming in to stop it being an exercise in corporate narcissism, which is dangerous in a company like Microsoft that makes money by high volume, low development cost "good enough" software as distinct from the expensive low volume stuff you would trust to handle a stock exchange or air traffic control. If they aimed to be the best they would not be so successful, they would be undercut.
The guys writing the code need to be aware of what is going on in the rest of the world.
Linux these days is generally more secure out of the box. But when you install it, you really need to do a 'netstat -ln' and see what's open. Then set up a reasonable firewall. Your average idiot out there can't do this. (I use Gentoo, so I have absolutely no clue how other distributions handle this stuff, and I don't know what kind of blackbox firewall setups are out there.)
Linux can be less secure than Windows. Usually that's accomplished by turning on all sorts of crap that you don't need, not securing it, and not updating it.
Windows, by default, is a typical blackbox. The thing is an absolute mess. Years after they first appeared, we still have Outlook viruses that pop up every day. Web browsing with MSIE is like playing Russian Roulette. At least with Linux you don't have to worry about that as much. With Linux, you set the system up, and it stays set up that way for the most part. So many packages (malicious and legitimate) change settings in Windows, that it's nearly impossible sometimes to have a good picture of what is going on with your system.
I took a Windows system down on my home network because after one of my family used the thing for a few months I threw a traffic and systems analyzer on the thing and saw so much spyware and so many viruses on it that I couldn't justify letting the thing stay on my network. This was with Norton Antivirus running on it, mind you. As it is, any Windows installation I have is sectioned from the rest of the network for just that reason. They sit on their own subnet, can't talk to each other, can't talk to the LAN, and can only route out to the Internet.
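The "do a netstat -ln and see what's open" step from the post above, as an added example that is not part of any comment in this thread: a small POSIX sh script that reads `netstat -ln` style output, drops loopback-only binds, and reports every network-reachable listening port that is not on an allowlist. The sample netstat text and the allowlist of ports 22 and 80 are constructed for the example; on a real host you would pipe the live `netstat -ln` (or `ss -ltn`) output into the function instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening sockets against an allowlist.
# Input is text in the shape of `netstat -ln`; the sample below is constructed,
# not captured from a real machine.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock'

# Ports you expect to be reachable from the network (assumption for the example:
# only ssh and http are intended).
ALLOWED_PORTS="22 80"

# listening_ports: reads netstat -ln text on stdin and prints "proto port host"
# for each TCP/UDP socket bound to a non-loopback address. UNIX sockets and
# 127.0.0.1/::1 binds are skipped because they are not reachable from the LAN.
listening_ports() {
  awk '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
      addr = $4
      n = split(addr, parts, ":")
      port = parts[n]
      # everything before the last ":" is the bound address ("::" for :::80)
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "127.0.0.1" || host == "::1") next
      print $1, port, host
    }'
}

# unexpected_ports: reads netstat -ln text on stdin and prints only the exposed
# ports that are not in ALLOWED_PORTS. Empty output means nothing unexpected.
unexpected_ports() {
  listening_ports | while read -r proto port host; do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;                      # allowlisted, say nothing
      *) echo "$proto $port $host" ;;      # exposed and not expected
    esac
  done
}

# Stand-alone run over the constructed sample; on a live host use:
#   netstat -ln | unexpected_ports
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports
```

With the sample input this reports the portmapper on tcp/111 and the DHCP client on udp/68, which is exactly the kind of "turned on but never needed" service the post warns about; the list is what you then feed into the firewall rules or the service you switch off.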
Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing.
Exactly. Working for a major Systems Integrator, our customer actually has a special team of people who do nothing but hack systems, and recommend security changes to the products they buy.
We thought we had locked down our systems pretty well. They turned it out pretty good, and produced a 92-page report. (of course, some of it was gratuitous).
However, the end result: slapping security changes onto an already-developed product results in a whole lot of breakage. This lesson will benefit our NEXT customer. And it will really, really hurt our current customer. The lesson? Security should be designed into a system from the start.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
No, it's not. Say you work for Microsoft, and your job deals with the NTFS filesystem. You have done everything in your power to make your system secure, but you still have to depend on other coworkers making their systems secure as well. So someone on the wireless team screws up and has a flaw. The exploit demoed uses the power of NTFS against itself to hide a virus. If I was that NTFS programmer, you're damn right I'd be upset, because you know when that bug hits the virus databases, the exploit description will include something about using a flaw in NTFS, even if the code is working exactly as it is supposed to. My work gets blamed even if it's something else that led to the exploit.
That is the crux of the matter. I have written programs for clients and it is a mega mess of calls and strange crazy links etc. They change things as soon as you learn how to do something useful. And they don't really support the areas they should.
All software has a life cycle. And Windows has reached the end of its life. Any decent software engineer will tell you after a while if you are patching it this hard. All you're doing is patching patches! And definitely doing that will cause more problems. Like a room full of mouse traps loaded with ping pong balls. Toss one in and after a while they will all be triggered.
Wonder how much of windows is real code vs patched.
It would not surprise me to see Microsoft doing an Apple after Longhorn of creating a new Windows OS from scratch and praying that LH will hold until it comes out. Which would be that date of 2010 that was floated on a memo a while back. Apple did this when small and survived. And MS can do it now but can't postpone much longer.
With Dell making noises about putting OS X on their boxes if offered could force Microsoft to finally do the correct thing and make a real secure Windows from scratch. It will break 20 year old software but is it better to do that than be a leaking bucket of patches covering broken code! That no one wants to buy or use.
It wasn't so much the question, as the unexpected nature of it. I'd just finished talking about very different things -- video over DNS, backtunnelling through dual-hosted name servers, etc -- and it had been about 20 minutes since I'd mentioned that, *if* someone asked, I'd show what was wrong with MD5.
No matter. This guy -- I had no idea who he was at the time -- heard something he needed to precisely understand, and got his answer at his first opportunity.
It's kind of cool that senior management at Microsoft a) showed up at an internal hacker con and b) knew enough to not only understand what I was talking about, but was interested enough to demand more.
Dude. Have you met anyone in senior management? There's a reason so many people relate to the Dilbert PHB.
Nope, it's not being phased out.
.NET code that was supposed to be an all new API is being removed to speed up the deadline. Avalon is being back ported to Windows XP. WinFS is being dropped due to it being too big of a concept and MSFT doesn't have anyone to copy off of.
the managed
Longhorn I hoped would have been a complete rewrite. It failed. There is not a single new innovative feature in Longhorn now. Spotlight searches fast and effective, on all but networked drives. GPU-driven displays: OS X and a large number of X servers (SGI's).
New remote command shell is a combination of AppleScript and a Python interpreter. It would have been cool but it's been delayed.
Yet somewhere MSFT found the time to make their own BitTorrent P2P client and server setups. I guess it shows where MSFT lays its priorities. An app that won't bring them cash or their Next Generation OS.
i thought once I was found, but it was only a dream.
There are few motivations as powerful as public humiliation.