Slashdot Mirror


Hackers, Meet Microsoft

Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."

6 of 496 comments

  1. HEY TIMOTHY! SUCK ANY MORE COCK TODAY! FAGGOT! by Anonymous Coward · · Score: -1, Troll

    In a twisted way of measuring popularity, it looks like Britney Spears tops the list. According to Panda Software and 7 years' worth of infected messages, Britney's name was used most in attempts to get users to open malicious e-mails. Rounding out the top 5 were Bill Gates, Jennifer Lopez, Shakira, and Osama Bin Laden. Other notables include Bill Clinton, Pamela Anderson, and, of course, Anna Kournikova. All the names on the list have been used multiple times with different tag lines. The names of these celebrities are used in coordination with misleading promises of illicit pictures or late-breaking news to tempt users into opening an infected e-mail attachment or to click on a bogus link. Are we really this stupid? Do we really think these unsolicited messages will lead to pictures of Osama being hanged, or video of Michael Jackson? It also amazes me that some of these names seem a little dated. Pamela Anderson? And are guys really that desperate to see nude pictures of celebrities? We must be, because these attackers pick on us for a reason: it works. Social engineering will always work because people will always be able to be fooled. I guess I just assumed people would figure out how to spot fakes after a while. How many times do you have to click on the link to realize there isn't really a picture?

  2. Re:well, it's a start, but a late one by Anonymous Coward · · Score: -1, Troll

    fag

  3. Re:Can We Get Firefox Developers To Do This, Too? by zifferent · · Score: 0, Troll

    What kind of FUD is this?

    Astroturf isn't going to be unanswered on my Slashdot!

    Make no mistake. This is a stunt, and I'm not going to stand for it!

    M$ doesn't really care about security, and if they didn't have Linux and Firefox breathing down their neck their security record would keep getting worse.

    Mark my words, M$ products will continue to writhe in the security dumps, because they are a closed source company at the end of their upgrade rope. They can't even get ppl to switch to XP! How the heck are they going to get ppl to switch to Longhorn?

    I'll tell you how. By heaping on pointless features and adding cruft, and blathering on about how important the new widget is. That's the only way to sell the next generation OS and office suite.

    But while M$ continues to rebuild much of their code from scratch (and introduce plenty of new bugs and security flaws in the process), Linux and BSD will continue to build upon stable code bases and will only become more stable.

    From here on in the Cathedral model of OS development is going to fail them.

    Onward LINUX soldiers!

    --
    cat sig > /dev/null

  4. Re:Can We Get Firefox Developers To Do This, Too? by kosmosik · · Score: 0, Troll

    > And let's not forget that Netscape
    > provided Microsoft with some much-
    > appreciated help in taking over the Web,
    > by screwing up their own release schedule
    > so badly that there never was a Netscape
    > 5.0.

    Let's not forget that MS leveraged their monopoly on operating systems to give their browser away for free while still being able to operate (financially). Netscape was just killed by MS. The lack of a version 5 release was an effect, not a cause.

    > They are aiming to be the top of the heap
    > in security, and they've got drive, ambition
    > and aggression.

    Too bad they still have serious problems here. Like things got better inside corporate networks etc. (but it is not like it is an MS-only achievement - an entire market was generated around Windows lack-of-security). But it still *is* an issue.

    > Make no mistake, this kind of event is
    > exactly what a company that wants to get
    > secure should be doing.

    No, publishing some marketing stuff with phrases like "hackers are hacking Windows and everybody is happy" is like PR/marketing bullshit.

    Face it - now the real crackers (I mean virus writing etc.) are working for profit - under the wings of multinational organizations. This is no longer an underappreciated-geek-thing - this whole security business is about money. Not some "blue hats" (WTF are they?) - it is like - you crack a system -> you get profit from it. Marketing stupid names like "blue hats" is not going to change much.

    (...)
    > These things say to me that, within a few
    > years, we're going to see some really damn
    > secure stuff coming out of Microsoft.

    Yeah - like say it a gazillion times and it will become truth. It is not like MS has not made any secure product. The opinion (MS -> insecure) comes from the fact that MS had done some unsecure products before. Yelling "WEEE ARE ALL ABOUT SECURITY DADADADA ETC." won't change much unless there are noticeable changes in their security practices. Right now I see a problem with MSIE (in general - entire system) - when you ask the video driver to draw a very huge bitmap the system hangs... It works for +/-50% of systems (my research, even if it would be 5% it is still an issue). And guess what - you won't find MS talking about this *problem*. So how do they handle security?

  5. ... and I am an alcoholic ... by xqcom · · Score: 0, Troll

    The first step to fixing a problem is an organization wide acceptance that the problem is real. This kind of a meeting between the "establishment" and "hackers" is so unprecedented, I can only assume that Microsoft is totally serious about fixing security.

    The one thing we do know from the Netscape vs IE war is that when Microsoft puts its mind to it, they are capable of working miracles. The same story goes for the WinCE vs Palm OS war. So I am quite confident that Microsoft will eventually be able to deliver its promise of a "secure computing environment".

    Maybe Microsoft will have to make some drastic changes to the OS to get there, but then Apple had to do the same to get where they are today with OSX.

    In the spirit of full disclosure, I run both WinXP and MAC OSX at home, and own MSFT stock :)

    --
    Denial is not a river in Egypt

  6. Re:Can We Get Firefox Developers To Do This, Too? by Daniel+Phillips · · Score: -1, Troll

    > Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

    Microsoft did not beat Netscape on product quality as much as illegal monopolizing tactics. Your argument by analogy breaks down here. This time, Microsoft does not have any obvious way to fix its problems by gaming the system, which may help explain why, two years after promises that everything was going to change, Microsoft is still flopping around like a fish out of water in the security space.

    --
    Have you got your LWN subscription yet?