Slashdot Mirror


Hackers, Meet Microsoft

Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."

114 of 496 comments

  1. So, uh, during that hushed silence by Neil Blender · · Score: 5, Funny

    What were they thinking? "Oh, shit, our OS isn't secure?"

    1. Re:So, uh, during that hushed silence by halltk1983 · · Score: 5, Funny

      I think it was more along the lines of "I hope the boss doesn't get this or he'll find my pr0n stash on the corporate laptop"

      --
      Watch for Penguins, they eat Apples and throw rocks at Windows.
    2. Re:So, uh, during that hushed silence by WillAffleckUW · · Score: 5, Funny

      What were they thinking? "Oh, shit, our OS isn't secure?"

      More likely:

      "How can we spin this from bad to good?"

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:So, uh, during that hushed silence by Anonymous Writer · · Score: 4, Funny

      Answer:

      "That is a feature, not a bug"

    4. Re:So, uh, during that hushed silence by Lord Ender · · Score: 5, Insightful

      More like: It is because of the amazing popularity of Windows that we are targets of these attacks.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:So, uh, during that hushed silence by dtfinch · · Score: 3, Funny

      Now spin that from bad to good.

    6. Re:So, uh, during that hushed silence by Infinityis · · Score: 5, Funny

      Probably something along the lines of "At least our TCO is lower..."

    7. Re:So, uh, during that hushed silence by Junior J. Junior III · · Score: 2, Funny

      It's true. Total Cost of 0wnz0rship is much less with MS Windows. Ask any black hat and they'll tell you, the tools and training necessary to take over a box running Windows are much less than for a box running BSD or Linux.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
  2. Corporate Color by DavidLeblond · · Score: 5, Funny

    The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

    Must... not... make... obvious... BSOD comment.... aughhh!

    1. Re:Corporate Color by nachoboy · · Score: 4, Informative

      The blue is actually a reference to the color of the square around your photograph on the Microsoft corporate cardkey. Only full-time employees of Microsoft have blue borders. Contractors and vendors have an orange border. Events for Microsoft employees only are typically referred to as "blue-badge only."

    2. Re:Corporate Color by LifesABeach · · Score: 3, Funny

      I'm a little concerned about the hackers 'invited' to attend this conference. You see, school is still in session, and did the parents, or legal guardians of the 'invited' ones sign a 'parent permission' slip? Just a thought, but would any of these hackers happily admit to still wearing super hero underwear?

  3. How about 'Blue Screen' ? by bani · · Score: 3, Funny

    To me, it's a far more fitting name.

  4. Re:Blue? by nxtr · · Score: 5, Funny

    Come to think of it.... BLUE screen!

  5. Good start by Jason1729 · · Score: 3, Insightful

    But will MS actually do anything?

    It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

    1. Re:Good start by StupidHelpDeskGuy · · Score: 2, Insightful

      True, but I am sure you have a few arrogant coders at your place of business. A few senior level coders certainly have an over inflated sense of self where I work. An experience like this would probably be beneficial in and of itself.

    2. Re:Good start by dpilot · · Score: 4, Insightful

      > But will MS actually do anything?

      But *can* MS actually do anything?

      Given the bowl of spaghetti called nearly 2 decades of Windows, how much freedom of action do they really have to clean things up? Tug at a strand here to fix it, and who knows where the other end is? How many side effects will there be from that one fix? Yet at the same time, their market power is based on Windows and their code base. Force too big a migration, too much retraining, and it might well turn into a different kind of migration - to someone else's platform.

      They've got a ticklish and tough job ahead. But then again, they did it to themselves.

      --
      The living have better things to do than to continue hating the dead.
    3. Re:Good start by still_sick · · Score: 5, Insightful

      It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

      I think it's a matter of levels. Sure, they doubtless know about all the holes in the code or whatever (being the ones that, y'know, PATCH it) - but it's a totally different understanding than that of an expert user.

      It's like an Automotive Engineer and a Mechanic. They both "know" essentially the same things about any specific car. But it's their viewpoints and specific backgrounds that make their individual understandings both unique and useful.

      --
      ...Also, I didn't know Buggalo could fly.
    4. Re:Good start by dbIII · · Score: 4, Interesting
      Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.
      Possibly not. Isn't it the policy at Microsoft to almost exclusively hire recent graduates that haven't worked elsewhere? Even a monoculture of the best graduates is still a monoculture, and it is quite likely that they are not aware of things that are common knowledge elsewhere. Bringing in others gave us NT - not bringing in others gave us Outlook, IE in a state of near abandonment for years, ping so far off standard you could use it to crash servers and a whole lot of software in which it is obvious that little thought of security or even networking was involved.

      It's like the old saying - three ways to do things: right way, wrong way, army way. Training recent graduates to the corporate culture only works if there are others coming in to stop it being an exercise in corporate narcissism, which is dangerous in a company like Microsoft that makes money by high volume, low development cost "good enough" software as distinct from the expensive low volume stuff you would trust to handle a stock exchange or air traffic control. If they aimed to be the best they would not be so successful, they would be undercut.

      The guys writing the code need to be aware of what is going on in the rest of the world.

    5. Re:Good start by SWTP_OS9 · · Score: 3, Interesting

      That is the crux of the matter. I have written programs for clients and it is a mega mess of calls and strange crazy links etc. They change things as soon as you learn how to do something useful. And they don't really support the areas they should.

      All software has a life cycle. And Windows has reached the end of its life. Any decent software engineer will tell you that after a while, if you are patching it this hard, all you're doing is patching patches! And definitely doing that will cause more problems. Like a room full of mousetraps loaded with ping pong balls. Toss one in and after a while they will all be triggered.

      Wonder how much of Windows is real code vs. patched.

      It would not surprise me to see Microsoft doing an Apple after Longhorn, creating a new Windows OS from scratch and praying that LH will hold until it comes out. Which would be that date of 2010 that was floated on a memo a while back. Apple did this when small and survived. And MS can do it now but can't postpone much longer.

      With Dell making noises about putting OS X on their boxes if offered, Microsoft could be forced to finally do the correct thing and make a really secure Windows from scratch. It will break 20-year-old software, but is it better to do that than be a leaking bucket of patches covering broken code that no one wants to buy or use?

    6. Re:Good start by drsmithy · · Score: 4, Informative
      It would not surprise me to see Microsoft doing an Apple after Longhorn, creating a new Windows OS from scratch and praying that LH will hold until it comes out.

      Apple didn't create a new OS from scratch, they bought an existing one - NeXT (although many will argue Apple bought Steve Jobs and NeXT was a nice bonus).

      Moreover, since NeXT was actually released for the first time way back in 1989, OS X's codebase is actually around 4 years *older* than Windows NT's.

      Apple did this when small and survived. And MS can do it now but can't postpone much longer.

      Microsoft will not create another from-scratch OS in the foreseeable future. There is simply no need. Technically and architecturally NT is just as good as any of its contemporaries. 99% of problems in Windows come from legacy support (being phased out with .NET, x86-64 also providing a convenient excuse) and less than ideal default settings (hopefully on the way out with LH).

    7. Re:Good start by peragrin · · Score: 4, Interesting

      Nope, it's not being phased out.

      The managed .NET code that was supposed to be an all-new API is being removed to speed up the deadline. Avalon is being back-ported to Windows XP. WinFS is being dropped due to it being too big of a concept and MSFT doesn't have anyone to copy off of.

      Longhorn, I hoped, would have been a complete rewrite. It failed. There is not a single new innovative feature in Longhorn now. Spotlight searches fast and effectively, on all but networked drives. GPU-driven displays: OS X and a large number of X servers (SGI's).

      The new remote command shell is a combination of AppleScript and a Python interpreter. It would have been cool but it's been delayed.

      Yet somewhere MSFT found the time to make their own BitTorrent P2P client and server setups. I guess it shows where MSFT lays its priorities: an app that won't bring them cash, or their Next Generation OS.

      --
      i thought once I was found, but it was only a dream.
    8. Re:Good start by zbuffered · · Score: 3, Informative

      Like the article, your post contains no commentary on the actual nature of the specific Windows problems demonstrated at "Blue Hat".

      Using tools like void11, you can disconnect wireless clients. Windows automatically attempts to reconnect to the WAP. If you've got an identically-named WAP and you can overpower their WAP, they'll connect to yours instead. They won't be notified, and will think that they are on their own network. Which doesn't matter too much because you could alternately just sniff all their traffic (or even inject your own) without setting up a WAP of your own.

      There's a lot that MS can do about it, and code written 2 decades ago has absolutely no bearing on it.

      --
      Synergy is your friend
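The attack zbuffered describes above has two observable symptoms on the air: a burst of deauthentication frames that knocks clients off, and a second transmitter beaconing the victim network's SSID. The following detector is an added example, not code from the thread or from any poster; it runs over a constructed list of 802.11 management-frame records (the field names, the allowlist of known access points and the flood thresholds are all assumptions for the example) and flags both symptoms, which is what a wireless IDS or a defender's monitoring script would look for.

```python
"""Added example: monitor-side detection of a deauth flood followed by a
rogue AP advertising a known SSID. All frame records are constructed for
the example; field names and thresholds are assumptions, not any real
tool's output format."""

from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example.
DEAUTH_WINDOW_SECONDS = 10
DEAUTH_FLOOD_THRESHOLD = 20


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # seconds since capture start
    subtype: str   # "beacon", "deauth", ...
    src: str       # transmitter address (the BSSID for beacons)
    ssid: str      # network name ("" for frames that carry none)
    rssi: int      # signal strength in dBm


def deauth_floods(frames, window=DEAUTH_WINDOW_SECONDS, threshold=DEAUTH_FLOOD_THRESHOLD):
    """Return {src: peak_count} for transmitters that sent >= threshold deauth
    frames inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            by_src[f.src].append(f.ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        left = 0
        peak = 0
        for right, t in enumerate(times):
            # Slide the left edge until the window fits.
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def ssid_collisions(frames, known_aps):
    """Return {ssid: [unexpected BSSIDs]} for beacons that advertise an SSID
    from a BSSID not on the allowlist for that SSID (evil-twin candidates)."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == "beacon" and f.ssid:
            seen[f.ssid].add(f.src)
    result = {}
    for ssid, bssids in seen.items():
        rogue = sorted(b for b in bssids if b not in known_aps.get(ssid, set()))
        if rogue:
            result[ssid] = rogue
    return result


def build_sample_capture():
    """Constructed capture: legitimate beacons, then a deauth burst, then a
    second BSSID beaconing the same SSID with a stronger signal."""
    frames = []
    for i in range(50):                      # legitimate AP, one beacon per 0.1 s
        frames.append(MgmtFrame(i * 0.1, "beacon", "00:11:22:33:44:55", "CorpWifi", -60))
    for i in range(30):                      # 30 deauths in 3 s from an unknown transmitter
        frames.append(MgmtFrame(5.0 + i * 0.1, "deauth", "de:ad:be:ef:00:01", "", -40))
    for i in range(20):                      # same transmitter now beacons "CorpWifi"
        frames.append(MgmtFrame(8.0 + i * 0.1, "beacon", "de:ad:be:ef:00:01", "CorpWifi", -35))
    return frames


# Assumed allowlist: which BSSIDs are allowed to advertise each SSID.
KNOWN_APS = {"CorpWifi": {"00:11:22:33:44:55"}}


def analyze(frames, known_aps=KNOWN_APS):
    """Run both checks and return their findings together."""
    return {
        "deauth_floods": deauth_floods(frames),
        "ssid_collisions": ssid_collisions(frames, known_aps),
    }


if __name__ == "__main__":
    print(analyze(build_sample_capture()))
```

On the constructed capture the deauth check reports the unknown transmitter with a peak of 30 frames in the window, and the SSID check reports that same address as an unexpected BSSID for "CorpWifi"; either finding alone is worth an alert, and the two together in sequence are the signature of the reconnect-hijack the comment describes.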
    9. Re:Good start by Fallen_Knight · · Score: 2, Insightful

      Not to mention today's grads don't have the skill of the former.

      It used to be you loved CS to go into it; now many do it just for a quick buck or a job.

      I'm in 3rd year at SFU, and most people I know can't program worth a damn. Pointers, multi-threaded stuff, assembler confuse many of them. Some never used anything but Java until this year! And then here I am sitting in CMPT 300 as the teacher tries to teach C++ to most of the class and THEN teach OS and threads. Sad.

      Skill level has come way down. There are some good ones I've met, but when I look at some teachers' code and find errors, and see the general lack of skill... Most of the skilled people I know are still only skilled at the application level and usually with Java. So very few who know asm/C and how to do low-level on-the-metal stuff.

      The best teacher I had was one who had worked in a lot of companies; he knew his shit. Then I got a new young guy next semester, just out of school and did research; his code sucked. He just didn't know things.

      The guys writing the core code of an operating system should be old veterans, because they know what works, and they've been around forever and seen it all. I don't care what school anyone's come from, or how smart you think you are.

      I work on Windows device drivers; I know how hard it is to even do low-level work, let alone do it right. My dad's been doing drivers for 20+ years now. I'll see something and think, oh, in school, or this way is better, and most of the time he's like no, the school way is wrong because XXXX and such. Stuff you wouldn't know unless you'd seen it done, and fail.

      Experience is worth way more than any school. Sad that the people who hire don't realize that.

    10. Re:Good start by SuperDuperMan · · Score: 3, Insightful

      Microsoft can't put every single one of their thousands of programmers on a single task like working on Windows.

      And it's not like they are understaffed on the OS team. Adding more programmers to a project does not ensure success and may actually make the process take longer.

    11. Re:Good start by Anonymous Coward · · Score: 3, Insightful

      Idiot. MS *Research* wrote a *paper* about some peer-to-peer technology. They have near free rein; indeed, it's one of the only research labs left that do. This has nothing to do with corporate priorities.

      Slashdot responses about MS and BitTorrent are just FUD.

    12. Re:Good start by peragrin · · Score: 2, Insightful

      Very true, but when you're cutting features that you have promised for the past 6 years just to get the product out the door, something is seriously wrong.

      Since XP was released:

      OS X has matured into a great product getting faster and better with each release.

      Linux has gone from hard to install for the average person to being easy.

      BeOS has come back from the dead.

      Sky OS was completely written by a lone programmer (1999-2005), including drivers and a full GUI.

      Now MSFT outnumbers all those companies/people, by 10 to 1 in the case of Apple. Why can smaller companies produce more unique software faster than MSFT can? The size of the apps is the same. They can do similar things to MS offerings. Yet MSFT can't keep up.

      --
      i thought once I was found, but it was only a dream.
  6. Puzzled: why get angry? by shm · · Score: 5, Funny

    From TFA, "... some of the engineers were turning red, becoming obviously angry at the demo hacking incident ..."

    I would think they would be looking at their shoes.

    1. Re:Puzzled: why get angry? by Hockney Twang · · Score: 5, Insightful

      Contrary to popular belief, most of these developers aren't intentionally releasing what they know to be insecure code. They test it beforehand, and sign their work. They are making what they believe to be a good effort at security.

      Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool. It's natural to be angry, and hopefully it will only inspire them to greater vigilance in an attempt to save face.

    2. Re:Puzzled: why get angry? by bani · · Score: 5, Insightful

      Saving face is exactly the wrong motivation to fix security problems.

      If it takes public embarrassment to get these engineers to take problems seriously, then they're totally fucked.

    3. Re:Puzzled: why get angry? by Usquebaugh · · Score: 2, Insightful

      I would not be angry I'd be ashamed.

      I'm always open to somebody trashing my code. If they can trash it I need to learn what flaws I'm not aware of that I'm coding.

    4. Re:Puzzled: why get angry? by Nobody You Know · · Score: 3, Interesting
      No. It's stupid and immature to be angry. Embarrassed and apologetic would be more appropriate. It would then be a good idea to ask for help and admit that you made a big mistake.

      No, it's not. Say you work for Microsoft, and your job deals with the NTFS filesystem. You have done everything in your power to make your system secure, but you still have to depend on other coworkers making their systems secure as well. So someone on the wireless team screws up and has a flaw. The exploit demoed uses the power of NTFS against itself to hide a virus. If I was that NTFS programmer, you're damn right I'd be upset, because you know when that bug hits the virus databases, the exploit description will include something about using a flaw in NTFS, even if the code is working exactly as it is supposed to. My work gets blamed even if it's something else that led to the exploit.

    5. Re:Puzzled: why get angry? by Nobody You Know · · Score: 4, Insightful
      Saving face is exactly the wrong motivation to fix security problems.

      Why, exactly? If saving face motivates people to solve the problem, then I'm all for it. Frankly, I don't care if they fix the problem because they want to save face, impress their girlfriend or because little green men from the planet Weebo have told them to. I care about results. If the problem is fixed, the problem is fixed. Their motivation doesn't even enter my mind.

    6. Re:Puzzled: why get angry? by GT_Alias · · Score: 4, Interesting

      There are few motivations as powerful as public humiliation.

    7. Re:Puzzled: why get angry? by SteeldrivingJon · · Score: 4, Insightful

      Why, exactly? If saving face motivates people to solve the problem, then I'm all for it.

      The problem is that saving face can be accomplished by only hiding the problem, or squelching discussion of it, or pretending it isn't there.

      Saving face generally seems to take the path of least resistance, and implies a desire to not face the issue.

      --
      September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
  7. SLow but steady, Microsoft rises from the ashes... by nugneant · · Score: 3, Funny

    ...like a Phoenix. Slowly, people are catching on. I mean, this HAD to raise some eyebrows.

    It's one thing to read about this on the internet - people say all sorts of things on the internet and you learn to tune it out after a while.

    But seeing it in front of your own very eyes, watching the hack attack commence in the blink of an eye, the pulse of a heartbeat, the shiver of a twitch, the essence of a raindrop, the flash of an instant, with the click of flint before it ignites the gunpowder in a Civil War era cannon-- etc-- it's shocking.

    And so, ten years later, after learning from the hackers, their once-sworn enemies, the Great Microsoft rose to became Operating System: NWO. And that, my children, is the story of how Herr Syrs Bill Gates and Al Gore created and patented the internet.

  8. Hey! by Mr2cents · · Score: 4, Funny

    The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

    Hey, IBM is Mr. Blue! Microsoft is Mr. Pink!

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  9. Pay outs by 1967mustangman · · Score: 5, Insightful

    So Microsoft has what, like 50 billion in cash reserves? Why don't they just do a bug bounty and pay like $50 a bug. Like Mozilla did. 50 billion/50 = 1 billion bugs they could find and fix; that would have to make some kind of dent, right....................oh wait, never mind.

    --
    Madre de Dios! Es El Pollo Diablo! -- Captain Blondebeard
    1. Re:Pay outs by umofomia · · Score: 5, Informative
      They returned over 25 billion to their shareholders via tax free dividends.
      Where'd you get the impression that it was tax free? People who received the dividends still had to pay taxes on it (though it was treated separately from normal income).

      From http://www.microsoft.com/msft/FAQ/faqdividend.mspx :

      What is the tax treatment of the special dividend?
      The special dividend, along with the November 2004 quarterly dividend, was treated as "qualified dividend income" for U.S. federal income tax purposes. These dividends may also be considered "extraordinary" under the U.S. federal income tax rules depending on the facts and circumstances of the stockholder. Treatment as extraordinary may affect a corporate shareholder's basis in its Microsoft stock or, with respect to individual shareholders, may affect the tax characterization of a sale of their Microsoft shares. Thus, we strongly urge each stockholder to consult with their tax advisor regarding their specific tax treatment of these dividends including all applicable state, local, foreign and U.S. federal tax considerations.
  10. I was sure it was green by djKing · · Score: 5, Funny

    M$'s corporate color is blue? Could have sworn it was green.

    - Peace

    --
    Free as in "the Truth shall set you..."
  11. well, it's a start, but a late one by yagu · · Score: 4, Insightful
    The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered.

    At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

    "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.

    First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks. Second, this whole article is a bit of a puff piece; it seems designed to put Microsoft in the best light, "Can't we all just get along?".

    Good for Microsoft that they're willing to do this kind of thing... shame on them for waiting until five years into the 21st Century. While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line, maybe that kind of pressure will finally be enough to get them to clean up their mess, if only a little bit.

    1. Re:well, it's a start, but a late one by tktk · · Score: 2, Interesting
      Yeah...but did anyone actually test them? If I were a senior manager, I would have raised my hand too.

      Too bad about the other two. I guess they don't have enough guile to be promoted any further.

    2. Re:well, it's a start, but a late one by TripMaster Monkey · · Score: 2, Insightful

      At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

      "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.
      Anyone can say that they have knowledge of a particular issue...how many of these vice-presidents actually went on to demonstrate that knowledge? I'm guessing zero.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:well, it's a start, but a late one by njcoder · · Score: 3, Funny

      When questioned further... "Oh! I thought you meant SHEEP attacks. That damn Chupacabra!"

    4. Re:well, it's a start, but a late one by neil.pearce · · Score: 3, Funny

      how many of these vice-presidents actually went on to demonstrate that knowledge?

      Give them credit.

      How many of 'em have sat in their lounge, constructing
      a heap of crisp $100 bills from their annual bonus,
      only to find it "overflowing" into the kitchen.

    5. Re:well, it's a start, but a late one by lheal · · Score: 2, Insightful
      While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line

      To Microsoft, security is about features. A built-in "firewall", VPN, encryption of this or that, trusted something or other. Applets and wizards.

      They're basically stuck in that position, too. The cash cow is actually layer upon layer of such features, fundamentally designed for a different, and far less ambitious, job than it's now asked to perform.

      I'd better stop, or I'll go into full-on rant mode. Oops, too late.

      Windows needs a complete rewrite, but that's not enough. If they did that now, they'd wind up with the same sorts of problems they currently have.

      Even a total refocus on security is not enough. They have to change who they are as a company. They have to change the mindset that says that software's value is determined solely by how much revenue it produces.

      To a software business the value of a product can be measured by how much money it makes, but it's an unholy error of the stupidest freshman sort to value individual parts of the design by how much they'll bring in. Some parts are so essential, and some phases of design so vital, that without them the overall product falls on its face.

      The marketplace doesn't know enough about the inner workings of your product to tell you what value to place on any particular phase of design. The market (eventually) tells you how well it likes the finished product versus your competitor's, but hidden design processes aren't part of the comparison.

      Security has got to be considered at every step of the design process. It follows along with robustness, portability, scalability, and overall algorithmic soundness.

      I have a suggestion for you Microsoft design managers out there, for the next time your boss says, "Hey, let's make [X] really easy - that would really sell!". Don't just nod. Look at them and say, "Maybe, but it would also be simple to exploit."

      The response will tell you how far the focus has really shifted.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
  12. "End of an era"? by TripMaster Monkey · · Score: 3, Informative

    From TFA:

    "The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."

    Funny...the Fedora install on my laptop seems fairly customizable and fairly secure all at once...
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:"End of an era"? by TripMaster Monkey · · Score: 3, Interesting

      While what you say is certainly true, I'm not sure I buy that as a complete explanation.

      Consider Apache vs. IIS...IIS is in the minority there, but which is more secure?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:"End of an era"? by Randseed · · Score: 4, Interesting
      It depends. That seems to usually be the bottom line in this kind of thing.

      Linux these days is generally more secure out of the box. But when you install it, you really need to do a 'netstat -ln' and see what's open. Then set up a reasonable firewall. Your average idiot out there can't do this. (I use Gentoo, so I have absolutely no clue how other distributions handle this stuff, and I don't know what kind of blackbox firewall setups are out there.)

      Linux can be less secure than Windows. Usually that's accomplished by turning on all sorts of crap that you don't need, not securing it, and not updating it.

      Windows, by default, is a typical blackbox. The thing is an absolute mess. Years after they first appeared, we still have Outlook viruses that pop up every day. Web browsing with MSIE is like playing Russian Roulette. At least with Linux you don't have to worry about that as much. With Linux, you set the system up, and it stays set up that way for the most part. So many packages (malicious and legitimate) change settings in Windows, that it's nearly impossible sometimes to have a good picture of what is going on with your system.

      I took a Windows system down on my home network because after one of my family used the thing for a few months I threw a traffic and systems analyzer on the thing and saw so much spyware and so many viruses on it that I couldn't justify letting the thing stay on my network. This was with Norton Antivirus running on it, mind you. As it is, any Windows installation I have is sectioned from the rest of the network for just that reason. They sit on their own subnet, can't talk to each other, can't talk to the LAN, and can only route out to the Internet.
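Randseed's advice to run `netstat -ln` after install and "see what's open" is the right check, but reading the output by eye does not scale and is easy to get wrong. The script below is an added example, not part of the thread or any poster's work: it parses the Linux net-tools format that `netstat -ln` prints (the sample output and the allowlist of expected services are constructed for the example) and reports every listening socket bound to all interfaces that is not on the allowlist, ignoring loopback-only services because those are not reachable from the network. Feeding it real output would be done with `subprocess`, which is left out so the block runs offline.

```python
"""Added example: turn 'run netstat -ln and see what's open' into a
repeatable check. The netstat output and the allowlist are constructed
for the example and are not from any real host."""

import re
from dataclasses import dataclass

# Constructed sample of `netstat -ln` output (Linux net-tools format).
SAMPLE_NETSTAT_LN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/dbus/system_bus_socket
"""

# Assumed allowlist: the (proto, port) pairs this host is meant to expose.
ALLOWED = {("tcp", 22), ("tcp", 80)}

# proto, recv-q, send-q, local address, foreign address, optional state
_LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"; the IPv6 variants are folded in
    addr: str    # bound address, "*" when bound to every interface
    port: int


def parse_netstat_ln(text):
    """Extract listening TCP/UDP sockets from netstat -ln output."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headers and UNIX-domain sockets
        proto, local, state = m.groups()
        # UDP rows have no state column; TCP rows must be LISTEN to count.
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")   # handles ":::80" as well
        if addr in ("0.0.0.0", "::"):
            addr = "*"
        listeners.append(Listener(proto.rstrip("6"), addr, int(port)))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED):
    """Sockets reachable from other hosts that are not on the allowlist.
    Loopback-only sockets are skipped: they are not exposed to the network."""
    return [s for s in listeners if s.addr == "*" and (s.proto, s.port) not in allowed]


if __name__ == "__main__":
    for s in unexpected_listeners(parse_netstat_ln(SAMPLE_NETSTAT_LN)):
        print(f"unexpected listener: {s.proto}/{s.port} bound to {s.addr}")
```

On the constructed sample the report names tcp/111 (portmapper), udp/68 and udp/5353 as exposed services nobody allowlisted, while the CUPS socket on 127.0.0.1:631 is left alone; that is the list a firewall rule set or a service cleanup should then address.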

    3. Re:"End of an era"? by Effugas · · Score: 2, Insightful

      What would you think if almost all the code on your system was assembled by Microsoft -- even the third party stuff?

      Strange. Bad. Awful.

      But it's the reality with RPM, or even Apt/Emerge. The Linux distributions really have limited how much stuff the average user installs randomly from the net. But it's a temporary thing...Spyware for Linux isn't worth developing, because there aren't enough non-geek eyeballs to sell.

      It's overall a pretty cool article, but the comparison I had made when talking to Ina was that spyware-assaulted Windows vs. the always-perfect nature of a fresh Knoppix CD is a surprisingly tough contest, and that people may be willing to give up their own ability to customize their system in return for the ability to protect the basic functionality of their system.

      --Dan

  13. Silence of the Lambs by WillAffleckUW · · Score: 3, Funny

    would be more appropriate than Blue Hat conference.

    --
    -- Tigger warning: This post may contain tiggers! --
  14. Wait for it, Wait for it... by kryogen1x · · Score: 3, Funny

    How many Red Hat jokes are going to be made now?

  15. And a fatal error... by CPNABEND · · Score: 2, Funny

    Resulted in the BLUE screen of death!

    --
    My wife doesn't listen to me either...
  16. Technical Competence by ronark · · Score: 3, Insightful
    At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.
    "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.

    So what? Maybe they read some document informing them of what a heap overflow is. It's more important that these managers understand what goes into the code and the technical details that make the system operate, not what an "obscure" problem like a heap overflow is. Microsoft's managers can only claim technical know how if they have experience working as developers, because otherwise it's simply too hard to understand the real issues that the engineers have to face.

  17. Colors explication: by ratta · · Score: 3, Funny
    White hats do white magic

    Black hats do black magic

    Blue hats do blue screens of death

    --
    Wondering why I am doing such strange posts? I am trying to get a "+5, Flamebait" or "-1, Insightful" rating.
  18. Some things to note by UnknowingFool · · Score: 2, Insightful

    Programmers actually thought that their code could not be exploited. I don't know if this is collective arrogance or part of the MS culture, but it seems most of the world outside of MS knows how easily code in general can be exploited. With as many security problems as MS has had and Bill Gates' many public proclamations about security, you would think that they would know there may still be issues in their code.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  19. "visibly angry" by bani · · Score: 2, Insightful

    Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident.

    To me, this is very telling about those engineers' beliefs and attitudes about their own code. It also speaks volumes about their skill (and their personal belief about their own skill levels).

    Real engineers fix problems, they don't get emotional.

    1. Re:"visibly angry" by gordgekko · · Score: 5, Insightful

      That's right, real engineers aren't human beings who would be upset to have their work publicly shown to be lacking. They're supremely efficient human beings who engineered their own feelings out.

      Real engineers are human beings and it's quite acceptable for someone to get mad before they tackle a problem they helped create.

      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    2. Re:"visibly angry" by Shanep · · Score: 5, Insightful

      Real engineers fix problems, they don't get emotional.

      This is so true. I've worked with many people in IT and communications over the past 17 years, in financial, military and educational institutions from desktop support to reverse engineering. People who get emotional when challenged or proven wrong are putting their ego before the problem. Their ego becomes the biggest problem and the real problem they're getting paid to fix tends to get fixed in a way that makes them look good, which might not actually be the technically better way.

      The most exceptional people I have worked with, shrugged failure off and carried on with fixing things or making them better. The loudest people don't know shit and cover it up with fast talking. It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.

      Unfortunately, in the past 17 years, only two people in my mind stand out to be the exceptional people, the rest are all competing in a bullshit competition with each other or are otherwise mediocre.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    3. Re:"visibly angry" by ebuck · · Score: 5, Insightful

      Yes, we are human, but then again, not all engineers are equal.

      I once worked for a company that hired an outside consultant to ask how they could get their product into a "better place". It was nasty code that contained snippets of Fortran, C, C++, and three other scripting languages. Some of the newer portions were being developed in JAVA with a database as the "inter-system" communication protocol. It compiled on one specific version of UNIX and threw memory alignment errors.

      The consultant did an excellent job, and he really should be commended for identifying key weaknesses in the product; however, when he presented his findings, most of the managers grew visibly upset, and a few raised their voices (but I wouldn't call it yelling). People defend their collections of bad ideas, and rationalize that it's much more costly to fix problems than to just live with them a little longer.

      I enjoyed my time there, but I moved on because I couldn't stand to see good ideas replaced with bad.

    4. Re:"visibly angry" by William+Robinson · · Score: 2, Insightful
      Real engineers fix problems, they don't get emotional.

      I have been developing for more than 15 years and have worked for great organizations. You could get emotional if corporate process and strategies do not permit you to develop quality code. Have you ever worked in a marketing-driven company where dirty work is appreciated by clueless managers, because it is fast and they wanted everything yesterday? Have you ever worked for an organization that puts more priority on marketing gimmicks?

      M$ is not an exception, and many good practices of Software Engineering are bypassed there. The developers are expected to code and pray (I am exaggerating, but it is not far from reality).

      Organization process is very important. It brings the best out of individuals. Real engineers feel suffocated with a lot of marketing shit around.

    5. Re:"visibly angry" by dsci · · Score: 4, Insightful

      People who get emotional when challenged or proven wrong are putting their ego before the problem.

      I have to disagree. I've fixed/solved some majorly complicated problems in the past 20 years. In many cases, I've gone through periods of frustration that got vented as 'anger.' Once vented, I settled down to the task at hand.

      The most exceptional people I have worked with, shrugged failure off

      It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.

      Perhaps. But that itself does not prove (or even suggest) that some exceptional people are not also 'passionate.'

      You probably should not make such sweeping generalizations. There are many personality types among people who are very effective at very complex tasks.

      --
      Computational Chemistry products and services.
  20. Microsoft Security by jfonseca · · Score: 4, Insightful

    Microsoft has managed to link itself with bad code to a degree that, recently, I spent over 40 minutes convincing a programming team that Code Complete was actually a good book and did not reflect the bad quality of Microsoft software.

    --
    Broken Hearts are for Assholes. - Frank Zappa
  21. Kind of old... by Dunbal · · Score: 2, Interesting

    From TFA...

    The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target...

    We're in what, mid June now? Slashdot: "olds" and recycled duplicate articles for nerds, I guess...

    Still it's nice to know that Microsoft at least acknowledges that there is a problem they aren't addressing properly.

    --
    Seven puppies were harmed during the making of this post.
  22. Car Jokes? by LiquidCoooled · · Score: 2, Funny

    fta: Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.
    "I'm also sure Ford wasn't too happy with (Ralph) Nader's reports in the late '60s," he said. "What do you mean you are telling people our cars can blow up?"


    I wonder if Bill actually laughed the first time he read the microsoft car joke?

    --
    liqbase :: faster than paper
  23. You mean to tell me... by doswarrior · · Score: 2, Interesting

    "We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."

    So you mean to tell me, that Microsoft employs *no* hackers of any hat or has ever known one? They make it seem like it was the first Thanksgiving all over again. Puh-leaase.

    Today's lesson is: Hire hackers if you want to build a secure OS.

  24. Re:for Microsoft it is easer... by Humorously_Inept · · Score: 4, Insightful

    Is that so entirely unusual? Would you trust yourself to edit a manuscript that you wrote? When you review your own work, you naturally see your intentions instead of your results. That can be true at a personal, team or corporate level so it's not necessarily just a matter of easier.

    --

    ~Someday, I hope to be an aspiring author.
  25. Can We Get Firefox Developers To Do This, Too? by kmactane · · Score: 5, Insightful

    I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

    It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

    Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

    Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

    In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 was a huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

    Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

    If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.

    1. Re:Can We Get Firefox Developers To Do This, Too? by Mingco · · Score: 5, Funny

      They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

      Ironically, once they reach the top of the heap in security, they'll discover that it has been overwritten by overflowing buffers.

    2. Re:Can We Get Firefox Developers To Do This, Too? by Kirth · · Score: 3, Informative

      These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

      I don't think so. Of course they are now taking security a bit more seriously, but there are so many big conceptual mistakes, so many design flaws, they won't and can't fix, or they would break thousands of applications which you can't just recompile...

      Like:
      - case insensitive but case-preserving filesystem (ambiguities in filenames)
      - ActiveX and other unsafe scripting languages all over the place. It's not just the browser, it's also Word, Excel and lots of other programs.
      - rpc for just about everything.
      - unsafe program interfaces. some application will happily accept any malformed events from some other components.
      - writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

      --
      "The more prohibitions there are, The poorer the people will be" -- Lao Tse
    3. Re:Can We Get Firefox Developers To Do This, Too? by marcosdumay · · Score: 2, Insightful

      "Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security."

      That is the problem, security can't be achieved the same way that browser market domination was. To fix security, MS will need the following:

      A lot of rewriting, that is expensive. But can be done.

      A lot of testing, that FOSS gets for free and MS pays a lot for. But can be done.

      Also, they'll need to modify the relationship they have with their customers. That is a hard one, MS will need to respect their clients. They'll need a complete restructuring, but can be done.

      And, finally, the problem: MS will need to discontinue bad projects, breaking past compatibility.

      Let's face it, Windows, IE and Office are kept on top because of the net effect. The advantage that people get when running those products is to get something that is compatible with everything else, so they don't need to care about that. If MS suddenly breaks past compatibility, they'll see their market suddenly vanish.

      This is why MS will not develop secure products so soon, their software projects are flawed and they can't correct it. Those events are good PR, but will not make MS programs better than FOSS.

    4. Re:Can We Get Firefox Developers To Do This, Too? by jafac · · Score: 3, Interesting

      Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing.

      Exactly. Working for a major Systems Integrator, our customer actually has a special team of people who do nothing but hack systems, and recommend security changes to the products they buy.

      We thought we had locked down our systems pretty well. They turned it out pretty good, and produced a 92-page report. (of course, some of it was gratuitous).

      However, the end result: slapping security changes onto an already-developed product, results in a whole lot of breakage. This lesson will benefit our NEXT customer. And it will really, really hurt our current customer. The lesson? Security should be designed-into a system from the start.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    5. Re:Can We Get Firefox Developers To Do This, Too? by Anonymous Coward · · Score: 3, Insightful
      First, MS did not get IE right. They used their dominant desktop position to squeeze out other players. The failure of Netscape was due equally to the Netscape problems and the fact that MS sabotaged Navigator. I have used nearly every major browser since Mosaic. To this day IE does not provide the expected overall functionality one would expect in a web browser, but exists merely to support a few, mostly lame, MS features.

      Second, most of MS problems are caused by the fact they miss nearly every boat, and then come up with half-assed solutions to catch up. Security is not something that can be tacked on later, like a GUI or browser or RSS feed. It must be designed into the infrastructure. It is quite unreasonable to allow untrusted agents unlimited access to the file system, and then set up optional limits on that access and call it security.

      Firefox is not comparable because Firefox is not a component of the OS. It is not, as is IE, an application front end, but a standard stand-alone web browser. The critical nature of Firefox bugs cannot reach that of IE because they are not, by definition, OS level faults.

      Finally, these 'try to break into my house' kind of tests are kind of useless. If nothing happens then the vendor unfairly claims security. If something happens, it is either spun into a nonevent or the particular problem is fixed, and, again, security is unfairly claimed. It is a PR stunt.

      I am sure you will tell your clients to go with MS no matter what, as you likely make most of your money fixing the MS problems, and an efficient OS would mean that you would be forced to find a real job.

    6. Re:Can We Get Firefox Developers To Do This, Too? by CPUGuy · · Score: 3, Insightful

      I hate to break the news to you, but IE3 was on par with Netscape 3, and IE4 just blew Netscape out of the water. MS only 'sabotaged' Netscape because IE was simply a much better browser at the time.

      Hell, for the longest time, IE was THE browser to use because of its standards compliance, features, etc...

      Also, the only security advantage Firefox has with not being integrated is that it's not shipped with the OS. The fact is that IE is shipped with every single Windows computer, and as such anyone can be exploited by it. IE is NOT part of the OS, except that the rendering engine is used to render some OS components, however, it is no more integrated than Firefox.
      Firefox is also just a front-end, just that it is a front-end to a different rendering engine (Gecko).

    7. Re:Can We Get Firefox Developers To Do This, Too? by drsmithy · · Score: 2, Insightful
      Firefox is not comparable because firefox is not a component of the OS. It is not, as is IE, an application front end, but a standard stand alone web browser. The critical nature of firefox bugs cannot reach that of IE becuase they are not, by definition, OS level faults.

      IE has no greater ability to do damage to the system than Firefox does.

    8. Re:Can We Get Firefox Developers To Do This, Too? by GISGEOLOGYGEEK · · Score: 2, Insightful

      You don't have a clue whether or not there are any 'conceptual mistakes', 'design flaws', or 'thousands of applications' that would be broken, that can't just be recompiled. No Idea At All. You're just repeating what all the other Linux sheep keep saying, and the sheep reward you with 'informative' mod points.

      Get out of your chair, go out into the world, and try to create an original thought.

      --
      George Bush + Linux = "I will not let information get in the way of the fight against Windows"
    9. Re:Can We Get Firefox Developers To Do This, Too? by Tim+C · · Score: 2, Informative

      - case insensitive but case-preserving filesystem (ambiguities in filenames)

      How so? You can't create (for example) readme, README and ReAdMe all in the same directory on Windows, so you can't cause ambiguity like that.

      - writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..

      Normal users don't have write access to the Windows or Program Files directories. Now, you can argue that MS hasn't exactly made it easy for people to run as normal users, but that's only partly true. NT has had ACLs from the beginning, and was released towards the tail end of the 90s - developers have had what, a decade to get used to the idea of user permissions on Windows? Even only counting from the release of XP, they've had 3 years or so. Yes, user-based security on Win 9x was non-existent, but come on.

  26. Getting through to engineers is hard by kt0157 · · Score: 5, Interesting

    In my previous company I tried to communicate with engineers. I was an engineer, but it's still damned hard. Programmers just don't "get it" without hard work. In the end, this kind of smack-in-the-face-by-the-real-world approach is what is needed.

    I reckon it's because so many programmers have at least a touch of Asperger's. The number of times I'd try to explain that customers behave like monkeys, focusing on the wrong things, buying products for the wrong reasons. But these reasons aren't "wrong" if it means the difference between selling a product and not selling a product. That yes, it's "wrong" to buy a product because we've used Times Roman screenfonts but the competitor used Tahoma, but just change the goddamn font, OK?

    Reminds me of the story about 1-Click from Amazon. After patiently explaining what he wanted, the developers all nodded and said, yes, they can do 1-click. A few weeks later the prototype is ready and Bezos tries it out. He clicks on a book. And up pops a dialog box that says "Are you sure?"..

    Read about this in Cooper's book "The Inmates Are Running The Asylum."

    K.

    1. Re:Getting through to engineers is hard by kt0157 · · Score: 4, Funny

      Stop arguing about clinical definitions and just change the goddamn font.

      K.

  27. Invite outsiders or hire insiders? by dozek · · Score: 2, Interesting

    I find it is interesting that a company with record cash in hand and well documented employee benefits would not have their own 'blue hat team' on staff. I mean, why invite outsiders in to reveal the exploits? Surely MS can afford an elite team of their own...especially when 1/3 of the R&D budget is going to security matters.

    1. Re:Invite outsiders or hire insiders? by Kesh · · Score: 2, Insightful

      Exactly. Not only are outsiders able to look at the software from a clean slate, without the influence of their co-workers or company policies; they're also (relatively) free from retribution.

      If they were an inside team doing the "blue hat" work, they'd be about as popular as Internal Affairs officers are to their fellow cops. There would be a lot of pressure to "just overlook that" from their friends, or folks who they feel loyalty to within the company.

  28. Re:2002 WTF? O.o or Why I Love SR-520 by WillAffleckUW · · Score: 3, Funny

    Sheesh! It's 2005 and there are still unpatched vulnerabilities. Damn hackers, they're always faster than us! (/sarcasm)

    Heck, they just released a bug fix for an IE bug that was already fixed, put back in by mistake (since it was still in IE), and refixed in Firefox ... today.

    Wow, it's like watching paint dry.

    Luckily for them hackers just go away on vacation in the intervening years between bug fixes ... right?

    --
    -- Tigger warning: This post may contain tiggers! --
  29. Give Microsoft Its Due by MrNonchalant · · Score: 5, Interesting

    I'm banking that I'm the first one to say this, and that there are at least a few reasonable moderators out there.

    This represents a step in the right direction for Microsoft. Perhaps as a community we need to face the possibility that they may be changing. I read the entire article, and it seemed as if Microsoft genuinely wanted to change. I run Linux, and so do a lot of you, so it is understandable when a lot of you will deride Windows no matter what because it represents a competitor. I just don't buy into that philosophy, it doesn't hold much room for fair.

    Giant Anti-Spyware, IE 7, and the anti-virus acquisitions are all good indications. Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them. Either that, or blows it so hard their customers (corporate and power user home) all look for more stable operating systems (hint: all other consumer desktops of any note run a Unix derivative of one sort or another).

    1. Re:Give Microsoft Its Due by dustmite · · Score: 3, Interesting

      Microsoft always catch up after being behind everyone else after roughly ten years, in everything they do. The same is true for their current drive towards security, where they are starting to catch up to, say, the seriousness with which 1980's UNIX vendors approached security.

      The underlying problem though is that Microsoft only ever develop anything reactively, never proactively. Every move they've ever made has been kind of like: "hey look, company XYZ has produced this excellent product ABC, and everyone loves it, let's also start working on something like that and release a semi-decent version five years from now". This will never change.

      So it's all fine and well that Longhorn 2006/7 will be the first MS OS ever actually built with a serious company-wide intention of being secure, but the question is, do you want to always be at least "ten years behind" like that? Do you think it's good to keep putting your money into the company that only knows how to "catch up", in an industry that really runs much better when there is leadership and innovation?

  30. Old problem, not Microsoft specific by sublimespot · · Score: 2, Insightful

    That technique is

    a) old news
    b) not Microsoft specific.

    Linux and OSX can also be tricked into connecting to a rogue access point.

    Whichever access point is most powerful, or higher priority will be connected to.

    The only shocking thing about the article is that the engineers haven't seen/heard/tried this before.

  31. It was just silent... by kmortelite · · Score: 4, Funny

    "It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."

    And then some guy in the back stands up and starts yelling "Developers! Developers! Developers..."

  32. Behold, the problem by CaptainCarrot · · Score: 2, Insightful
    Or at least part of it anyway. From the article:

    The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.

    "Don't necessarily focus on security features"? If this is just the reporter making up his own description it's not so bad. But if he's just echoing what he was told by Microsoft or whoever his source was, then they're looking at this backward and probably have been for a long time.

    Anyone who touches that code for any reason at all has to keep security in mind every time he does it. It doesn't matter if he's responsible for authentication or whatever else they're including under the rubric of "security features". Any bit of code is a potential vulnerability. It only takes one buffer overflow, one set of bounds that's not checked, one line of code that doesn't validate the terminator on an input text string, to create one. And then it's a security problem for everybody. If making non "security feature" programmers aware of these issues is a new thing at MS, they've been doing this all wrong for years. (As many have suspected, but seeing it possibly confirmed is still a bit of a shock.)

    --
    And the brethren went away edified.
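    The post above names the classic way a single line creates a vulnerability: a copy with no bounds check that also assumes the input text is terminated. The following is an added illustration written for this page, not code from the article or from Microsoft, showing that pattern next to a hardened field copy that validates both the terminator and the length before touching the destination. The field size, the function names and the sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* constructed: size of the fixed destination buffer */

/* The pattern the post warns about: no bounds check, and no check that
 * 'src' is terminated within the bytes that were actually received.
 * strcpy keeps reading until it finds a NUL, so an unterminated or
 * over-long input walks off the end of both buffers.
 * Shown for contrast only; nothing below calls it. */
void copy_field_unsafe(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened version (hypothetical helper). The caller states how many bytes
 * of 'src' are valid, the terminator is searched for only inside that
 * window, and anything that would not fit in 'dst' together with its NUL is
 * rejected. Returns 0 on success, -1 when the input is rejected; on
 * rejection 'dst' holds an empty string rather than partial data. */
int copy_field_safe(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* memchr stops at src_len, so this never reads past the received bytes. */
    const char *nul = memchr(src, '\0', src_len);
    if (nul == NULL)
        return -1;                      /* terminator not present: reject */

    size_t n = (size_t)(nul - src);
    if (n >= dst_size)
        return -1;                      /* bounds check: leave room for the NUL */

    memcpy(dst, src, n + 1);            /* copies the terminator too */
    return 0;
}

/* Constructed sample inputs, as they might arrive from a network read.
 * Returns 0 when the safe copy accepts the good input and rejects the
 * unterminated and over-long ones. */
int demo(void)
{
    char out[FIELD_MAX];
    const char ok[] = "username";                                      /* terminated, fits */
    const char unterminated[8] = {'a','b','c','d','e','f','g','h'};    /* no NUL in 8 bytes */
    const char too_long[] = "this-value-is-longer-than-sixteen-bytes"; /* terminated, too big */

    int r1 = copy_field_safe(out, sizeof out, ok, sizeof ok);
    int r2 = copy_field_safe(out, sizeof out, unterminated, sizeof unterminated);
    int r3 = copy_field_safe(out, sizeof out, too_long, sizeof too_long);

    printf("ok=%d unterminated=%d too_long=%d\n", r1, r2, r3);
    return (r1 == 0 && r2 == -1 && r3 == -1) ? 0 : 1;
}

int main(void)
{
    return demo();
}
```

    The point of the hardened version is that the length of the received data is an explicit parameter, so the terminator check and the bounds check are both decided before any byte is written; a reviewer reading the unsafe version cannot tell from the code alone how long 'src' is, which is exactly the kind of line the post says any engineer touching the code has to notice.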
    1. Re:Behold, the problem by Effugas · · Score: 3, Funny

      That's the point -- there weren't just network programmers, or compiler writers, or the reps from the security business unit who'd go to Black Hat anyway. People from across the organization showed up.

      Chill. I was there. You'd have liked it.

  33. a little niggle by JamesD_UK · · Score: 3, Informative

    Can people write, or the editors make sure that article summaries are just that, not cut and pasted paragraphs from the article? The posting makes it look like Mz6 wrote those paragraphs which is only true if she's Ina Fried .

  34. An extremely dangerous stunt by G4from128k · · Score: 3, Insightful

    Unless Microsoft uses NO wireless on its campus or unless the walls were RF shielded, this was a very dangerous stunt. If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall. Range is no protection as it would be not hard to build a high-gain antenna into the lid of a hacker's laptop and orient it to pick up WiFi elsewhere on the Microsoft campus. If a hacker can gain access to an inside machine, they could plant a backdoor for later exploits including attacks on the company's codebase.

    I'm not a shareholder or a user of their products (except to the extent that the vast majority of the companies I do business with use Microsoft) but I find this an extremely irresponsible act on the company's part. If they want to try this sort of security testing, and they should, it should be done off-site or in a shielded room.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:An extremely dangerous stunt by Jah-Wren+Ryel · · Score: 2, Informative

      If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall.

      Anyone doing even halfway decent wireless networking in the corporate environment is simply using the wlan as a transport layer for a VPN. Without the VPN you can't get anywhere.

      --
      When information is power, privacy is freedom.
  35. Pride comes before a fall by Ridgelift · · Score: 2, Insightful
    FTA: Yet regardless of the mutual admiration, some tense moments were inevitable during the confrontation.

    Microsoft developers, for instance, were visibly uncomfortable when Moore demonstrated Metasploit--a tool that system administrators can use to test the reliability of their systems to intrusion. But Metasploit also includes a fair number of exploits, as well as tools that can be used to develop new types of attacks.

    "You had these developers saying, 'Why are you giving the world these tools that make it so easy to do exploitation?'" Kaminsky said. They calmed down, he said, once the researchers were able to state their case.

    "We do regression testing in the real world of software development," Kaminsky said. "If we say, 'This thing isn't going to break,' then we need to test that. What these tools give is the ability to do this kind of testing, to be able to say not just, 'We did the best we could,' but 'We tried stuff and nothing worked.'"

    Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.

    Wow. This is great (and about time too). What really seems clear to me from all this is the problem with Microsofties is the same problem a lot of slashdot readers suffer from: hubris.

    Open Source software is not bulletproof. It suffers from security defects as well. The big difference, however, is we're up front and honest about it. Microsoft can't afford to be that way, as they rely on customer confidence and their monopoly to stay in business.

    Microsoft seems to be understanding that their real problem in improving security is people, not so much the technology. By letting the "bad guys" knock the bricks down in front of the programmers who build the stuff, it oughta sink in pretty deep.

    Fix the attitude among the developers and the technical stuff will probably follow. Too bad a lot of slashdotters aren't able to experience the same thing.
  36. FINALLY!!! by Whatchamacallit · · Score: 2, Insightful

    Time for the security guys to SMACK some sense into those MS Engineers! Go Man Go! Your system is like Swiss Cheese and you really really need to freaking fix it! This BlueHat event is literally a smackdown to wake the MS engineers and management up to just how bad it really is. It is critical for the MS Engineers to get shaken out of their MS Corporate boots and have their eyes opened to the truth. Seeing your most recent work getting compromised in seconds must have driven some of these guys completely bonkers!

    The invited security experts are familiar with all kinds of exploits even at the latest patch release. However, the really smart ones are not working security for a living; they are doing International Corporate Espionage where you don't publish what you find, you use it over and over and guard it as a secret so you can get paid as you steal IP from one company and sell it to another.

    Personally, I don't believe that MS will be able to fix Windows unless they go through a complete rewrite, that means beyond Longhorn before they get it right. They can continue to bandaid it or they can start over and design the way OpenBSD designs. Include security regression testing into their milestone workflow. While they are re-doing things they can also fix all the other broken crap that needs fixin!

  37. two BILLION a year... by zogger · · Score: 3, Insightful

    ...on "security"

    uh huh

    think about what that sort of cash would do to help out open software in general terms, all the various neato projects done with a few dollars and a lot of skull sweat. Think about if only a fraction of that went to linux kernel development, say something small, like 100 million dollars, 1/20th of what MS spends on "security research"

    I am just amazed at this, it is just a staggering sum for those products and their "security features".

  38. Engineers? by HydroCarbon10 · · Score: 5, Informative

    WTF is up with calling programmers engineers now? The term 'engineer' is regulated in all 50 states, and calling yourself an engineer without being licensed is worthy of a fine. There are some exceptions, but these vary from state to state, making it best to completely drop the title 'engineer' unless you're actually licensed in the state you're advertising in.

    --
    The best way to accelerate a windows box is at 9.8 meters per second square.
    1. Re:Engineers? by Anonymous Coward · · Score: 3, Informative

      The title Software Engineer is not regulated.

    2. Re:Engineers? by chapman_164 · · Score: 5, Informative

      Actually, calling yourself an engineer is fine. Calling yourself a "Professional Engineer" is what will get you in trouble unless you are appropriately licensed.

    3. Re:Engineers? by HydroCarbon10 · · Score: 2, Informative

      As an EIT, I can tell you that it's actually extremely vague and varies from state to state. You may or may not be able to get away with just 'engineer' depending on which state you're in, the phase of the moon, and who happens to be sitting on the regulatory board for your state. At least, that's my understanding of the issue based on a presentation given by someone who sits on the board in Texas and was attempting to clarify the issue.

      --
      The best way to accelerate a windows box is at 9.8 meters per second square.
    4. Re:Engineers? by JohnsonWax · · Score: 2, Informative
  39. What REALLY happened... by chia_monkey · · Score: 2, Funny

    Yeah...M$ MEANT for that to happen. Here's the real story:

    M$ Exec 1: "Oh sh*t!!! We've got a security problem. One of our computers has been lured to a baaaaad network"

    M$ Exec 2: "Crap. Wait, I know. Get MarComm on the phone. We'll tell the world we were running a test. We're finding flaws so we can fix them. Yeah, that's the ticket."

    M$ Exec 1: "Good thinking! Maybe we should tell them to also release a statement that the BSOD is actually Microsoft's commitment to employee health. A soothing blue screen comes up, gently reminding employees to get up, stretch their legs, refocus their eyes..."

    --

    "He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
  40. MS Coders Ignorant? by redhatkingpin · · Score: 2, Interesting

    "We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."

    Maybe it's just me, but I would assume these guys would actually have spent time securing their own computers, dealing with spyware and worms, etc. Maybe even attempting to hack their own computers to test it. More so, do they not keep up on the latest techie news given that they are geeks?

    Maybe if all MS programmers signed up to receive slashdot digests every day and took the time to read the articles and comments, they would learn from others' experiences with MS products and use those critiques to improve their products.

    Do these people live in a hole or something?

  41. what does this have to do with windows... by rcamera · · Score: 2, Interesting

    maybe i missed something, but what does connecting to a malicious network have to do with an operating system? could os x have connected to the same wireless network? how about linux? this is as much an os flaw as 'click yes to install spyware'

    user idiocy is not an os flaw. end of story.

    --
    Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
  42. Knows about MD5? by DevanJedi · · Score: 2, Insightful

    So in the right column of the article there is a little 'anecdote' from the conference that says that some guy called Allchin (god of Windows OS) asked a 'blue hat' about MD5 and the article goes on to say:

    "Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company."

    Knowing about MD5 makes a software guru 'deeply knowledgeable'? What kind of an article is this?

    1. Re:Knows about MD5? by Effugas · · Score: 3, Interesting

      It wasn't so much the question, as the unexpected nature of it. I'd just finished talking about very different things -- video over DNS, backtunnelling through dual-hosted name servers, etc -- and it had been about 20 minutes since I'd mentioned that, *if* someone asked, I'd show what was wrong with MD5.

      No matter. This guy -- I had no idea who he was at the time -- heard something he needed to precisely understand, and got his answer at his first opportunity.

      It's kind of cool that senior management at Microsoft a) showed up at an internal hacker con and b) knew enough to not only understand what I was talking about, but was interested enough to demand more.

      Dude. Have you met anyone in senior management? There's a reason so many people relate to the Dilbert PHB.

    2. Re:Knows about MD5? by Effugas · · Score: 2, Insightful

      Lesse...I was there, Dug Song was there, K2, Shok, and Dino were there...a hacker con it most certainly was, just with a rather different audience than normal.

  43. Re:for Microsoft it is easer... by Humorously_Inept · · Score: 2, Insightful

    It does make sense. You have explicit knowledge of your creation because you participated in its specification, design, testing, field trials, etc. You are bound to the process used to create it so you're likely to overlook omissions or critical flaws in it. Would you do your own code review? Have you ever written an essay or something and discovered word omissions or sentences that appear to be disjoint in some fashion? For each problem that you find, how many do you end up missing? You see what you intended when you conceived the project and not necessarily what is there, because you know what's supposed to be there.

    That's why it's so useful to get people who are totally detached from the project to have a stab at finding problems. That's also why, when you write a novel or story, you have a friend edit it and likewise why your publisher employs copy editors instead of just taking your word for it.

    --

    ~Someday, I hope to be an aspiring author.
  44. Wrong Thinking by Morrog · · Score: 2, Insightful

    I've seen a few posts already that are saying Microsoft is getting better. They fail to see the pattern here. Microsoft makes a product, consumers cry and whine, Microsoft fixes it in 5 or so years, happy-happy-joy-joy until...OH another problem. It was the same then, and it'll be the same now and onward with Microsoft. They don't actively work to solve problems before an outcry, they wait for the outcry. This is responsive thinking, and I don't like it one bit. I want a forward thinking company behind the software I use. A company that doesn't just wait until everyone hates their software before fixing it. Let me quote the article: "'It kind of hits people up here,' Thomlinson said, pointing to his head. 'Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut.'" Wait...where are you? A Microsoft run event? WOW! Maybe just MICROSOFT programmers are doing this... I don't want someone who acts like this making the software I use/buy. Someone who refuses to believe their software is broken until they see it. HELLO!! The millions of people being infected as a result of unpatched issues in your software should have been clue enough. "Oh hey, our software really can be exploited! Man...that sucks...think we should do something about it?"

  45. Thanks, we've already met by SuperKendall · · Score: 2, Funny

    "Hackers, Meet Microsoft"

    Oh, I see you're already well-acquainted!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  46. What's really sad by btarval · · Score: 2, Insightful

    "But *can* MS actually do anything?"

    It's really sad that they had several hundred engineers sitting around, getting taught lessons like this. 99% of the so-called hackers out there really aren't that great. And it's unlikely anything earth-shattering here was used.

    I find it truly surprising that not one single Microsoft Engineer could take it upon himself to discover these flaws beforehand. And that they were surprised by these results.

    That tells me a lot about the Engineering talent. Hopefully some small change has been made in the mindset there. It would at least be a good small start; because one key thing about improving security is the mindset.

    --
    The best way to predict the future is to create it. - Peter Drucker.
  47. A step in the right direction by ebuck · · Score: 2, Interesting

    Sure, Microsoft is moving in the right direction; however, I would call it more of a shove than a move. Microsoft's not doing the pushing in this case, which makes it so hard to understand without some context.

    Microsoft has become synonymous with bad software. Why else would a company as powerful as Microsoft become so desperate as to pull off this latest stunt?

    This story includes:
    1. Uncooperative Black Hats that somehow manage to cooperate with Microsoft to assist in securing the OS, yet remain blacker than India ink.
    2. Wily engineers that manage to out-think the black hat by applying a token of common sense (the off switch).
    3. Engineers that become one with the enemy to make a better product for us.
    4. Flat out admittance that Microsoft makes a security challenged product, but will do much better because they've been shown that it can be compromised.
    5. Direct quotes from Microsoft insiders, implying that press was standing by.
    6. A specific agenda of defusing the security issue by admitting it, then appealing to Microsoft's software genius as having the solution in hand (now that they know what the problem is).

    Basically, the article can be summarized:

    Microsoft didn't know that Windows XP has problems, but now that someone has shown them, they'll get right on fixing those issues.

    Which is nearly the same spin we've been hearing since they first added networking to Win98.

  48. Re:Constructive criticism by cagle_.25 · · Score: 2, Insightful

    The context really matters here. If my boss sent me a quick e-mail saying, "Hey, I found a NULL pointer dereference in your device driver!" then I would thank him and fix it.

    If same boss organized a conference and allowed SOMEONE ELSE to purposely expose my NULL pointer dereference by demonstrating that the mouse locks up or causes a seg fault or whatever, then I would feel that my boss was making a point: I'm an employee who is worth publicly humiliating.

    I would find a new job.

    --
    Human being (n.): A genetically human, genetically distinct, functioning organism.
  49. Third party support by MMaestro · · Score: 2, Insightful

    As anyone who plays console video games can tell you, any change in hardware, software or even the controllers can result in serious and unexpected changes in the long run.

    How long do you think it took Windows to reach the state it's in now? If you're looking at just the major changes there have been a LOT compared to other software. (Windows 95, 98, 2000, XP, not counting updates, ME, or versions older than 95 and the unreleased Longhorn). Has there EVER been a major series of software changes in history on this scale? The answer is a simple, no way.

    Throw in the fact that nearly 90-something% of all computer software is designed to fit into a Windows environment, the billions of users who have accustomed themselves to Windows' own quirks and the ever present threat of losing marketshare to Apple or Linux and what you're asking is impossible. There is no magical development wand that can be waved and all of Microsoft's problems would be solved. This isn't a Linux project where every user personally works on and personally customizes their OS either. The most obvious solution for Windows to take is simple, 'if it isn't broken (enough), don't fix it (yet)'

    1. Re:Third party support by kiljoy001 · · Score: 2, Insightful

      "There is no magical development wand that can be waved and all of Microsoft's problems would be solved. This isn't a Linux project where every user personally works on and personally customizes their OS either. The most obvious solution for Windows to take is simple, 'if it isn't broken (enough), don't fix it (yet)'"

      This is the crux of Microsoft's problem; such an environment leads to stagnation - they can no longer innovate in this area. Unfortunately (or fortunately) this means that unless they take a significant risk, their OS is not going to be relevant in a few years. On that note, it makes me wonder who FOSS programmers are going to look to for what passes as "common" items/functionality in a modern desktop environment. OS X perhaps?

  50. The underlying motivation for this thread's posts by I'm+Don+Giovanni · · Score: 2, Interesting

    The funny thing is that the underlying motivation for most of the snide, derogatory comments made to this thread is, "Please, please, don't let Microsoft improve its security!"

    You guys are scared to death that Microsoft will kill off your security argument just like they did the stability argument. All of the negative posts regarding Blue Hat, the comments that it'll do no good, the assertions that only a complete rewrite from scratch will work, blah blah blah, are nothing more than wishful thinking. Many here hope, wish, and even pray for Windows to remain vulnerable, and it's clouding your thinking. Blue Hat (and other measures taken by Microsoft) is a good thing, and many of you just can't stand it. LOL

    --
    -- "I never gave these stories much credence." - HAL 9000