Slashdot Mirror
Hackers, Meet Microsoft
Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully
lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."
What were they thinking? "Oh, shit our OS isn't secure?"
The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.
Must... not... make... obvious... BSOD comment.... aughhh!
Come to think of it.... BLUE screen!
From TFA, "... some of the engineers were turning red, becoming obviously angry at the demo hacking incident ..."
I would think they would be looking at their shoes.
The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.
Hey, IBM is Mr. Blue! Microsoft is Mr. Pink!
"It's too bad that stupidity isn't painful." - Anton LaVey
So microsoft has what like 50 billion in cash reserves? Why don't they just do a bug bounty and like $50 a bug. Like mozilla did. 50 billion/50 = 1 billion bugs they could find and fix that would hav to make some kind of dent right....................oh wait never mind.
Madre de Dios! Es El Pollo Diablo! -- Captain Blondebeard
M$'s corporate color is blue? Could have sworn it was green.
- Peace
Free as in "the Truth shall set you..."
First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks. Second, this whole article is a bit of a puff piece it seems designed to put Microsoft in the best light, "Can't we just all get along?".
Good for Microsoft that they're willing to do this kind of thing... shame on them for waiting until the five years into the 21st Century. While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line, maybe that kind of pressure will finally be enough to get them to clean up their mess, if only a little bit.
Microsoft has managed to link itself with bad code to a degree that, recently, I spent over 40 minutes convincing a programming team that Code Complete was actually a good book and did not reflect the bad quality of Microsoft software.
Broken Hearts are for Assholes. - Frank Zappa
Is that so entirely unusual? Would you trust yourself to edit a manuscript that you wrote? When you review your own work, you naturally see your intentions instead of your results. That can be true at a personal, team or corporate level so it's not necessarily just a matter of easier.
~Someday, I hope to be an aspiring author.
I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.
It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.
Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.
Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.
In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 wa s huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.
Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?
If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.
Kai MacTane: Web developer for hire in San Francisco
> But will MS actually do anything?
But *can* MS actually do anything?
Given the bowl of spaghetti called nearly 2 decades of Windows, how much freedom of action do they really have to clean things up? Tug at a strand here to fix it, and who knows where the other end is? How many side effects will there be from that one fix? Yet at the same time, their market power is based on Windows and their code base. Force too big a migration, too much retraining, and it might well turn into a different kind of migration - to someone else's platform.
They've got a ticklish and tough job ahead. But then again, they did it to themselves.
The living have better things to do than to continue hating the dead.
That's right, real engineers aren't human beings who would be upset to have their work publicly shown to be lacking. They're supremely efficient human beings who engineered their own feelings out.
Real engineers are human beings and it's quite acceptable for someone to get mad before they tackle a problem they helped create.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
In my previous company I tried to communicate with engineers. I was an engineer, but it's still damned hard. Programmers just don't "get it" without hard work. In the end, this kind of smack-in-the-face-by-the-real-world approach is what is needed.
I reckon it's because so many programmers have at least a touch of Asperger's. The number of times I'd try to explain that customers behave like monkeys, focusing on the wrong things, buying products for the wrong reasons. But these reasons aren't "wrong" if it means the difference between selling a product and not selling a product. That yes, it's "wrong" to buy a product because we've used Times Roman screenfonts but the competitor used Tahoma, but just change the goddamn font, OK?
Reminds me of the story about 1-Click from Amazon. After patiently explaining what he wanted, the developers all nodded and said, yes, they can do 1-click. A few weeks later the prototype is ready and Bezos tries it out. He clicks on a book. And up pops a dialog box that says "Are you sure?"..
Read about this in Cooper's book "The Inmates Are Running The Asylum."
K.
I'm banking that I'm the first one to say this, and that there are at least a few reasonable moderators out there.
This represents a step in the right direction for Microsoft. Perhaps as a community we need to face the possibility that they may be changing. I read the entire article, and it seemed as if Microsoft genuinely wanted to change. I run Linux, and so do a lot of you, so it is understandable when a lot of you will deride Windows no matter what because it represents a competitor. I just don't buy into that philosophy, it doesn't hold much room for fair.
Giant Anti-Spyware, IE 7, and the anti-vrus acquisitions are all good indications. Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them. Either that, or blows it so hard their customers (corporate and power user home) all look for more stable operating systems (hint: all other consumer desktops of any note run a Unix derivative of one sort or another).
"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
And then some guy in the back stands up and starts yelling "Developers! Developers! Developers..."
It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.
I think it's a matter of levels. Sure, they doubtless know about all the holes in the code or whatever (being the ones that, y'know, PATCH it) - but it's a totally different understanding than that of an expert user.
It's like an Automotive Engineer and a Mechanic. They both "know" essentially the same things about any specific car. But it's their viewpoints and specific backgrounds that make their individual understandings both unique and useful.
...Also, I didn't know Buggalo could fly.
It's like the old saying - three ways to do things: right way, wrong way, army way. Training recent graduates to the corporate culture only works if there are others coming in to stop it being an exercise in corporate narcissism, which is dangerous in a company like Microsoft that makes money by high volume, low development cost "good enough" software as distinct from the expensive low volume stuff you would trust to handle a stock exchange or air traffic control. If they aimed to be the best they would not be so successful, they would be undercut.
The guys writing the code need to be aware of what is going on in the rest of the world.
Linux these days is generally more secure out of the box. But when you install it, you really need to do a 'netstat -ln' and see what's open. Then set up a reasonable firewall. Your average idiot out there can't do this. (I use Gentoo, so I have absolutely no clue how other distributions handle this stuff, and I don't know what kind of blackbox firewall setups are out there.)
Linux can be less secure than Windows. Usually that's accomplished by turning on all sorts of crap that you don't need, not securing it, and not updating it.
Windows, by default, is a typical blackbox. The thing is an absolute mess. Years after they first appeared, we still have Outlook viruses that pop up every day. Web browsing with MSIE is like playing Russian Roulette. At least with Linux you don't have to worry about that as much. With Linux, you set the system up, and it stays set up that way for the most part. So many packages (malicious and legitimate) change settings in Windows, that it's nearly impossible sometimes to have a good picture of what is going on with your system.
I took a Windows system down ony my home network because after one of my family used the thing for a few months I threw a traffic and systems analyzer on the thing and saw so much spyware and so many viruses on it that I couldn't justify letting the thing stay on my network. This was with Norton Antivirus running on it, mind you. As it is, any Windows installation I have is sectioned from the rest of the network for just that reason. They sit on their own subnet, can't talk to each other, can't talk to the LAN, and can only route out to the Internet.
WTF is up with calling programmers engineers now? The term 'engineer' is regulated in all 50 states, and calling yourself an engineer without being licensed is worthy of a fine. There are some exceptions, but these vary from state to state, making it best to completely drop the title 'engineer' unless you're actually licensed in the state you're advertising in.
The best way to accelerate a windows box is at 9.8 meters per second square.
Real engineers fix problems, they don't get emotional.
This is so true. I've worked with many people in IT and communications over the past 17 years, in financial, military and educational institutions from desktop support to reverse engineering. People who get emotional when challenged or proven wrong are putting their ego before the problem. Their ego becomes the biggest problem and the real problem they're getting paid to fix tends to get fixed in a way that makes them look good, which might not actually be the technically better way.
The most exceptional people I have worked with, shrugged failure off and carried on with fixing things or making them better. The loudest people don't know shit and cover it up with fast talking. It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.
Unfortunately, in the past 17 years, only two people in my mind stand out to be the exceptional people, the rest are all competing in a bullshit competition with each other or are otherwise mediocre.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Yes, we are human, but then again, not all engineers are equal.
I once worked for a company that hired an outside consultant to ask how they could get their product into a "better place". It was nasty code that contained snippets of Fortran, C, C++, and three other scripting languages. Some of the newer portions were being developed in JAVA with a database as the "inter-system" communication protocol. It compiled on one specific version of UNIX and threw memory alignment errors.
The consultant did an excellent job, and he really should be commended for identifying key weaknesses in the product; however, when he presented his findings, most of the managers grew visibly upset, and a few raised their voices (but I wouldn't call it yelling). People defend their collections of bad ideas, and rationalize that it's much more costly to fix problems than to just live with them a little longer.
I enjoyed my time there, but I moved on because I couldn't stand to see good ideas replaced with bad.
Apple didn't create a new OS from scratch, they bought an existing one - NeXT (although many will argue Apple bought Steve Jobs and NeXT was a nice bonus).
Moreover, since NeXT was actually released for the first time way back in 1989, OS X's codebase is actually around 4 years *older* than Windows NT's.
Apple didd this when small and surivived. And MS can do it now but cant pospone much longer.
Microsoft will not create another from-scratch OS in the forseeable future. There is simply no need. Technically and architecturally NT is just as good as any of its contemporaries. 99% of problems in Windows come from legacy support (being phased out with .NET, x86-86 also providing a convenient excuse) and less than ideal default settings (hopefully on the way out with LH).
nope it's not being phased out.
.NET code that was supposed to be an all new APi is being removed to speed up the deadline. Avalon is being back ported to windows XP. Win FS is being dropped due to it being to big of a concept and MSFT doesn't have anyone to copy off of.
the managed
Longhorn I hoped would of been a complete rewrite. it failed. There is not a single new innovative feature in longhorn now. spotlight searches fast and effective, on all but networked drives. GPU driven displays OSX and a large number of X server's(sgi's)
New remote command shell is a combination of applescript and a python interpreter. It would of been cool but it's been delayed.
Yet somewhere MSFT found the time to make their own Bit torrent P2P client and server setups. I guess it shows where MSFT lays it's priorities. An app that won't bring them cash or their Next Generation OS.
i thought once I was found, but it was only a dream.
People who get emotional when challenged or proven wrong are putting their ego before the problem.
I have to disagree. I've fixed/solved some majorly complicated problems in the past 20 years. In many cases, I've gone through periods of frustration that got vented as 'anger.' Once vented, I settled down to the task at hand.
The most exceptional people I have worked with, shrugged failure off
It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.
Perhaps. But that itself does not prove (or even suggest) that some exceptional people are not also 'passionate.'
You probably should not make such sweeping generalizations. There are many personality types among people who are very effective at very complex tasks.
Computational Chemistry products and services.