Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Consults Ethical Hackers at Blue Hat

Posted by samzenpus on from the dare-you-to-break-it dept.

linumax writes "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see.Blue Hat V2 was held on Thursday and Friday and teamed noted "white hat" hackers with Microsoft employees to break into and expose security weaknesses in the company's products. Over 1,000 Microsoft developers, managers and security experts attended, including Microsoft brass Jim Allchin and Kevin Johnson, co-presidents of the company's Platforms, Products & Services Division."

18 of 162 comments (clear)

  1. Good thing by Sinryc · · Score: 5, Insightful

    This is a good thing. It always is good to get someone to try and break your software, that way you know what you can do to fix it. Lets be honest here, Microsoft is number 1 in sales, so I hope they can make a better product, for the saftey of everyones computer.

    --
    Yay, I have a sig.
    1. Re:Good thing by geekoid · · Score: 5, Insightful

      Except this way they can keep the vulnerabilities to the selves and fix them with less PR issues.

      Hiring outside security people to break a system is not uncommon.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Good thing by Captain+Splendid · · Score: 3, Insightful
      A small invited group is hardly representative of the resources global hacker community. They should unleash the world on their software, ala OpenHack; that would be a better security test and/or learning experience.

      Well, yeah, but this is Microsoft, so let's be thankful for small mercies, eh? Baby steps, my friend, baby steps.

      --
      Linux, you magnificent bastard, I read the fucking manual!
  2. Typical /. response by Anonymous Coward · · Score: 0, Insightful

    Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see

    Of course if this were an OSS project, the code would be there for all to see and try to crack instead of 'select' few.

    Still, I'm sure it's a useful PR exercise.

    1. Re:Typical /. response by notasheep · · Score: 5, Insightful

      If you'd RTFA you'd understand that they were invited there to show techniques that hackers use so MS developers can have a better understanding of what to think about when they code. They weren't there to do a line-by-line security review.

      --
      Your mind looks a little cramped. Why don't you stretch it a little?
  3. It's about time... by bypedd · · Score: 4, Insightful
    Kaminsky and others have spent years sounding alarm bells about holes in the security defenses of Microsoft's software, including the Windows operating system and the Internet Explorer browser. As a sign of how times have changed, he and other presenters were treated to a lunch with retiring Windows chief Allchin and Johnson...

    A sign of changing times, indeed. It seems pretty clear that Microsoft has needed to buddy up more with the people who can break their software, because it's going to happen anyways, at least now they might have a head start. I can't really commend the decision to start now, though, as it seems to be both forced by the current politics and belated in that they should have had the foresight to do it earlier.

  4. Yawn, nothing to see here -- move along... by merc · · Score: 3, Insightful

    I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities". Of course there are always proper ethical ways of dealing with the discovery of serious security flaws in software--that doesn't mean they have always had Microsoft's business or PR interests in mind.

    This is just a publicity stunt, a pretense that Microsoft is taking security research seriously.

    If I'm wrong, then it would be interesting to know what security vulnerabilities were "uncovered" at their event. Are they going to be disclosing the details of such flaws? What do you, as a security researcher, have to "sign away" to participate?

    --
    It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
  5. Adgenda indeed by oztiks · · Score: 3, Insightful

    This type of this stuff happened upon the realese of XP, everyone thought it was secure and i remember geeks and business people alike preaching how great and secure XP is and how there arnet any problems. A year later the problems a rose, now its time for everyone to go out an by Vista so lets peddle how we as microsoft care about our users security to get them to by Vista, then we'll do what we did before... let it get out of control so when it comes to the next version after vista we can look like the heros again

    Why on earth would they want to secure an OS, if it gets too secure there is less of a reason for people to spend hundreds of dallors on the next version..

  6. I could have saved them a lot of trouble by Weaselmancer · · Score: 4, Insightful

    If they wanted to have their boxes 0wned, they don't have to hold a conference and invite a bunch of hackers over. I know a better way.

    Just plug the suckers straight into the net. And wait about three minutes. Done deal.

    --
    Weaselmancer
    rediculous.
    1. Re:I could have saved them a lot of trouble by I'm+Don+Giovanni · · Score: 2, Insightful

      Unfortunately (or fortunately), this wouldn't work with XP SP2. ;-)
      Recall the studies that appeared some months ago (around February, I believe) showing that XP SP2, Mac OSX, and Ubunto Linux all resisted being compromised over a two week period of being connected to the net. XP SP2 was attacked much more, but resisted the attacks. XP SP1 was also part of the study, and it got owned within 12 minutes. :p

      --
      -- "I never gave these stories much credence." - HAL 9000
  7. Can't Expect Improvements by putko · · Score: 2, Insightful

    You can't expect much in the way of security improvements at Microsoft -- MicroSoft does things to make money. If security costs money for them, or causes the support desks of their customers to take a lot of bullshit calls, they won't do it.

    Furthermore, if they were to start prioritizing security (or just plain old "quality") over the task of "making money", their shareholders would be very unhappy.

    I think the only thing that could cause them to take it seriously would be some sort of PC-aids: a worm that would linger, damaging business data and hardware -- such that customers would decide to finally junk Windows.

    This is very different from other businesses. E.g. if Paypal screws up their security, they will go out of business. So Paypal probably has some awesome security.

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
  8. Definition hacker? by azatht · · Score: 3, Insightful

    Isn't the definiton of a hacker not a cracker?

    --
    ------- In the end there are no begining
  9. Re:On the internet by smittyoneeach · · Score: 2, Insightful

    Aw, c'mon: I have seen exactly one BSOD on XP. I was actually impressed to have done something stupid enough with the hardware to make it happen. Come to think of it, that was pre-Nervous Pack #1: it's been solid ever since. On the rare occasions I boot it, that is.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  10. I guess that's good and all by RiotXIX · · Score: 2, Insightful

    But from the article I got the impression of 2 things:

    1. This is currently some sort of annual peepshow extravaganza: these ties should be kept all the time, pay them, it's important.

    2. More critically -
    they're proabably going to invest more on stuff like Digital Rights Management, because they're more wary of people hacking MS content. By that I mean they might see things like illegal tranfer of media as a bigger issue, because it affects their reputation/their content protection schemes/their standards. I hope it doesn't sideline what business company users are worried about (things that affect their company, like virii, trojans), and not Microsoft's business model/vision of more trivial things (like preventing media copying) - which is they've been investing a lot in recently. Home Windows != Business windows, or at least it shouldn't be.

    That was a dull post.

    --
    "You know you don't act like a scientist, you're more like a game show host." Dana Barret
  11. MS does something interesting by Anonymous Coward · · Score: 1, Insightful

    and /. has 60 comments of flamebait for every 3 decent comments. Grow up linux zealots.

  12. Re:PR Stunt. by Nevo · · Score: 2, Insightful

    You apparently haven't read up on Microsoft's Secure Development Lifecycle. Microsoft is now designing security into their products from the ground up. (http://msdn.microsoft.com/msdnmag/issues/05/11/SD L/default.aspx)

    Tell me... what are other software companies doing to improve their product security?

    Microsoft is leaps and bounds ahead of most software vendors when it comes to product security. Go ahead, flame away at Microsoft. I'll agree there have been some colossal security screwups in Microsoft products.

    At least they have a plan (and it's currently in place and working) to improve their product quality. What is your software vendor doing in that arena?

  13. Honeypots anybody? by betasam · · Score: 2, Insightful

    With so many security holes cropping up in the past, it would be more prudent for Microsoft to have a honeypot setup. This event (article) is closer to a marketing show (call in white hats, black hats, anybody) for a new release. Microsoft does have the resources to put up such a "Challenge" machine and try to keep it online by fixes, lure the real black hats to crack it. Fixing that would really help them work on their security (if they are truly concerned.) There are reports of independent Honeypot projects setup for assessing network security. It's high time Microsoft tried it at their expense for the benefit of their customers.

    --
    No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
  14. Re:Stupid by Tim+C · · Score: 5, Insightful

    When can we look forward to IE being moved to user space? Never?

    IE has never been anywhere but in user space. "Integrated into the OS" doesn't mean "runs in kernel space".

    When can we look forward to an O/S that doesn't have a re-ocurring fee every three years?

    Woah, thanks for letting me know - I'm well overdue on my payment!

    Seriously, what the hell is that supposed to mean? MS generally supports its OSes for about 10 years, which is a damn sight longer than any of the Linux distributions. It's also been longer than three years since XP was released. Finally, just because the OS is no longer supported doesn't mean that it spontaneously stops working. Sure, there are no more security patches for it, but you can still use it, if you feel you're sufficiently secure. A well-controlled PC or network behind a firewall used by savvy people is at almost no risk of being owned.

    Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?

    The same reason you have to agree to a licence to use the original software - because of the fiction that you need permission to install the software and load it into RAM, as that constitutes copying. In order to maintain the fiction, MS has to licence its patches, too. (In fact, I can't remember the last (commercial) patch that didn't require a licence click-through)

    For that matter, I installed some GPLed software yesterday (Squirrel SQL client) and it required me to agree to the LGPL on installation. MS aren't the only ones with crazy licence agreement requirements...

    --
    It's official. Most of you are morons.