Slashdot Mirror
Microsoft Consults Ethical Hackers at Blue Hat
linumax writes "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see.Blue Hat V2 was held on Thursday and Friday and teamed noted "white hat" hackers with Microsoft employees to break into and expose security weaknesses in the company's products. Over 1,000 Microsoft developers, managers and security experts attended, including Microsoft brass Jim Allchin and Kevin Johnson, co-presidents of the company's Platforms, Products & Services Division."
This is a good thing. It always is good to get someone to try and break your software, that way you know what you can do to fix it. Lets be honest here, Microsoft is number 1 in sales, so I hope they can make a better product, for the saftey of everyones computer.
Yay, I have a sig.
I wonder how many items covered this year, were rehashes of last year, and "we told ya so!"
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
Every day is Blue Hack day.
A sign of changing times, indeed. It seems pretty clear that Microsoft has needed to buddy up more with the people who can break their software, because it's going to happen anyways, at least now they might have a head start. I can't really commend the decision to start now, though, as it seems to be both forced by the current politics and belated in that they should have had the foresight to do it earlier.
this segregation cannot continue!!!!!
Okay I don't like either of these terms for hackers with morals.. Lets think of something new:
-Deeks (decent geeks?)
-Prerds (Principled Nerds?)
-Fairackers (fair hackers?)
Also remember that the term hacker is not always seen as negative in of itself: From: http://www.smoothwall.net/support/glossary.html "A highly proficient computer programmer who seeks to gain unauthorised access to systems without malicious intent."
~jennifer.k~
I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities". Of course there are always proper ethical ways of dealing with the discovery of serious security flaws in software--that doesn't mean they have always had Microsoft's business or PR interests in mind.
This is just a publicity stunt, a pretense that Microsoft is taking security research seriously.
If I'm wrong, then it would be interesting to know what security vulnerabilities were "uncovered" at their event. Are they going to be disclosing the details of such flaws? What do you, as a security researcher, have to "sign away" to participate?
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
If they are ethical, why are they working with Microsoft?
I'm an American. I love this country and the freedoms that we used to have.
Black Hat = Cool Hackers, mostly under age 18, can not be prosecuted as an adult.
Grey Hat = Hackers transitioning from Black to White.
White Hat = A hacker over the age of 18, who rattles door knobs and probes security, but has stopped defacing websites.
Blue Hat = WTF? Blue hats? Are these smurfs?
Red Hats = Hackers with an RHCE, very, very dangerous.
This type of this stuff happened upon the realese of XP, everyone thought it was secure and i remember geeks and business people alike preaching how great and secure XP is and how there arnet any problems. A year later the problems a rose, now its time for everyone to go out an by Vista so lets peddle how we as microsoft care about our users security to get them to by Vista, then we'll do what we did before... let it get out of control so when it comes to the next version after vista we can look like the heros again
Why on earth would they want to secure an OS, if it gets too secure there is less of a reason for people to spend hundreds of dallors on the next version..
What did they find, hmmmm?
Coderz 4 Life
belly chuckles.
How we know is more important than what we know.
Why do I feel this is nothing more than a marketting move to show MS in a brighter light. After all, they are releasing a new Windows, Office, etc next year...
If they wanted to have their boxes 0wned, they don't have to hold a conference and invite a bunch of hackers over. I know a better way.
Just plug the suckers straight into the net. And wait about three minutes. Done deal.
Weaselmancer
rediculous.
ummmmm ... DUH!!!!!
No, I don't think so. They are playing catch up no matter what they do. We all know that there have been cases of exploits that have been found, use, and not reported.
At least they seem to be responding to pressure to do someting proactive about it now.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Microsoft is ok with "white hat" hackers, but when asked about the "Red Hat" crackers, Microsoft confirmed that these malicious coders only hurt Windows.
Heh, yeah, thats the point of Linux.
You can't expect much in the way of security improvements at Microsoft -- MicroSoft does things to make money. If security costs money for them, or causes the support desks of their customers to take a lot of bullshit calls, they won't do it.
Furthermore, if they were to start prioritizing security (or just plain old "quality") over the task of "making money", their shareholders would be very unhappy.
I think the only thing that could cause them to take it seriously would be some sort of PC-aids: a worm that would linger, damaging business data and hardware -- such that customers would decide to finally junk Windows.
This is very different from other businesses. E.g. if Paypal screws up their security, they will go out of business. So Paypal probably has some awesome security.
http://www.thebricktestament.com/the_law/when_to_
Just like with Windows 2000 (the unbreakable) this is just a publicity stunt. Real security comes from good design, not slap together crap and let 1000 monkeys throw random bits at it.
HTTP/1.1 400
Isn't the definiton of a hacker not a cracker?
------- In the end there are no begining
Black Hat = Cool Hackers, mostly under age 18, can not be prosecuted as an adult.
Grey Hat = Hackers transitioning from Black to White.
White Hat = A hacker over the age of 18, who rattles door knobs and probes security, but has stopped defacing websites.
Blue Hat = WTF? Blue hats? Are these smurfs?
Red Hats = Hackers with an RHCE, very, very dangerous.
You forgot brown hats = hackers with their heads up their asses.....
Lavender Hat = A hacker afraid to come out of the closet.
Rainbow Hat = He's a hacker and he's proud! 2 Snaps and an @ symbol!
Yellow Hat = A White Hat hacker who's just been pissed on.
Green Hat = A novice who is just learning how to hack. (also known as a n00b, FNG, Script-Kiddie).
In related news, Playboy Inc. invited a small group of whackers to their office to check out next year's calendar girls.
Afterwards everyone had lunch with Natalie Portman.
They are aiding Microsoft, the Great Darkness which is called Abomination, Destroyer of the Earth, the Gates of Hell.
Collaboration with the followers of Mammon results in eternal damnation!
Remember folks, slashdot doesn't have a -1 "disagree" moderation!
RHCE flings pen-filled pocket protector at the lcd panel of the Windows Server 2003 box' monitor
yup, dangerous :)
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
But from the article I got the impression of 2 things:
1. This is currently some sort of annual peepshow extravaganza: these ties should be kept all the time, pay them, it's important.
2. More critically -
they're proabably going to invest more on stuff like Digital Rights Management, because they're more wary of people hacking MS content. By that I mean they might see things like illegal tranfer of media as a bigger issue, because it affects their reputation/their content protection schemes/their standards. I hope it doesn't sideline what business company users are worried about (things that affect their company, like virii, trojans), and not Microsoft's business model/vision of more trivial things (like preventing media copying) - which is they've been investing a lot in recently. Home Windows != Business windows, or at least it shouldn't be.
That was a dull post.
"You know you don't act like a scientist, you're more like a game show host." Dana Barret
Apparently Microsoft has become more internationally-oriented since the EU lawsuits, and decided to allow UN peacekeeping forces to test their software.
English is easier said than done.
If you'd RTFA you'd understand that they were invited there to show techniques that hackers use so MS developers can have a better understanding of what to think about when they code. They weren't there to do a line-by-line security review.
Your mind looks a little cramped. Why don't you stretch it a little?
That's freakin' hilarious! Mod funny!
Your mind looks a little cramped. Why don't you stretch it a little?
and /. has 60 comments of flamebait for every 3 decent comments.
Grow up linux zealots.
How many seconds into the conference did it take for them to get royally pwned?
"For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see."
Admiral Ackbar sez...
IT'S A TRAP!
Education is the silver bullet.
So what your saying is, they've nearly completed an operating system which is now past beta stage and is almost ready to be shipped and sold in stores around the world and will be used by millions if not billions of people. Now all of sudden they've decided to sit down and think about how they should of coded it ...
... *rolls eyes*
..
Right, perfectly logical
What is it with people looking at these dumb ass articals and thinking this blatently stupid behaviour is actually positive it really does amazes me
This does nothing towards Mom and Dad surfing the internet using IE. Getting owned is simple.
XP/SP2 and 2003 Server are pretty much secure out of the box. When can we look forward to
IE being moved to user space? Never? When can we look forward to an O/S that doesn't have a re-ocurring fee every three years? Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?
If it weren't for Quicken, Mom and Dad would be using SuSE by now.
Enjoy,
It's just the normal noises in here.
So blue hats are hackers that actually admire Microsoft? Am I the only one who sees a contradictory here? Not a single architect appreciates a building that is built built from the top-down. Just like no true hacker appreciates M$ or their design and data structures. Adults are to good for "hats" or anything material of the sort anyways.
With so many security holes cropping up in the past, it would be more prudent for Microsoft to have a honeypot setup. This event (article) is closer to a marketing show (call in white hats, black hats, anybody) for a new release. Microsoft does have the resources to put up such a "Challenge" machine and try to keep it online by fixes, lure the real black hats to crack it. Fixing that would really help them work on their security (if they are truly concerned.) There are reports of independent Honeypot projects setup for assessing network security. It's high time Microsoft tried it at their expense for the benefit of their customers.
No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
I thought Smurfs have white hats. Except for Papa Smurf, who wears a red hat. Too bad it isn't a fedora.
No one cares what your captcha was
Houston TX, USA
Not blue hats.
Hackers? Or Feature Finders?
You're an idiot, you think this is the first they've thought of security?
Well it was blue hat v2 so i guess it would be the 2nd time they've thought about it.XP SP2 has yet to have any worms, so obviously they've been thinking about security for a while. What amazes me is how people make opinions without the facts.
We'll see, a large percentage of this type of stuff stays private amoungst hackers and crackers, when it become public is the real issue. But i guess you would no nothing about that. Throw down the gauntlet and challengers will appear.. never under estimate the hacking community, that was microsofts 1st mistake.
No, no, you have to go to the authoritative source to understand the colors:
Black = Destructive, mostly damage-causing.
White = Healing and protective.
Red = A combination of Black and White.
Blue = Learns from watching others.
Blue would also be known as a "Script Kiddie". It's appropriate that Microsoft is focusing on Blue Hats.
Brian "Psychochild" Green
MMO developer's blog
They've been focusing on security for a while now, why make comments when you're totalling ignorant?
In the scheme of things, No they havent thats why we have big big companies called symantech and NAI and TrendMicro because they had a plenty big gap to make lots and lots of money out of the fact windows has ignored security for such a long time.. Thank you next please.
Obviously they're learning from the OSS movement, which is good.
Will they still make money... of course. This doubles as a great PR stunt.
when you are drive a bus and got hit by a falling brick, you'll think gee, we need a tank. Ok, put an armour here, put an armour there, voila, we have a tank. And that's the tank running on almost every desktop.
A strange analogy but a correct one, for windows anyway. For myself secuirty has always been a customised 'thing' ive always done myself to ensure my home pc or the servers that i run a safe from harm, doesnt mean they cannot be broken into but they stand a good chance from 99.9% of the things that are out there that could possibly cause problems and provided i keep them regulararly patched i feel safe knowing that its going to be tough for anyone to get in. Now not to blow my own horn and rant on about how long ive been doing this and how long ive been doing that, i do have experience with pcs a good solid decade mind you and during that expeirence linux security is something that has been evolving during the time ive been using pcs, ive seen it by watching such sites as bugtraq, neworder, packetstorm, phrack... the list is endless and what do all these places have in common? continuous evolution of bugs and information of secruity flaws, linux has had PLENTY of them and as result it has founded a strong base for security during this time. On these sites windows is looked at as a bit of a haha JOKE because its behind the rest of these multiuser os' in this evolution process. Read the last issue of phrack PERFECT example, there is a chapter about smashing windows stack to get into the system whereas in linux there is an artical about tricking the stack protection patches to then smash the stack/heap. Some silly little conference inviting a bunch of geeks who subscribe to bugtraq and perhaps write these articals for phrack, a) they wont tell ms the real nasty tricks b) its a much bigger issue then a conference once a year. Yes im ignorant, sure whatever, i suggest the silly little wise asses who go "your ignornat, your an idiot" should go and learn something about secruity before commenting about how its wonderful that microsoft decided to devote a WHOLE DAY into learning about secuirty from the very people who are most likley on the other end causing the problems for them ....
Yep, good measure of cluelessness out and about these days ...
...putting a division of M1A2s up against the Brink's Armored Car man. But you're still apt. Apt!
Facts do not cease to exist because they are ignored. - Aldous Huxley
If you'd RTFA you'd understand that they were invited there to show techniques that hackers use so MS developers
So like most Microsoft events it is staged. This is why other events like Black Hat are far more credible... inviting anyone who wants to sign up. Demonstration of DMA with USB is old news, Microsoft developers knew it was a problems many years ago and it still remains a problem. In fact they participated in it's design.
The questions I have are
1. Why don't they hire these guys to play around and do this all of the time?
2. If they have people finding holes for them, why are there still holes?
"Blue Hat" is just a cute name for an internal training/conference at Microsoft. Very few of us from the "Community" (Which seems to be the polite way to say "hacker") were invited, and most of them (not myself) are speakers. Outside of "community" members, it is only MSFT staff there. So, no one really thinks of themselves as "Blue Hats" (or at least, god I hope not!).
______
Once: you're a philosopher. Twice: a pervert.
CRACKERS, dammit! The hacker community is getting mighty pissed at being brought down to their level!
Now, where'd I put those security codes...
Goten Xiao