Slashdot Mirror


Microsoft Consults Ethical Hackers at Blue Hat

linumax writes "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see. Blue Hat V2 was held on Thursday and Friday and teamed noted "white hat" hackers with Microsoft employees to break into and expose security weaknesses in the company's products. Over 1,000 Microsoft developers, managers and security experts attended, including Microsoft brass Jim Allchin and Kevin Johnson, co-presidents of the company's Platforms, Products & Services Division."

37 of 162 comments

  1. Good thing by Sinryc · · Score: 5, Insightful

    This is a good thing. It always is good to get someone to try and break your software; that way you know what you can do to fix it. Let's be honest here, Microsoft is number 1 in sales, so I hope they can make a better product, for the safety of everyone's computer.

    --
    Yay, I have a sig.
    1. Re:Good thing by SycoCowz · · Score: 3, Interesting

      A small invited group is hardly representative of the resources of the global hacker community. They should unleash the world on their software, à la OpenHack; that would be a better security test and/or learning experience.

    2. Re:Good thing by Anonymous Coward · · Score: 3, Funny

      This is a good thing. Finally someone with ethics on the Micro$oft campus.

    3. Re:Good thing by geekoid · · Score: 5, Insightful

      Except this way they can keep the vulnerabilities to themselves and fix them with less PR issues.

      Hiring outside security people to break a system is not uncommon.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:Good thing by Captain+Splendid · · Score: 3, Insightful

      A small invited group is hardly representative of the resources of the global hacker community. They should unleash the world on their software, à la OpenHack; that would be a better security test and/or learning experience.

      Well, yeah, but this is Microsoft, so let's be thankful for small mercies, eh? Baby steps, my friend, baby steps.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    5. Re:Good thing by rob_squared · · Score: 3, Funny

      In related news, 1000 marine snipers were invited to John Smith's community farm and challenged to hit the broad side of his barn.

      --
      I don't get it.
  2. I wonder... by CygnusXII · · Score: 4, Interesting

    I wonder how many items covered this year were rehashes of last year, and "we told ya so!"

    --
    My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
  3. On the internet by aussie_a · · Score: 4, Funny

    Every day is Blue Hack day.

    1. Re:On the internet by smittyoneeach · · Score: 2, Insightful

      Aw, c'mon: I have seen exactly one BSOD on XP. I was actually impressed to have done something stupid enough with the hardware to make it happen. Come to think of it, that was pre-Nervous Pack #1: it's been solid ever since. On the rare occasions I boot it, that is.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  4. It's about time... by bypedd · · Score: 4, Insightful

    Kaminsky and others have spent years sounding alarm bells about holes in the security defenses of Microsoft's software, including the Windows operating system and the Internet Explorer browser. As a sign of how times have changed, he and other presenters were treated to a lunch with retiring Windows chief Allchin and Johnson...

    A sign of changing times, indeed. It seems pretty clear that Microsoft has needed to buddy up more with the people who can break their software, because it's going to happen anyway; at least now they might have a head start. I can't really commend the decision to start now, though, as it seems to be both forced by the current politics and belated in that they should have had the foresight to do it earlier.

  5. Ethical Hackers.. White Hat Hackers.. by jkind · · Score: 3, Interesting

    Okay, I don't like either of these terms for hackers with morals.. Let's think of something new:

    -Deeks (decent geeks?)
    -Prerds (Principled Nerds?)
    -Fairackers (fair hackers?)

    Also remember that the term hacker is not always seen as negative in and of itself. From: http://www.smoothwall.net/support/glossary.html "A highly proficient computer programmer who seeks to gain unauthorised access to systems without malicious intent."

    --
    ~jennifer.k~
    1. Re:Ethical Hackers.. White Hat Hackers.. by neonstz · · Score: 5, Funny

      Whackers

  6. Yawn, nothing to see here -- move along... by merc · · Score: 3, Insightful

    I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities". Of course there are always proper ethical ways of dealing with the discovery of serious security flaws in software--that doesn't mean they have always had Microsoft's business or PR interests in mind.

    This is just a publicity stunt, a pretense that Microsoft is taking security research seriously.

    If I'm wrong, then it would be interesting to know what security vulnerabilities were "uncovered" at their event. Are they going to be disclosing the details of such flaws? What do you, as a security researcher, have to "sign away" to participate?

    --
    It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
    1. Re:Yawn, nothing to see here -- move along... by pookemon · · Score: 5, Funny

      I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities".

      Yes, the rest of the world would call them Testers.

      --
      dnuof eruc rof aixelsid
  7. Ethical? by frovingslosh · · Score: 3, Funny

    If they are ethical, why are they working with Microsoft?

    --
    I'm an American. I love this country and the freedoms that we used to have.
  8. Re:Is it me? -- Hacker Color Codes by Anonymous Coward · · Score: 5, Funny

    Black Hat = Cool Hackers, mostly under age 18, can not be prosecuted as an adult.
    Grey Hat = Hackers transitioning from Black to White.
    White Hat = A hacker over the age of 18, who rattles door knobs and probes security, but has stopped defacing websites.
    Blue Hat = WTF? Blue hats? Are these smurfs?
    Red Hats = Hackers with an RHCE, very, very dangerous.

  9. Agenda indeed by oztiks · · Score: 3, Insightful

    This type of stuff happened upon the release of XP: everyone thought it was secure, and I remember geeks and business people alike preaching how great and secure XP is and how there aren't any problems. A year later the problems arose; now it's time for everyone to go out and buy Vista, so let's peddle how we as Microsoft care about our users' security to get them to buy Vista, then we'll do what we did before... let it get out of control so when it comes to the next version after Vista we can look like the heroes again.

    Why on earth would they want to secure an OS? If it gets too secure there is less of a reason for people to spend hundreds of dollars on the next version..

  10. Marketing move? by elfguygmail.com · · Score: 4, Informative

    Why do I feel this is nothing more than a marketing move to show MS in a brighter light? After all, they are releasing a new Windows, Office, etc. next year...

  11. I could have saved them a lot of trouble by Weaselmancer · · Score: 4, Insightful

    If they wanted to have their boxes 0wned, they don't have to hold a conference and invite a bunch of hackers over. I know a better way.

    Just plug the suckers straight into the net. And wait about three minutes. Done deal.

    --
    Weaselmancer
    ridiculous.
    1. Re:I could have saved them a lot of trouble by I'm+Don+Giovanni · · Score: 2, Insightful

      Unfortunately (or fortunately), this wouldn't work with XP SP2. ;-)

      Recall the studies that appeared some months ago (around February, I believe) showing that XP SP2, Mac OS X, and Ubuntu Linux all resisted being compromised over a two-week period of being connected to the net. XP SP2 was attacked much more, but resisted the attacks. XP SP1 was also part of the study, and it got owned within 12 minutes. :p

      --
      -- "I never gave these stories much credence." - HAL 9000
    2. Re:I could have saved them a lot of trouble by oztiks · · Score: 2, Funny

      Anyone care to explain to me how you get spyware on a computer without browsing to 'not-so-decent-sites' or installing junk software from the Internet?

      install windows

    3. Re:I could have saved them a lot of trouble by waamaral · · Score: 2, Interesting

      Let's just say the last time I installed a plain Win2k (i.e. no SP) I got the Blaster worm 2 minutes after the first boot, and I hadn't even started ANY program, including IE (I was trying to prove to myself the point that user interaction wasn't needed to compromise your system).

      The Windows I have now is XP SP2, but I have not run into this, as I unplugged the network before installing, and only plugged it in again after I got a firewall installed.

      And, of course, any decent firewall will block this type of thing - that's precisely what the firewall is made for.

      --
      What, do I need a sig now?
  12. So what hat does this leave? by electrosoccertux · · Score: 4, Funny

    Microsoft is ok with "white hat" hackers, but when asked about the "Red Hat" crackers, Microsoft confirmed that these malicious coders only hurt Windows.

    Heh, yeah, that's the point of Linux.

  13. Can't Expect Improvements by putko · · Score: 2, Insightful

    You can't expect much in the way of security improvements at Microsoft -- Microsoft does things to make money. If security costs money for them, or causes the support desks of their customers to take a lot of bullshit calls, they won't do it.

    Furthermore, if they were to start prioritizing security (or just plain old "quality") over the task of "making money", their shareholders would be very unhappy.

    I think the only thing that could cause them to take it seriously would be some sort of PC-aids: a worm that would linger, damaging business data and hardware -- such that customers would decide to finally junk Windows.

    This is very different from other businesses. E.g. if Paypal screws up their security, they will go out of business. So Paypal probably has some awesome security.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
  14. PR Stunt. by miffo.swe · · Score: 3, Interesting

    Just like with Windows 2000 (the unbreakable), this is just a publicity stunt. Real security comes from good design, not slapping together crap and letting 1000 monkeys throw random bits at it.

    --
    HTTP/1.1 400
    1. Re:PR Stunt. by Nevo · · Score: 2, Insightful

      You apparently haven't read up on Microsoft's Secure Development Lifecycle. Microsoft is now designing security into their products from the ground up. (http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx)

      Tell me... what are other software companies doing to improve their product security?

      Microsoft is leaps and bounds ahead of most software vendors when it comes to product security. Go ahead, flame away at Microsoft. I'll agree there have been some colossal security screwups in Microsoft products.

      At least they have a plan (and it's currently in place and working) to improve their product quality. What is your software vendor doing in that arena?

  15. Definition hacker? by azatht · · Score: 3, Insightful

    Isn't the definition of a hacker not a cracker?

    --
    ------- In the end there are no beginnings
  16. Re:Is it me? -- Hacker Color Codes by vicgolgo13 · · Score: 5, Funny

    You forgot a few:

    Lavender Hat = A hacker afraid to come out of the closet.
    Rainbow Hat = He's a hacker and he's proud! 2 Snaps and an @ symbol!
    Yellow Hat = A White Hat hacker who's just been pissed on.
    Green Hat = A novice who is just learning how to hack. (also known as a n00b, FNG, Script-Kiddie).

  17. Related Story by Anonymous Coward · · Score: 2, Funny

    In related news, Playboy Inc. invited a small group of whackers to their office to check out next year's calendar girls.

    Afterwards everyone had lunch with Natalie Portman.

  18. Re:Is it me? -- Hacker Color Codes by joelleo · · Score: 5, Funny

    Red Hats = Hackers with an RHCE, very, very dangerous.

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\administrator>ifconfig
    'ifconfig' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Documents and Settings\administrator>man ifconfig
    'man' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Documents and Settings\administrator>cd /

    C:\Documents and Settings\administrator>grep /etc/passwd
    'grep' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Documents and Settings\administrator>man wtf
    'man' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Documents and Settings\administrator>GAHH!
    'GAHH!' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Documents and Settings\administrator>

    RHCE flings pen-filled pocket protector at the LCD panel of the Windows Server 2003 box's monitor

    yup, dangerous :)

    --
    "In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
  19. I guess that's good and all by RiotXIX · · Score: 2, Insightful

    But from the article I got the impression of 2 things:

    1. This is currently some sort of annual peepshow extravaganza: these ties should be kept all the time, pay them, it's important.

    2. More critically - they're probably going to invest more on stuff like Digital Rights Management, because they're more wary of people hacking MS content. By that I mean they might see things like illegal transfer of media as a bigger issue, because it affects their reputation/their content protection schemes/their standards. I hope it doesn't sideline what business company users are worried about (things that affect their company, like virii, trojans), in favour of Microsoft's business model/vision of more trivial things (like preventing media copying) - which is what they've been investing a lot in recently. Home Windows != Business Windows, or at least it shouldn't be.

    That was a dull post.

    --
    "You know you don't act like a scientist, you're more like a game show host." Dana Barret
  20. Re:Typical /. response by notasheep · · Score: 5, Insightful

    If you'd RTFA you'd understand that they were invited there to show techniques that hackers use so MS developers can have a better understanding of what to think about when they code. They weren't there to do a line-by-line security review.

    --
    Your mind looks a little cramped. Why don't you stretch it a little?
  21. So... by Liam+Slider · · Score: 2, Funny

    How many seconds into the conference did it take for them to get royally pwned?

  22. obligatory response by Viking+Coder · · Score: 3, Funny

    "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see."

    Admiral Ackbar sez...

    IT'S A TRAP!

    --
    Education is the silver bullet.
  23. Stupid by NullProg · · Score: 5, Interesting

    This does nothing towards Mom and Dad surfing the internet using IE. Getting owned is simple.

    XP/SP2 and 2003 Server are pretty much secure out of the box. When can we look forward to IE being moved to user space? Never? When can we look forward to an O/S that doesn't have a recurring fee every three years? Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?

    If it weren't for Quicken, Mom and Dad would be using SuSE by now.

    Enjoy,

    --
    It's just the normal noises in here.
    1. Re:Stupid by Tim+C · · Score: 5, Insightful

      When can we look forward to IE being moved to user space? Never?

      IE has never been anywhere but in user space. "Integrated into the OS" doesn't mean "runs in kernel space".

      When can we look forward to an O/S that doesn't have a recurring fee every three years?

      Whoa, thanks for letting me know - I'm well overdue on my payment!

      Seriously, what the hell is that supposed to mean? MS generally supports its OSes for about 10 years, which is a damn sight longer than any of the Linux distributions. It's also been longer than three years since XP was released. Finally, just because the OS is no longer supported doesn't mean that it spontaneously stops working. Sure, there are no more security patches for it, but you can still use it, if you feel you're sufficiently secure. A well-controlled PC or network behind a firewall used by savvy people is at almost no risk of being owned.

      Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?

      The same reason you have to agree to a licence to use the original software - because of the fiction that you need permission to install the software and load it into RAM, as that constitutes copying. In order to maintain the fiction, MS has to licence its patches, too. (In fact, I can't remember the last (commercial) patch that didn't require a licence click-through)

      For that matter, I installed some GPLed software yesterday (Squirrel SQL client) and it required me to agree to the LGPL on installation. MS aren't the only ones with crazy licence agreement requirements...

  24. Honeypots anybody? by betasam · · Score: 2, Insightful

    With so many security holes cropping up in the past, it would be more prudent for Microsoft to have a honeypot set up. This event (article) is closer to a marketing show (call in white hats, black hats, anybody) for a new release. Microsoft does have the resources to put up such a "Challenge" machine and try to keep it online with fixes, luring the real black hats to crack it. Fixing that would really help them work on their security (if they are truly concerned.) There are reports of independent honeypot projects set up for assessing network security. It's high time Microsoft tried it at their expense for the benefit of their customers.

    --
    No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)