Slashdot Mirror


Microsoft to Publish Blue Hat Findings

An anonymous reader wrote to mention an InfoWorld article about Microsoft's plan to publish some of the findings from last week's Blue Hat conference. From the article: "'Everything was fair game,' wrote SQL Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.' The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus." They have descriptions of some of the sessions up on the site for your perusal.

154 comments

  1. Blank passwords by dedazo · · Score: 5, Insightful

    I'm sure the executives started the whipping sessions with the person responsible for allowing SQL Server to function happily with a blank 'sa' password.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    1. Re:Blank passwords by AKAImBatman · · Score: 5, Funny

      Are you kidding me? That's Microsoft "innovation" at it's finest! Customers always complain to Microsoft that they can't remember their password. So Microsoft created an innovative new way to remember your password: Don't use one!

      Only Microsoft can bring you incredible innovation like this.

    2. Re:Blank passwords by absinthminded64 · · Score: 1

      Those vending machines that sell green paper were not working very well that day!

      Stranded and hungry, stuck in own little xp_cmdsHELL

    3. Re:Blank passwords by dedazo · · Score: 2, Insightful
      Only Microsoft can bring you incredible innovation like this.

      I enjoy a good Microsoft bash (oh lololo m$ nevar innovates!!1!) but your comment tells me you have probably no idea how commercial software works.

      I think the blank password "feature" is supremely stupid, and yes, it was probably there because one of their big clients asked for it. A lot of functionality in Microsoft products comes from big business feedback and most of the time it's appropriate because enterprise clients are the ones that really put the products through their paces. But it's not there because someone at Microsoft is stupid or because of "innovation" (or the lack thereof).

      You pays your money and you take your chances. In this case it came back to bite them, like most "security relaxation features" their products tend to be afflicted with. As much as the "Microsoft is just stupid" line gets play, things are usually a bit more complicated than that.

      The key is that it's an option that you (as the DB admin) can choose to turn off. The MySQL root account will also run with a blank password when you first install it from, say, Synaptic. It's up to you to tighten it down.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    4. Re:Blank passwords by AKAImBatman · · Score: 4, Interesting

      I enjoy a good Microsoft bash (oh lololo m$ nevar innovates!!1!)

      Good to know.

      but your comment tells me you have probably no idea how commercial software works.

      I'm not quite sure how this statement follows from your first. Do you like a joke or not? Maybe, just maybe, I was only joking?

      The key is that it's an option that you (as the DB admin) can choose to turn off. The MySQL root account will also run with a blank password when you first install it from, say, Synaptic. It's up to you to tighten it down.

      The reason why the root/sa passwords start blank is so you can configure the server immediately after installation. Using a default username/password of some sort (à la Oracle) wouldn't change the security situation to any appreciable degree, and only serves to force the DB administrator to look up the default every time he does an installation. (Which is likely to be rare enough to prevent him from memorizing it.)

      Yeash. Way to spoil a joke.

    5. Re:Blank passwords by Anonymous Coward · · Score: 0

      And using the contraction for "it is" when you wanted the possessive "its" is AKAImBatman "innovation" at its finest!

    6. Re:Blank passwords by Anonymous Coward · · Score: 0

      I think the blank password "feature" is supremely stupid, and yes, it was probably there because one of their big clients asked for it. A lot of functionality in Microsoft products comes from big business feedback and most of the time it's appropriate because enterprise clients are the ones that really put the products through their paces. But it's not there because someone at Microsoft is stupid... [emphasis mine]

      Doing something stupid is not stupid? Stupid is as stupid does.

    7. Re:Blank passwords by Anonymous Coward · · Score: 1, Funny

      We'll, thats you're opinion. The rest of Slashdot probably has they're own opinion's on what your saying. Many of them probably think you're statement is rediculous. It's too bad you ain't agreeing with them.

    8. Re:Blank passwords by __michikal · · Score: 1

      Don't like it, don't cry about it.

    9. Re:Blank passwords by plague3106 · · Score: 1

      It's also worth noting that this isn't even an option anymore in SQL Server 2005.

    10. Re:Blank passwords by Heembo · · Score: 1

      If you deploy a database directly on the internet or in an area of your LAN where folks can easily attempt to log into it, you deserve to be breached. Most smart app/network designers will place their database(s) behind layers of firewalls so only the application servers in question have access. In this situation, having a blank system admin password (although stupid) is not so much a risk - only your production deployment crew should even HAVE access - it's called defense in depth.

      --
      Horns are really just a broken halo.
    11. Re:Blank passwords by ednopantz · · Score: 4, Funny

      yeah, it's not like any other database product ships with a weak password you are supposed to change.

      -Scott Tiger

    12. Re:Blank passwords by Anonymous Coward · · Score: 0

      The reason why the root/sa passwords start blank is so you can configure the server immediately after installation.

      Last time I installed Windows, it made me set an administrator password as part of the installation process. The same thing happened last time I installed Linux. In neither case did it simply install with a blank password and expect me to configure anything after installation.

      Is there any reason why this would be more difficult for a database than for an operating system?

    13. Re:Blank passwords by Anonymous Coward · · Score: 0

      Fuxing brilliant.... You must have your Security+

    14. Re:Blank passwords by JasonKChapman · · Score: 1
      it's called defense in depth.

      "Defense in depth" does not mean that because you live in a gated community you can leave your front door unlocked. It means you lock your front door and you live in a gated community.

      Substituting one layer for another does absolutely nothing to increase the depth of your security.

      --
      Sorry, I'm a writer. That makes you raw material.
    15. Re:Blank passwords by Heembo · · Score: 1

      I agree with you 100%. What I was trying to say was, if you live in a gated community, and you have a private gate around your house, and then another private gate around your safe-room, and then another gate around your desk and someone breaks into your safe that is in your desk, then I ask, how the hell did that happen?

      But in general, leaving your su password blank is stupid beyond words so I should have shut my mouth at the start of this thread! look out! :)

      --
      Horns are really just a broken halo.
    16. Re:Blank passwords by Heembo · · Score: 1

      No, I already ate my words, that was far from fuxing brilliant. I'm going back to coding where I belong! :)

      --
      Horns are really just a broken halo.
    17. Re:Blank passwords by Paradise+Pete · · Score: 1
      I think the blank password "feature" is supremely stupid, and yes, it was probably there because one of their big clients asked for it.

      It's left over from when they bought it from Sybase. They never changed it. Intentionally, I presume.

    18. Re:Blank passwords by Paradise+Pete · · Score: 1
      It's too bad you ain't agreeing with them.

      Shirley, you meant to write "to" there.

    19. Re:Blank passwords by soulhuntre · · Score: 1

      It's also worth noting that this isn't even an option anymore in SQL Server 2005.

      No one cares. Hell, they still make BSOD jokes on this site. The trick to hating MS seems to be never recognize an improvement and always remember a mistake.

      --
      --> Fight tyranny and repression.... read /. at -1!
    20. Re:Blank passwords by GodBlessTexas · · Score: 2, Interesting

      If Microsoft is so serious about security, could they please start by bringing their logging out of the dark ages and to what has been available on UNIX for some time. A UNIX system will log the difference between a bad username and a username with a bad password to the auth.error or auth.info facility, even if it delivers the same generic "Bad username or password" message to the user trying to log in. That's the information Windows actually logs, which makes realtime security monitoring a joke if you're looking to determine if someone is grinding through usernames or actually trying to brute force a password for a single account with a realtime security solution.

      It would also be nice if MS SQL server actually logged the remote IP/hostname of failed SQL sessions for SQL standalone authentication. When some user tries to violate policy by attempting to log in as the Admin user in the DB and then fails, I can't go correct the problem. It makes auditing access impossible if shared accounts are used (they shouldn't, but it still happens, even when people should know better).

      --
      Remember the Alamo, and God Bless Texas...
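The distinction GodBlessTexas is asking for, as an added example that is not part of the original thread: a few constructed OpenSSH/syslog-style lines (no real host or addresses) run through detection logic that keeps the "invalid user" versus "valid user, bad password" difference, and next to it the collapsed per-source count that is all you get when the log only records a generic failure. The log format, the hostname, the addresses and the threshold of three are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an OpenSSH/syslog style; not taken from any real system.
# The first source tries four different non-existent accounts (username grinding),
# the second hammers one real account (password guessing), the third is a user who
# mistyped once and then logged in.
SAMPLE_LOG = """\
Mar  9 10:01:02 db1 sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 50100 ssh2
Mar  9 10:01:03 db1 sshd[4011]: Failed password for invalid user oracle from 192.0.2.10 port 50101 ssh2
Mar  9 10:01:04 db1 sshd[4011]: Failed password for invalid user test from 192.0.2.10 port 50102 ssh2
Mar  9 10:01:05 db1 sshd[4011]: Failed password for invalid user guest from 192.0.2.10 port 50103 ssh2
Mar  9 10:02:10 db1 sshd[4020]: Failed password for dba from 198.51.100.7 port 41000 ssh2
Mar  9 10:02:11 db1 sshd[4020]: Failed password for dba from 198.51.100.7 port 41001 ssh2
Mar  9 10:02:12 db1 sshd[4020]: Failed password for dba from 198.51.100.7 port 41002 ssh2
Mar  9 10:02:13 db1 sshd[4020]: Failed password for dba from 198.51.100.7 port 41003 ssh2
Mar  9 10:03:00 db1 sshd[4030]: Failed password for alice from 203.0.113.5 port 39000 ssh2
Mar  9 10:03:05 db1 sshd[4030]: Accepted password for alice from 203.0.113.5 port 39000 ssh2
"""

# "invalid user" is only present when the account does not exist; its absence means
# the account exists and the password was wrong. That one token is the whole point.
FAILURE_RE = re.compile(
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(text):
    """Return one record per failed login, preserving the valid/invalid-user distinction."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            events.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "valid_user": m.group("invalid") is None,
            })
    return events


def failures_per_source(events):
    """The generic view: a bare count of failures per source, with no account detail.

    With only this, the username-grinding source and the single-account
    password-guessing source look identical (four failures each)."""
    return dict(Counter(e["ip"] for e in events))


def classify_sources(events, threshold=3):
    """Label each source by what the detailed log reveals about its behaviour."""
    invalid_users = defaultdict(set)          # ip -> distinct non-existent accounts tried
    valid_user_failures = defaultdict(Counter)  # ip -> {existing account: failure count}
    for e in events:
        if e["valid_user"]:
            valid_user_failures[e["ip"]][e["user"]] += 1
        else:
            invalid_users[e["ip"]].add(e["user"])

    verdicts = {}
    for ip in sorted({e["ip"] for e in events}):
        if len(invalid_users[ip]) >= threshold:
            verdicts[ip] = "username enumeration"
        elif valid_user_failures[ip] and max(valid_user_failures[ip].values()) >= threshold:
            verdicts[ip] = "single-account password guessing"
        else:
            verdicts[ip] = "isolated failure"
    return verdicts


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("generic counts only:", failures_per_source(evts))
    print("with account detail:", classify_sources(evts))
```

The generic count assigns the same number to the two hostile sources, so an alerting rule built on it can only say "many failures"; the detailed records separate the source that is probing for account names from the one that has already settled on a valid account, which is the difference that decides whether you rotate one credential or look for a leaked user list.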
    21. Re:Blank passwords by rtb61 · · Score: 1
      Well that is an interesting idea. As a customer if I get ripped off, lied to and insulted, I should forget it and just go back to the supplier because they say they won't do it any more. Not that admittedly, I was silly enough to believe this supplier in the past, the forgiving fool that I was, but gee, give me a break, after the fifth or sixth time, do you seriously expect me to keep forgiving and spending more money with B$=M$ (I don't have to tell you what that stands for, you can decipher the symbolism because you know patterns of sociopathic behaviour of that company and its management)

      A mistake, a mistake, you surely jest when you say "a mistake", I have seen their software with bugs (mistakes in computer jargon) listed in the tens of thousands for just one version of one program, not even the complete line up over the last decade, give me a break, we are talking hundreds of thousands of mistakes ;-). And when it comes to telling porky pies, is it one lie when you tell it to millions of people or is it millions of lies.

      --
      Chaos - everything, everywhere, everywhen
    22. Re:Blank passwords by DerWulf · · Score: 1

      What did they tell you that was a lie? How did they insult you? How have you been ripped off?

      --
      No power in the 'verse can stop me
    23. Re:Blank passwords by Anonymous Coward · · Score: 0

      It doesn't seem to be more difficult for a database. When I installed an Oracle DB server the other day it asked for a password for the sys and system accounts as part of the install.

    24. Re:Blank passwords by DrSkwid · · Score: 1

      Grown-ups have a saying: "Secure by default"

      > It's up to you to tighten it down.

      Thanks, that's a real help.

      Even with the knowledge of the damage that caused, you are still in favour of that design philosophy; you're hired!

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    25. Re:Blank passwords by bogado · · Score: 1

      Maybe there should be some kind of restriction in the server while in this passwordless state. If the server refused to create a new database while the password is not set, there would be no problem, for instance.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    26. Re:Blank passwords by dedazo · · Score: 1

      Heh, I love how you get modded up like that. Simply amazing.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    27. Re:Blank passwords by plague3106 · · Score: 1

      As a customer if I get ripped off, lied to and insulted

      What exactly were you lied to about? When did they insult you? If you feel ripped off, that's certainly your right. Did someone break into your sql server because you left the sa password blank? Sorry, but even a retarded db admin should know to put a password in for the sa account.

      Not that admittedly, I was silly enough to believe this supplier in the past, the forgiving fool that I was, but gee, give me a break, after the fifth or sixth time, do you seriously expect me to keep forgiving and spending more money

      Perhaps you should evaluate their products. I wouldn't buy anything just based on what the company said about it. I'd evaluate it first. Obviously though you just let your emotions run your life, or you would know that WinXP SP 2 is a pretty secure OS, Win2k3 DOES install with a minimal surface area to attack (indeed, IIS by default disables ASP, ASP.Net, CGI, Server side includes and all other extensions it comes with). SQL Server 2005 actually DOES include a lot of good changes security-wise (disallowing a blank sa password is just a small one).

      Blame MS if you want, but people chose their software for a reason, and for a while, they demanded ease of use over security. Now they are demanding security, and MS is moving toward that goal.

      A mistake, a mistake, you surely jest when you say "a mistake", I have seen their software with bugs (mistakes in computer jargon) listed in the tens of thousands for just one version of one program, not even the complete line up over the last decade, give me a break, we are talking hundreds of thousands of mistakes ;-).

      Which products are you referring to? Add up all versions of linux, bsd, etc and I'm sure the list gets quite long as well.

    28. Re:Blank passwords by AnObfuscator · · Score: 1
      The reason why the root/sa passwords start blank is so you can configure the server immediately after installation. Using a default username/password of some sort (à la Oracle) wouldn't change the security situation to any appreciable degree, and only serves to force the DB administrator to look up the default every time he does an installation. (Which is likely to be rare enough to prevent him from memorizing it.)

      Here's an interesting anecdote regarding this... A friend of mine is an IT manager for a multi-million dollar corporation, which shall remain nameless for obvious reasons.

      Shortly after taking this position, he discovered that the root/sa password for their MS SQL Server database was BLANK. Understandably, he was incensed, and called up his predecessor. This fellow then informed my friend that a rather critical, extremely expensive, supposedly "enterprise" software module deployed by *his* predecessor expected and REQUIRED a blank sa password to operate -- and the company responsible had not bothered to write a fix.

      While this is not Microsoft's fault, I do think "enterprise" database products *should* require, upon setup, the creation of a non-blank password, instead of some sort of "default" password to be changed... sometime.

      --
      multifariam.net -- yet another nerd blog
  2. Could it be...? by filesiteguy · · Score: 3, Interesting

    Could MS actually be taking security seriously?

    Naaahh...

    I'm sure this was a very interesting conference - nice to see names like Johnny Long there ( Google Hacking for Penetration Testers ) http://books.slashdot.org/article.pl?sid=05/04/11/1750217&from=rss and other notables. I'm curious if MS will ever really look at what it is that causes so much to go wrong with their departmental OS.

    All the same, I'm sure the findings will be taken back, discussed among those who know and forgotten or buried by marketing executives.

    1. Re:Could it be...? by Savage-Rabbit · · Score: 1, Flamebait

      Could MS actually be taking security seriously?

      Naaahh...


      I think Microsoft takes anything seriously that they can make money off, especially if it involves charging you for protection against the results of Microsoft's own cockups.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    2. Re:Could it be...? by tpgp · · Score: 3, Interesting

      Could MS actually be taking security seriously?

      Yes - yes they are.

      You see - MS's customers are demanding it - and MS is trying to deliver - after all, their competition (mostly) is delivering. (See, this is why F/OSS is good for you even if you don't use it :)

      Anyway, I do think MS is making an attempt to take security seriously, but security needs are ultimately overshadowed by their marketing needs.

      Anyway, to bring things (mildly) back on topic, I'll repeat myself:

      Note to Microsoft

      We have more than enough hat colours as things stand.

      Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)

      --
      My pics.
    3. Re:Could it be...? by filesiteguy · · Score: 0, Redundant

      We have more than enough hat colours as things stand.
      Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)

      LOL!! Next thing you know they'll have a bunch of old ladies in a Red Hat conference...
      http://www.redhatsociety.com/

      ...my 64-year-old mother, who's a member, could attend. (Of course, she DOES use SuSE, so the Fedora-types might reject her.)

    4. Re:Could it be...? by Anonymous Coward · · Score: 0

      Great PR spin - and I'm sure the usual suspects (read NYT, Wash Post etc)
      will give M$ some oxygen.
      For the real picture look here: Security is not a PR problem

    5. Re:Could it be...? by ozmanjusri · · Score: 1
      Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)

      Yeah, a Microsoft hat should be blue with bright green trim.

      --
      "I've got more toys than Teruhisa Kitahara."
    6. Re:Could it be...? by fatphil · · Score: 1

      """
      Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.
      """

      i.e. All researchers will be gagged/censored.

      That's not taking security responsibly - that's marketing spin pretending to be addressing security.

      So basically it's the SOSO from M$, they've been spinning that yarn for nearly a decade.

      FP.

      --
      Also FatPhil on SoylentNews, id 863
  3. Description please? by Mindcry · · Score: 0

    Way to quote some random guy and talk about blue badges and go on for four sentences without giving any indication of what the conference is actually about.

    1. Re:Description please? by Anonymous Coward · · Score: 0
      Way to quote some random guy and talk about blue badges and go on for four sentences without giving any indication of what the conference is actually about.

      and yet, somehow the rest of us knew what the article was about.

    2. Re:Description please? by Tackhead · · Score: 4, Funny
      > Way to quote some random guy and talk about blue badges and go on for four sentences without giving any indication of what the conference is actually about.

      We could tell you, but we'd have to throw a chair at you.

      (It's really a conspiracy against Red Hat)
      /ducks chair
      //adjusts tinfoil hat.

    3. Re:Description please? by Anonymous Coward · · Score: 0

      In Soviet Russia tinfoil hat adjusts you!

  4. Anyone ask why SSL still doesn't do AES? by xxxJonBoyxxx · · Score: 1, Insightful

    Anyone ask why SSL still doesn't do AES? I mean it's 2006 and Microsoft is really the only vendor who DOESN'T do AES or 256-bit encryption in SSL. (I know, they said they'd put it in Vista, but that doesn't help the millions of Windows XP users or Windows 2003 administrators out there.)

    1. Re:Anyone ask why SSL still doesn't do AES? by SCHecklerX · · Score: 1

      And also 3des, which we require for managing our Nokias. Gives me a good excuse to run Firefox at work, when the director asks why I can't use our standard browser :)

    2. Re:Anyone ask why SSL still doesn't do AES? by Anonymous Coward · · Score: 1, Insightful
      IE doesn't do AES or 256-bit encryption in SSL because we were asked to hold off on that from a certain 3 lettered US government agency (hint: starts with N).
      That's all I'm going to say on the matter, back to lurking.

    3. Re:Anyone ask why SSL still doesn't do AES? by way0utwest · · Score: 2, Informative

      Can't speak for SSL, but SQL Server 2005 has AES, RC4 (128-bit), RSA, and Triple DES built in for its internal encryption possibilities.

    4. Re:Anyone ask why SSL still doesn't do AES? by Anonymous Coward · · Score: 0

      In the unlikely event this is true, there you have your irrefutable proof that Microsoft cannot be trusted with computer security - because they put other people's needs ahead of their own customers.

      Not exactly a startling revelation, but I suspect any real employee of MSFT who stated they deliberately kept stronger encryption out of their products due to government (or other) requests would be summarily executed.

  5. obligatory by endrue · · Score: 5, Funny

    The 'Blue' part comes from the color of screens that Microsoft staffers see on campus.

    Someone had to say it, folks!

    - Andrew

    --
    I meta-moderate because I care.
    1. Re:obligatory by pigs,3different1s · · Score: 0

      Wow, and I thought I was a cynic. Cynicism has a new king! Long live King endrue!!!

      --
      "Put your message in a modem, and throw it into the cyber-sea." - Rush
    2. Re:obligatory by EraserMouseMan · · Score: 0, Flamebait

      Yep, that along with the fact that every MS program, every employee, every line of code is infested with pure evil and 100% eaten up with lies and greed. So this group of "blue hats" are just undercover MS public-relations employees trying to make a believable report that attempts to brainwash everybody to think that MS really does care about security. Zealots are so entertaining!

  6. blue hat findings? by Anonymous Coward · · Score: 0

    "Well, we've learned that the hat is, in fact, blue."

  7. Putting an Axe to Innovation by Nuclear+Elephant · · Score: 5, Funny

    I want the people responsible for those features in my office early next week

    With quotes like that, it's no wonder Vista's long list of features has been dwindled down to a new Media Player and better video drivers.

    1. Re:Putting an Axe to Innovation by Anonymous Coward · · Score: 1

      >I want the people responsible for those features in my office early next week

      With quotes like that, it's no wonder Vista's long list of features has been dwindled down to a new Media Player and better video drivers.

      Ok, now I'm confused. I thought the current /. theory about delays and feature cancellations in Vista was that the development team were too busy dodging chairs to get any coding done?

    2. Re:Putting an Axe to Innovation by jandrese · · Score: 2, Insightful

      Frankly, I'd rather have only a new media player and better video drivers if it means not having yet more security holes in the base OS.

      The message shouldn't be: Don't implement new features. It should be: Think about security when implementing new features. Remember that attacks come from below your level of abstraction as well.

      --
      I read the internet for the articles.
    3. Re:Putting an Axe to Innovation by Nuclear+Elephant · · Score: 1

      Frankly, I'd rather have only a new media player and better video drivers if it means not having yet more security holes in the base OS.

      Sounds like you want a mac!

    4. Re:Putting an Axe to Innovation by ArsenneLupin · · Score: 3, Funny
      With quotes like that, it's no wonder Vista's long list of features has been dwindled down to a new Media Player and better video drivers.

      You mean, like video drivers that won't crash if you visit certain web sites?

    5. Re:Putting an Axe to Innovation by Anonymous Coward · · Score: 0

      All kidding aside, I think this is a ridiculous thing for a high-ranking executive at Microsoft to say. The entire company has been arguably slipshod on security for years, and to publicize the fact that some subset of poor slobs who are currently running divisions that have been broken for years (probably since before they came along) are going to get called onto the carpet is silliness. You can't fix it overnight, and to pretend that hollering about it WILL fix it is childish. And exactly what I'd expect from professional executives (as opposed to tech professionals, I mean). Blech - how many seamy underbellies does this company have?

    6. Re:Putting an Axe to Innovation by jandrese · · Score: 1

      But I already run BSD.

      --
      I read the internet for the articles.
  8. Black Hats or...? by Roadkills-R-Us · · Score: 3, Interesting

    And maybe they want to make sure when everyone thinks "$color hat" they *don't* think of "Red Hat".

    MS plays that sort of game a lot.

    1. Re:Black Hats or...? by endrue · · Score: 1

      I think you may be right. They should try to stand apart though, maybe through a whole new article of clothing. "Blue Shoe" has a nice ring to it.

      - Andrew

      --
      I meta-moderate because I care.
    2. Re:Black Hats or...? by drinkypoo · · Score: 2, Insightful

      Makes sense, but using blue is utterly wrong from a marketing standpoint, for two reasons. First, a lot of us still remember IBM as the "Blue Suit" company. Blue is their color. Even their logo is still blue. Second, blue is the color of your screen when you run Windows [into the ground]. Well, unless you run XP. Then it just reboots without showing you the [useless] blue screen. I wouldn't be surprised if people started just calling Windows "Blue Hat Linux", sort of a pun indicating both the fact that Windows has been following Linux (or Unix in general) for some time now, and the blue screen thing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Black Hats or...? by Chrispy1000000+the+2 · · Score: 1

      It's not hard to get a BSOD in XP, you just have to be persistent.

      --
      Sig
    4. Re:Black Hats or...? by Anonymous Coward · · Score: 0

      All you have to do is disable the automatic rebooting. XP defaults to rebooting when it BSODs (which is something I generally disable, 'cause if my computer dies I wanna know why, and a BSOD error is better than /nothing/ at all, at least you know it's not supposed to be 'normal' operation).

    5. Re:Black Hats or...? by nasch · · Score: 1

      Your computer reboots without being told to, and you're not sure if it's a normal operation?

    6. Re:Black Hats or...? by Anonymous Coward · · Score: 0

      Wrong!! IBM was a white shirt and Brown suit company in the day.

    7. Re:Black Hats or...? by Anonymous Coward · · Score: 0

      All you have to do is disable the automatic rebooting.

      Uh, and then you have to trigger a kernel error, too. Which is not quite so simple. I've seen such a thing maybe twice or three times in five years, and in every case the computer was pretty messed up. In the same space of time, I've seen two OS X kernel panics and one in Linux, so considering how frequently I actually use computers of each type, Windows is coming out as statistically more stable than the competition, in my meaningless-anecdotal-and-non-representative experience.

    8. Re:Black Hats or...? by Anonymous Coward · · Score: 0

      You won't go outside for fear of alien abduction will you? You scan every room you enter for bugs and you are absolutely positive that there is a wiretap on your telephone. Who are you?

      *WACKO CONSPIRACY THEORIST*
      Seriously, life will be much more enjoyable if you stop worrying about Microsoft trying to brainwash you into thinking blue hat instead of a red hat. It really sounds like a bad movie - "Enemy of the Gates" or something.

    9. Re:Black Hats or...? by Jesus_666 · · Score: 1

      You obviously have not used Windows XP before Creative released XP drivers. The Win2k drivers worked but tended to cause BSODs... Early Windows XP either ran without sound or with a mean time between crashes similar to that of Windows 98.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    10. Re:Black Hats or...? by fatphil · · Score: 1

      Rewind to the 80s.
          IBM = "Big Blue"
      3 syllables vs. 2 - everyone I know always used the short form.

      --
      Also FatPhil on SoylentNews, id 863
    11. Re:Black Hats or...? by drinkypoo · · Score: 1

      Well, I certainly have had blue screens in XP, but none since sp2. Just reboots :P

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Pretty optimistic, isn't he? by Weaselmancer · · Score: 3, Funny

    Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.'

    I'd be a little more worried if I was Brad. That feature your boss wants to know who's responsible for..what if it's 'Clippy'???

    --
    Weaselmancer
    rediculous.
    1. Re:Pretty optimistic, isn't he? by Anonymous Coward · · Score: 0

      We already KNOW that, it's old news. "Clippy" and the rest of his undead cohorts came from Microsoft "BOB". And "BOB" was the "brainchild" *snort* of Mrs. Bill Gates.

    2. Re:Pretty optimistic, isn't he? by Amouth · · Score: 1

      I know that if I was the one that was responsible for Clippy I sure as hell wouldn't sign my name at the top of that code...

      but it does make you wonder why the manager doesn't know who is responsible for the code

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    3. Re:Pretty optimistic, isn't he? by FireIron · · Score: 1

      I'd be a little more worried if I was Brad. That feature your boss wants to know who's responsible for..what if it's 'Clippy'???

      Worse...Brad cops to being responsible for the component in SQL Server exploited by the Slammer worm. It's not clear if he actually wrote the buffer code vulnerable to overrun, or he just owns fixing it now.

  10. F/OSS Replies by Quirk · · Score: 1
    "The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus."

    "Badges?"

    "We don't need no stink'n badges!"

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
    1. Re:F/OSS Replies by gardyloo · · Score: 3, Funny

      "Badges?"

      "We don't need no stink'n badges!"


      Badges, badges, badges, mushroom! mushroom! Snaaake!

    2. Re:F/OSS Replies by maelstrom · · Score: 0, Offtopic

      You suck.

      --
      The more you know, the less you understand.
    3. Re:F/OSS Replies by Anonymous Coward · · Score: 0

      You blow.

  11. Nobody Expects by gurutc · · Score: 5, Funny

    the Seattle Inquisition!!!

    --
    Moderation in All Things... Especially Moderation - gurutc
  12. Which is it? by $RANDOMLUSER · · Score: 3, Insightful
    > Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

    Does that mean domesticated or tame?

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Which is it? by Anonymous Coward · · Score: 0

      They've had their hacking genius neutered by M$

  13. Red Hat vs. Blue Hat by digitaldc · · Score: 5, Funny

    This is your last chance. After this, there is no turning back.
    You put on the blue hat - the story ends, you wake up in your bed and believe whatever you want to believe.
    You put on the red hat - you stay in Wonderland and I show you how deep the security-hole goes.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Red Hat vs. Blue Hat by Anonymous Coward · · Score: 0

      you are a god amongst men

    2. Re:Red Hat vs. Blue Hat by Anonymous Coward · · Score: 0

      The choice is obvious - take the tin foil hat!

    3. Re:Red Hat vs. Blue Hat by Anonymous Coward · · Score: 0

      Aight, let's take that further with a few more one-liners...

      You know what Windows is? It's a virus...

      No wonder they hate the Oracle.

      You're saying I can prevent BSODs? No, Neo, I'm saying when you run Linux, you wouldn't have to.

      Link would start with HTTP and Cypher will only speak in GnuPG

      Press Any Key To Get Out of The Matrix

      I see you're trying to break into the mainframe. Clippy is here to help!

      I know Script Fu

    4. Re:Red Hat vs. Blue Hat by kadathseeker · · Score: 1

      That's beautiful. I love it.

      --
      The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
  14. Senior executive? by Anonymous Coward · · Score: 0

    I want the people responsible for those features in my office early next week

    No problem, he's already sitting there.

  15. The People Responsible by gurutc · · Score: 5, Funny

    Now just how do they expect to get Steve Jobs in their office?

    --
    Moderation in All Things... Especially Moderation - gurutc
    1. Re:The People Responsible by kpat154 · · Score: 1, Insightful

      Perhaps you meant Merzouga Wilberts? People forget that Jobs just stole the idea from Xerox before Gates stole it from him.

    2. Re:The People Responsible by Drizzt+Do'Urden · · Score: 4, Informative

      They bought it from Xerox, but they were unhappy with the terms of the contract seeing what Apple did with it.

      This is why Apple won in court against Xerox. It is an urban legend that Apple stole it from Xerox.

    3. Re:The People Responsible by kpat154 · · Score: 4, Informative

      Well, not really. Apple gave Xerox stock in exchange for allowing the devs to see what was going on at Parc with the express understanding that Apple was attempting to create a UI. Xerox didn't expect Apple to completely rip off their work (which was stupid) and they later sued Apple for that fact. This is almost exactly what MS did to Apple.

      Also, Apple didn't win in court. When Apple sued MS for theft Xerox sued Apple for the same thing. Once Apple lost the suit against MS they simply settled out of court w/ Xerox.

    4. Re:The People Responsible by Drizzt+Do'Urden · · Score: 3, Insightful

      Well.. according to Wikipedia, it is false to say that Apple stole it from Xerox, because it extended a lot from the work done at Parc.

    5. Re:The People Responsible by kpat154 · · Score: 1

      Sigh... I did not mean that they literally donned black ski masks, snuck into Xerox PARC at night, and stole the idea. My previous post should have clarified this for you.

    6. Re:The People Responsible by Jesus_666 · · Score: 1

      Hire him, then fire him. After a while he will buy Microsoft for a negative amount of money.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    7. Re:The People Responsible by GaryPatterson · · Score: 1

      I've seen video footage of the machines in Xerox PARC, and while some concepts made it to Apple, there's little similarity between the two systems. Apple extended the GUI far beyond what Xerox created, actually making it usable.

      You stretch things too far by saying Apple completely ripped off Xerox's work.

    8. Re:The People Responsible by ancientt · · Score: 1
      I'm with you and even wrote a short note on it for a school project back in the day. (See it here.)

      In a nutshell, Apple did a lot of work and only then made money with something Xerox couldn't figure out how to make commercially viable. It would be more reasonable to say Xerox (PARC) inspired Apple.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
  16. Posturing by EmbeddedJanitor · · Score: 4, Interesting
    Yawn... Heard all of these "I'm going to fix that Monday morning" stuff before so many times from so many companies, and seen so little action.

    This is a pretty standard way for companies to handle lynch mobs of unhappy people: Put an exec up on a stage and have everyone yell their guts out and promise to investigate it thoroughly. This is not done just for software security, but just about everything.

    Undoubtedly one or two simple, yet highly visible, things (e.g. the password check) will be fixed to show that some action was taken.

    --
    Engineering is the art of compromise.
    1. Re:Posturing by segedunum · · Score: 1

      Agreed. That was the first thing I thought when I saw that "in my office on Monday morning" bollocks.

    2. Re:Posturing by Rimbo · · Score: 1

      It doesn't matter how much an exec huffs and puffs if the developers don't respect the priorities he sets for them.

    3. Re:Posturing by thetoastman · · Score: 1

      Ummm . . . an executive responsible for a product offering doesn't know (or can't find out) who is responsible for a product feature set?

      Is there any wonder why Microsoft has such a terrible product?

      I bet if they asked marketing who is responsible for a particular line in an advertisement, the answer would be almost instantly known.

      Microsoft - the greatest marketing company in the world.

    4. Re:Posturing by Anonymous Coward · · Score: 0

      Ummm . . . an executive responsible for a product offering doesn't know (or can't find out) who is responsible for a product feature set?

      Um, he said that he wants them in his office on Monday.... Sounds like he'll find out on Monday....

    5. Re:Posturing by biglig2 · · Score: 1

      What's more, why is he only finding out about this problem now?

      --
      ~~~~~ BigLig2? You mean there's another one of me?
  17. Hats went out in the 40's by Thud457 · · Score: 1

    whaddya tryin' to do, cover a bald spot?!!!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  18. With MS, Blue is secure! by EmbeddedJanitor · · Score: 0

    BSOD is the special secure mode for a Windows computer.

    --
    Engineering is the art of compromise.
  19. Re:Nobody Expects the Seattle Inquisition! by WillAffleckUW · · Score: 2, Funny

    our chief weapons are:

    Fear
    Torturous OS
    and a distinct desire for coffee, preferably espresso con lattee, although I'll settle for a mocha

    --
    -- Tigger warning: This post may contain tiggers! --
  20. Confusion cleared up here. by hey! · · Score: 5, Funny

    OK, now I'm confused. I thought the current /. theory about delays and feature cancellations in Vista was that the development team were too busy dodging chairs to get any coding done?

    OK, it's time to have mercy on you guys who haven't figured it out.

    There is no Microsoft.

    It's all a MMOG/interactive fiction thing where geeks pretend to be code monkeys in service to the evil empire. C'mon, the Gates was a bit subtle, I admit; you could almost believe he existed. But Ballmer should have clued you in. No real board would hire a guy like that unless they were running a side show and needed a "Wild Man of Borneo".

    The coolest part of the hack was when they started sending out boxes of their "product", complete with CDs and manuals (look closely -- a lot of it's just "ipsum lorem"). That was sheer brilliance. I picked one myself as a souvenir, I'm looking at the box up on my book shelf right now, it's very well done. Just the other day I had to keep my elderly father-in-law, who was an engineer back in the day and no dummy, from "borrowing" my copy. Boy would he have been surprised.

    Oh... God Gad.

    You didn't actually install any of that shit, did you?

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Confusion cleared up here. by Anonymous Coward · · Score: 0

      That was the most insightful thing I've read all week. Mad Props to you sir, and Mod this guy UP.

      (This was insightful, for the love of bits and bytes, not funny!)

  21. Re:Could it be...? or why Blue Hat is useless by WillAffleckUW · · Score: 1

    well, I think that there's nothing wrong with a Blue Hat conference, it can even be useful, but trying to pretend that Blue Hatters will be attacking one's weak points is as disastrous as attacking Iraq or Iran and not expecting an ever-changing homebrewed guerrilla warfare that adapts faster than one can plan.

    the reality is that the attackers will be Black Hats. Blue Hats may be useful, but they aren't the ones attacking you.

    --
    -- Tigger warning: This post may contain tiggers! --
  22. Re:Confusion cleared up here. (MOD PARENT UP) by ZachPruckowski · · Score: 1

    That was the funniest thing I've read all week. Mad Props to you sir, and Mod this guy UP

  23. Microsoft SSL already does do 3DES. by xxxJonBoyxxx · · Score: 5, Informative

    I believe Microsoft DOES support 3DES on SSL. My "FIPS 140-1" configurations require it. Look for this key in your windows registry - if you have this key, your SSL does 3DES:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168

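The registry check in the post above, as an added example that is not part of the original comment or of any Microsoft tooling. It walks the SCHANNEL\Ciphers key and reports each cipher's override state, and it checks the Triple DES key the post names plus the AES keys that later comments in this thread argue about. Two assumptions not stated in the post: the documented SCHANNEL semantics (a DWORD `Enabled` of 0 disables a cipher, 0xFFFFFFFF enables it, and a missing key or value means the OS default for that Windows version applies), and the newer key name `Triple DES 168` that later Windows releases use alongside the older `Triple DES 168/168`. It uses the .NET registry API instead of the `HKLM:` provider because PowerShell provider paths treat `/` as a path separator and these key names contain one.

```powershell
# Added example (not from the original post): inspect SCHANNEL cipher overrides.
# Assumed semantics (documented SCHANNEL behaviour, not stated in the post):
#   Enabled = 0           -> cipher disabled
#   Enabled = 0xFFFFFFFF  -> cipher enabled (reads back as -1 when typed as Int32)
#   no key / no value     -> the OS default for this Windows version decides
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    # One object per subkey under SCHANNEL\Ciphers with its override state.
    param([string]$Path = $CiphersPath)
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path)
    if ($null -eq $ciphers) {
        Write-Warning "No Ciphers key at HKLM\$Path; no per-cipher overrides are configured."
        return @()
    }
    try {
        foreach ($name in $ciphers.GetSubKeyNames()) {
            $sub = $ciphers.OpenSubKey($name)
            try {
                $enabled = $sub.GetValue('Enabled')   # $null when the value is absent
                if ($null -eq $enabled)   { $state = 'Default' }
                elseif ($enabled -eq 0)   { $state = 'Disabled' }
                else                      { $state = 'Enabled' }
                [pscustomobject]@{ Cipher = $name; Enabled = $enabled; State = $state }
            } finally { $sub.Close() }
        }
    } finally { $ciphers.Close() }
}

function Test-SchannelCipher {
    # Answers the post's question for one named cipher key. A missing key does NOT mean
    # the cipher is off; it means nothing overrides the OS default.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Path = $CiphersPath
    )
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path)
    if ($null -eq $ciphers) { return 'Default (Ciphers key absent)' }
    try {
        $sub = $ciphers.OpenSubKey($Name)   # '/' in the name is fine here
        if ($null -eq $sub) { return 'Default (no key for this cipher)' }
        try {
            $enabled = $sub.GetValue('Enabled')
            if ($null -eq $enabled) { return 'Default (key present, no Enabled value)' }
            if ($enabled -eq 0)     { return 'Disabled' }
            return 'Enabled'
        } finally { $sub.Close() }
    } finally { $ciphers.Close() }
}

# The key from the post, its newer name form, and the AES keys discussed further down.
foreach ($name in 'Triple DES 168/168', 'Triple DES 168', 'AES 128/128', 'AES 256/256') {
    '{0,-20} {1}' -f $name, (Test-SchannelCipher -Name $name)
}
Get-SchannelCipherState | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt on the box you are auditing. The caveat a practitioner wants: the presence of the key is only evidence that someone has configured an override, not proof that the cipher is actually offered in a handshake; what gets negotiated depends on the OS defaults, the cipher-suite order, and the peer.
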
  24. ignoring the noise this is good... by Teunis · · Score: 2, Interesting

    Large company actually paying attention to what it's seeing
    yes we can all feel cynical based on many other similar stories.

    but every now and again a company will surprise us and attempt to actually solve problems.
    A lot of Microsoft's problems date from interesting "for the user" support features. This could be interesting to follow...

  25. And The Big News Is.... by Stephen+Samuel · · Score: 2, Interesting
    Microsoft is happy to let us know the stuff that they're happy to let us know about the Blue Hat conference.
    (can you tell I've just been watching Red Vs Blue?)

    I do hope that nobody actually paid for this news.

    "All researchers at the BlueHat are responsible,"
    guh.
    --
    Free Software: Like love, it grows best when given away.
    1. Re:And The Big News Is.... by Thuktun · · Score: 1

      can you tell I've just been watching Red Vs Blue?

      Hmm, Blue Hat...does that mean Microsoft is Caboose?

    2. Re:And The Big News Is.... by Stephen+Samuel · · Score: 1

      Nah. I'd say that Microsoft is more like Wyoming than Caboose. Just getting Blues to do all of their dirty work.

      --
      Free Software: Like love, it grows best when given away.
    3. Re:And The Big News Is.... by Urusai · · Score: 1

      The word they were looking for is "culpable".

  26. Blame to Go Around by vjmurphy · · Score: 4, Insightful

    "Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view"

    Ah, good to know the culture of blame is still a backbone of American industry. Likely that those senior executives are the ones that requested said features originally. But that's okay, I'm sure they'll find some scapegoats.

    --
    Vincent J. Murphy
    Spandex Justice
    1. Re:Blame to Go Around by JaredOfEuropa · · Score: 3, Informative
      "Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view"
      "I want the people responsible for those features in my office early next week; I want to get to the bottom of this" is management-speak for "not it!".
      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Blame to Go Around by Anonymous Coward · · Score: 0

      I find it more telling that the executives didn't know about the lack of security!

    3. Re:Blame to Go Around by biglig2 · · Score: 1

      Of course, the correct thing to do in this situation is to take the executive aside and whisper "You're responsible for these features..."

      --
      ~~~~~ BigLig2? You mean there's another one of me?
  27. Careful what you wish for by 955301 · · Score: 4, Funny


    "I want the people responsible for those features in my office early next week"

    The features with security issues? Isn't he risking a fire hazard by doing this? I thought buildings had maximum occupancy ratings?

    *ducks*

    --
    You are checking your backups, aren't you?
    1. Re:Careful what you wish for by dfsmith · · Score: 1

      OTOH, if (s)he's the executive responsible, then (s)he may get lonely there.

  28. Corporate Goonspeak... by GeneralEmergency · · Score: 4, Insightful



    Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

    Translation: All presenters know what side of their bread is buttered and by whom.

    Let's celebrate our new openness by censoring ourselves!

    Somebody kick me in the shin please. I must be asleep and dreaming that I'm stuck on that Moron Planet again.

    --
    "A microprocessor... is a terrible thing to waste." --
    GeneralEmergency
    1. Re:Corporate Goonspeak... by PitaBred · · Score: 1

      I'll kick ya in the shin, but I don't think this is a dream :(

    2. Re:Corporate Goonspeak... by stefanb · · Score: 2, Funny
      Somebody kick me in the shin please. I must be asleep and dreaming that I'm stuck on that Moron Planet again.

      Before you wake up, please tell us how you managed to leave it. Please?

    3. Re:Corporate Goonspeak... by sharkey · · Score: 1
      I must be asleep and dreaming that I'm stuck on that Moron Planet again.

      If it's any consolation, the dolphins are still here.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  29. What Blue Hat Means... by benjamin_pont · · Score: 5, Funny

    The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus.

    Actually the Blue Hats are a symbolic salute to their employer's greatest technical accomplishment: The Blue Screen of Death

    1. Re:What Blue Hat Means... by SEWilco · · Score: 1

      The Blue Badges of Death.

  30. Blog link by Anonymous Coward · · Score: 0

    The blog talked about in the article is here: http://blogs.technet.com/bluehat

  31. Poor executives. by miffo.swe · · Score: 2, Insightful

    I find it particularly funny that executives want to smack the ones responsible for random features. From what I have read and understand, the executives are the ones who have constantly demanded more features and not security.

    I'm sure the staff at Redmond is eagerly awaiting the executives bitchslapping each other and themselves until next Monday. I'm sure most of the marketing department will call in sick.

    --
    HTTP/1.1 400
    1. Re:Poor executives. by AutopsyReport · · Score: 4, Insightful
      I find it particularly funny that executives want to smack the ones responsible for random features.

      Oh it's very typical for management to put the heat on individuals, but problems like this come about because of an extremely poor process. While one may argue that an individual has a responsibility to follow standards, it is also management's responsibility to ensure everyone else does, too.

      So when something like this leaks, you can blame management, not the programmer. He made the mistake, but the even larger mistake is that the process didn't catch it. There will be no success when the course of action is for an executive to call out a programmer, but it is strongly indicative that these problems will be repeated.

      --

      For he today that sheds his blood with me shall be my brother.

    2. Re:Poor executives. by ziggy_travesty · · Score: 2, Interesting

      Process? When I think "process", I think IBM. Process stifles innovation. Yes, you need a balance between process and recklessness, but process isn't the answer. Seriously -- what talented, creative devs want to walk into a place where they have to produce 10 lines of documentation for every line of code? Nobody -- that's why startups are cool and MS, Google, and Amazon still try to retain a startup culture.

  32. In the Office..For Target Practice by k1980pc · · Score: 2, Funny

    'I want the people responsible for those features in my office early next week'

    Somebody is going to practice throwing chairs during the weekend..and many others are gonna practice ducking them...

  33. NSA asked Microsoft to not put AES in? by xxxJonBoyxxx · · Score: 1

    So, you claim the NSA asked Microsoft to not put AES in IE? This doesn't make much sense either. Like I said, almost every other browser, client or server already supports AES on SSL (including those offered by IBM). It's just weird that Microsoft lags so far behind.

    1. Re:NSA asked Microsoft to not put AES in? by Anonymous Coward · · Score: 0

      But the real question is, will these variations on the theme of the Nuremberg Defense work for Scooter Libby?

  34. Re:Nobody Expects the Seattle Inquisition! by Anonymous Coward · · Score: 0

    Don't forget Kurt Cobain's ashes. :P

  35. Your question answers itself by Anonymous Coward · · Score: 0

    but that doesn't help the millions of Windows XP users or Windows 2003 administrators out there

    That's exactly why it's not there. It creates more incentive to upgrade to Vista. The fact that you are paying more money for features that you should already have is lost on M$ target audiences.

  36. Yeah, AES went into core crypto, but not SSL. by xxxJonBoyxxx · · Score: 2, Informative

    Yeah, Microsoft finally added AES to its core crypto stuff back in 2003 (I think), but for some odd reason they didn't extend support into the areas that would have used it most: SSL for IIS and SSL for IE. (Dunno if Outlook Express would have used it...probably.)

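The claim above is that the core crypto library gained AES but the SSL stack used by IE and IIS did not. The way to settle that on a given machine is to make the local SSL stack do a handshake and read back what it negotiated. This is an added example, not code from the original comment or from Microsoft: on Windows, the .NET Framework `SslStream` class is built on SCHANNEL, so the cipher it reports is the one the OS stack chose, the same stack IE and IIS use. The host name is an assumption; point it at any reachable TLS endpoint. Default certificate validation is left on deliberately, so a bad server certificate fails the handshake instead of being silently accepted.

```powershell
# Added example (not from the original post): report the cipher that the local SCHANNEL
# stack negotiates with a TLS server. Needs network access to the target host.

function Get-NegotiatedTlsCipher {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Second argument: leaveInnerStreamOpen = $false. No validation callback is
        # supplied, so the default chain/hostname checks stay in force.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)   # throws on validation failure
            [pscustomobject]@{
                Host        = $HostName
                Port        = $Port
                Protocol    = $ssl.SslProtocol
                Cipher      = $ssl.CipherAlgorithm      # e.g. Aes128, Aes256, TripleDes, Rc4
                CipherBits  = $ssl.CipherStrength
                Hash        = $ssl.HashAlgorithm
                KeyExchange = $ssl.KeyExchangeAlgorithm
            }
        } finally { $ssl.Close() }
    } finally { $client.Close() }
}

# Assumed host name; replace with the server you actually want to test.
Get-NegotiatedTlsCipher -HostName 'www.example.com' | Format-List
```

If `Cipher` comes back as `TripleDes` or `Rc4` against a server that you know offers AES suites, the local stack (or its cipher-suite order) is the limiting side, which is exactly the situation the comment describes. On any supported Windows release today you should expect `Aes128` or `Aes256`; the thread's complaint is about the XP/2003-era stack.
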
  37. Reminds me of a story... by gregarican · · Score: 2, Interesting

    'I want the people responsible for those features in my office early next week'

    I recall maybe 8-9 years ago at my large former employer. There were some screw-ups going on coming from an IT subdepartment at corporate headquarters. After trying in vain to work around things on my end I finally picked up the phone and called up the person in charge. Before I could launch into my tirade the person said, "I'm in charge, but I'm not responsible." Reminds me of what will happen Monday morning amidst the chair-littered corridors of Redmond. Lots of finger pointing and ducking...

    1. Re:Reminds me of a story... by GaryPatterson · · Score: 1

      "I'm in charge, but I'm not responsible."

      I love phrases like that. I read it and immediately translated using my CorpTruthSpeak device to "I'm an excess headcount," although if it was said with slightly different intonation it might be "I cannot manage, and need to be trained or replaced."

  38. Not so weird by abb3w · · Score: 4, Interesting
    So, you claim the NSA asked Microsoft to not put AES in IE? This doesn't make much sense either. Like I said, almost every other browser, client or server already supports AES on SSL (including those offered by IBM). It's just weird that Microsoft lags so far behind.

    Not that weird. Yes, every other browser/client/server supports it. IE still has comfortably more than half of the browser market, even though it's in decline. So, if the NSA can't break AES, they ask M$ not to put it in, and a large chunk of the traffic remains readily readable.

    "But," you may say, "anyone who knows what they're doing will use something more secure." True. However on one hand, crooks and terrorists are often (albeit not always) stupid, and might not always do so; and on the other hand, the easily broken traffic can be quickly sorted out, leaving a smaller quantity of harder-to-break traffic where content analysis is neglected but traffic analysis approaches become profitable. Limiting the capabilities of the drooling-luser set is helpful, because it makes it easier to pick out the bad guys who hide by leaving a smaller set of both the good and the bad guys who can hide. Rather than struggling to separate all the good from the bad, they can first quickly separate the smart from the stoooopid.

    Of course, there's no proof the AC's assertion is true... but it doesn't matter much for the sake of argument.

    --
    //Information does not want to be free; it wants to breed.
    1. Re:Not so weird by Anonymous Coward · · Score: 0

      "But," you may say, "anyone who knows what they're doing will use something more secure." True. However on one hand, crooks and terrorists are often (albeit not always) stupid, and might not always do so

      I agree with you and I like your analysis, but the crooks and especially the terrorists aren't stupid. But on the other hand, they are not looking for them... ;)

    2. Re:Not so weird by ednopantz · · Score: 1

      >especially the terrorists aren't stupid.

      Yeah, they're so smart they would never swap or confuse different SIM cards for different mobile phones, ensuring their capture... Face it, these dudes are dumb. dumb. dumb. Possibly, even dumber than the FBI.

    3. Re:Not so weird by abb3w · · Score: 1
      the crooks and especially the terrorists aren't stupid

      Martin Bishop : Organized crime?
      Cosmo : Hah. Don't kid yourself. It's not that organized.

      There's a bell curve, as with a lot of things. Some of the bad guys are extremely well educated, and experienced in their business. Some are dumb as bricks, and thereby keep some news(?) reporters in beer money.

      --
      //Information does not want to be free; it wants to breed.
  39. Re:Nobody Expects the Seattle Inquisition! by Anonymous Coward · · Score: 0

    Need Moderator Points. Must mod parent +1 Funny.

  40. Re:Nobody Expects the Seattle Inquisition! by WillAffleckUW · · Score: 1

    either that or a good Tully's espresso maker ... (also Seattle, probably used by Blue Hatters)

    --
    -- Tigger warning: This post may contain tiggers! --
  41. Who Cares? No Raises Anyway by Anonymous Coward · · Score: 0

    Yell if you like, but your only choice is to hire me or fire me. You stopped giving out raises years ago.

  42. Engineering by minorproblem · · Score: 0, Offtopic

    "SQL Server engineer Brad Sarsfield" Since when was SQL programming classified as a field of engineering...

  43. Apply the NATO analogy by Anonymous Coward · · Score: 0

    Blue team are the good guys, Red team are the communists

  44. Irresponsible responsibility by redelm · · Score: 4, Interesting
    Comments like "I want those people on my carpet" are just foolish. The beatings will continue until morale improves.

    People do things for reasons. Hammering them for things that turn out badly just produces CYA, fear and paralysis. Red in tooth-and-claw management always devours itself.

  45. A tribute to Dr. Seuss, Microsoft-styled by Dark+Coder · · Score: 1
    Red Hat, White Hat,
    Grey Hat, Too!

    Black Hat, Blue Hat,
    Orange Hat, Who?

    Hey... When is Microsoft going to respect the orange (MS temporary) grunts and their 1337 skills? Of all the MS workers I've talked with, only the Orange ones have appeared to have been finding all the undisclosed vulnerabilities.

    Sounds like it may be career-threatening to be a Blue while reporting an undisclosed vulnerability within the Redmond campus.

    Blue Hat, bah! Just a forum to mock the blue workers, and perhaps, justifiably so.
  46. Why is this news by Anonymous Coward · · Score: 0

    > An anonymous reader wrote to ..

  47. Security is... whose responsibility? by joel.neely · · Score: 1

    From a description of one of the sessions (names changed to protect... somebody):

    ... it is often the case that developers expect a core technology to provide one security assertion, when in fact it provides a whole set of unrelated assertions. X and Y have found that many security flaws ... are the result of a fundamental misunderstanding of a core security technology.

    This talk covered the security technologies in Windows that ...[are]... almost without exception, misused. ... X and Y discussed how to find out if your application is making silly security assumptions or whether you have truly mitigated risks against it.


    So, security is the responsibility of the application? Does anybody remember the old song: "I beg your pardon! I never promised you a rose garden!" Or is there a new winner of the Not My Job award ( http://www.nickh.org/pix/notmyjob.jpg ) this year?

  48. Red Hats by Marce1 · · Score: 1

    Does this make me a Red Hat, for being constantly annoyed by M$ products?
    (There are other reasons, of course, but I thought I'd stick with their analogy).

    --
    [ insert meme here ]
  49. Can You Build Secure Solutions Built on Microsoft by smallguy78 · · Score: 2

    Can You Build Secure Solutions Built on Microsoft Core Technologies? The shortest of the Blue Hat seminars

    --
    Nothing costs nothing