Slashdot Mirror
Microsoft Invites Black Hats into Vista
gtzpower writes "Microsoft is inviting hackers to 'Take Your Best Shot' at Vista. 'You need to touch it, feel it,' Andrew Cushman, Microsoft's director of security outreach, said during a talk at the Black Hat computer-security conference. 'We're here to show our work.'" From the article: "A security team with oversight of every Microsoft product — from its Xbox video game console to its Word program for creating documents — has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year so some of the world's top security experts can share the latest research on computer attacks." Essentially a tie-in with an article we discussed yesterday.
aren't they already freaking there?!
ed
...I was going to point out the dupe, but now the editors have started doing it for us!
"Essentially a tie-in with an article we discussed yesterday."
Argh.
They invite hackers to take their best shot?
Why not just PAY the hackers to do their best at breaking it?
What this world is coming to - is for you and me to decide.
It could be a trap, you know. Bring in the black hats, and then brainwash them en masse so they don't want to use computers anymore but still buy many copies of MS products. No more security problems!
-mrxak
Onions Will Kill You
------------Now-----------
MS: "Have it Vista, hackers -- see if you can find any exploits"
BHs: *they go to it* "Nope, we don't have any security holes to report to you, it looks like Vista is impenetrable."
------------Vista is released-----------
MS: "What the heck? How can there be over twelve-thousand viruses for Vista on the day it's released?!"
BHs: "All your Vistas are belong to us! Thanks for your help Microsoft!"
A computer once beat me at chess, but it was no match for me at kick boxing.
A home users' edition licence?
The real black hats want it to be widely deployed before they start exploiting it.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
Please. Wash your hands after. We don't need those Vista cooties infecting everything else when you get back.
body massage!
Say, wait. If you've just given prerelease test copies of Vista to 3,000 "black hats"... and you're hoping they'll find bugs in them and report them back to you before Vista ships... I mean... how do you know that's what they're actually going to do?
What if some of these "black hats" look over Vista, find security bugs, keep them secret, go back to Microsoft and say "Whelp! Looks like Vista doesn't have any security holes at all!"; then wait for Vista to be released, and once it's out have a 0-day exploit that they can use in their offshore spam/spyware businesses and that no one else will even know exists until two years from now when a gray hat independently finds and publishes it and Microsoft finally fixes it?
I mean, of course that's a worst case scenario. But still, sometimes I think the old thinking on how the world of hackers works no longer really applies now that the primary motivating force is not pride, but money (in the form of sweet, sweet herbal viagra).
This seems like a HORRIBLE idea. I plan to follow the news on this :)
Consider: Microsoft gets to ride free hacks this time-->before the OS gets released. All that nice work, and they don't spend a dime. Interesting also because the release they gave out isn't a 'community-style' release. It makes one wonder if there's a 'Vista-call-home' component to it, too. Might be nice to know which of the coders actually tried to boot the thing, and then note their IP for future reference (or maybe to turn over to the NSA).
Still, with many noted reviewers in full belief that it's swiss cheese, it ought to be fun to see who eats it with crackers.
---- Teach Peace. It's Cheaper Than War.
Security expert at Microsoft: "delay shipping Vista! We know it's ready otherwise, and people are clamoring for it, and stock prices depend on it, but I've discovered a security hole that is very serious!" Bill Gates: "I think you need a career change. Don't you have an assistant that says it's ready to ship as is? Let me talk to him..."
Currently hooked on AMP
Way to give the hackers a head start in probing the vulnerabilities of yet another microsoft product. Now we will be minmizing the time vista is out before MS recieves all these complaints of new viruses for their new OS.
Until MS figures out that permissions should be based on tasks, roles, and objects instead of who you log in as, all the stupid human tricks inthe world won't help them. It looks to me as though security in vista has the same thinking underpinning its design as NT/2K/XP - log in as admin to do admin things, and have permission to to anything.
"We are all geniuses when we dream"
- E.M. Cioran
Step #1. No open ports.
Step #2. No services running that are not absolutely essential.
The idea is to reduce the number of available avenues for attacks. Then you can focus on protecting/hardening the apps that are running. Such as (on Linux) putting them in a chroot jail.
"Now Vista, can you show us on this doll where the hacker touched you?
"Let the record show that the victim pointed to the KERNEL!"
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
r00t access?
Badass Resumes
Isn't there a saying or something about foxes and henhouses? Do foxes wear black hats?
Just how good would a black hat look on a red fox? Or do foxes come in black, too? That'd look pretty good...
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
It's one thing to invite hackers to "take their best shot" at breaking Vista. Even if you could trust them to report what they found (and hey, these black-hatters seem like nice, trustworthy guys, right?), how should they really know what the source contains?
...unless M$ is letting them look at the source itself -- but since I haven't heard any reports of Hell freezing over, I'm guessing that isn't happening.
Paleotechnologist and connoisseur of pretty shiny things.
To quote Bush to terrorists: "Bring it on!"
Result: We're getting our asses kicked.
To quote MS to Blackhats: "Bring it on!"
Result: Look at XP and they didn't invite anybody.
MS has enough problems with BHs already. To invite them? WTF? Lot's of people at MS are already saying they wont make it in time and that the code is bad to begin with. Do they not listen to their own people?
"A security team with oversight of every Microsoft product [...] has broad authority to block shipments until they pass security tests"
Of course! That explains why there are so few bugs and holes in MS products. Oh wait..
Microsoft does not want black-hats to be cracking Vista, unless they're visiting a honeypot; for black-hats will keep what they know to themselves, and maybe create false trails. Rather, MS is indicating the grey- and white-hats that they're legally in the clear.
"Black Hat" is simply the name of the conference organiser, a cool name to be sure, but not an indication of who MS is reaching out to.
Wikileaks, no DNS
Invite the non-yet-assimilated into the cube, as to save on expenses.
Where were you when the voynix came?
Why not just invite the hackers to do their best at breaking it? (Before electing to pay them.)
Join Tor today!
Knowing how bad security actually is in Microsoft products (a company with such resources should have come up with somthing like Tripwire combined with ACLs and maybe even better things a long time ago) the blurb sound like out of this world.
I say good for them. At least Microsoft is attempting to release a secure product. Sure, it may still have its holes, but this is possibly the most constructive thing they could've done to increase the security of this OS. It's nice to see Microsoft actually paying attention to security as opposed to ignoring it and thinking all the [spy|mal|ad]ware will go away as we've seen them do for 20 years now.
I am sure microsoft is not stupid. I am sure you need to give them your name address, phone, social, first born and everything else before they give the black hat the pre release copy. Also are they having them try at this conference and not at home? Maybe with a mobile lab with vista on it setup ?
So.. Have they been on a 10 year vacation or something?
End of line..
Imagine if this is a special version of Vista that keeps detailed logs that can somehow find their way back to MS. This could give them a nice window (no pun intended) into the black hats' methods. Probably the black hats would be all over that, though.
Or, imagine that the Vista they get is not the one the rest of us will get -- MS could, for example, purposely insert a bunch of security problems of varying severity and type to see how sophisticated the black hats are.
The more you regulate a company, the worse its products become.
When I saw the headline "Microsoft Invites Black Hats into Vista :-)
", I thought: "With all the security holes in it, didn't they invite Black Hats into Win XP too?"
Coder's Stone: The programming language quick ref for iPad
...run Linux
The title has created some incredibly +5 funny comments, which is great for cheap entertainment, but the title is completely fucking wrong and now the flamethrowers must be unleashed.
From TFA:
After suffering embarrassing security exploits over the past several years, Microsoft Corp. is trying a new tactic: inviting some of the world's best-known computer experts to try to poke holes in Vista, the next generation of its Windows operating system.
Black hats are the bad guys, the guys actually hacking the computers for the sake of getting money and identities. The security experts are the good guys!
Maybe I'm overreacting, but that little change in the title rather important. It turns the story from "Microsoft showing all the efforts it is making to improve security" to "Microsoft so desperate to improve security they invite convicted hackers/spammers/international mafia to come hack vista!"
Of course, without said change, we have no +5 funny comments, and thus no real story to make fun of, because there's not much material to make fun of here, and nothing to critize about Microsoft because what they are doing in the article is what they should be doing. Nice Job Slashdot.
"All great wisdom is contained in .signature files"
1: Find holes in Vista Beta
2: Don't Disclose Them
3: ??
4: Profit
Where ?? = Wait til Vista is Released
Can Microsoft every recreate the excitement that accompanied releases like Windows 3 or 95? Back then a large segment of the population, at least in the US, was still transitioning from no or limited personal computing to having and using their own machine, and they usually ran about $2000 for a leading edge one. Nowadays, just about anybody who can cough up $600 to Dell can have one on their doorstep in a few days, up and running, internet connected, and have been there, done that either before or at work. I can remember some year in the late 80's they called the ms-dos christmas, probably about when 386sx's became affordable.
Since there's nothing really new, just more of the same, can Microsoft do ANYTHING to recreate the old stock pumping marketing splashes of yore?
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Sort of like what these guys are doing to the bunny?
It seems to me that this is a sure way to delay the release indefinitely: they must know how f... well, insecure... the Vista is - now they have a good excuse to miss the promised shipment dates once again :) "Oh, black hats have found yet another hole in our system! Bummer - we have to postpone the relase for another 6 years"...
Bad title.
Blame the user, not the software.
IIRC, didn't Microsoft do something like this when they were getting Windows 2000 ready for release? This looks very familiar.
... Just wait until its released and break its face upon release.
members are seeing something, your seeing an ad
Agreed. "I double dog dare you" says nothing of what the article is about. While the accepted title isn't too accurate, it at least lets you know what to expect: Vista, Security. "I Double dog dare you" isn't very RSS friendly, and less likely to garner as many clicks.
A rose by any other name probably wouldn't sound as sweet. Unless it was called sweetflower or something.
and probably never did.
/. and are on their way to try to F me up personally for sliming them. Most of them, however, are security officers or functionaries in various corps that are there because they're paranoid, not because they like the 115F Las Vegas Sun. And a few are nice people, good coders, good hackers and bretheren. Most are not. That's why CMP bought DefCon.
What incredible hubris to believe that Microsoft's cadre of bounds-checking idiots could write their way out of a wet paper bag. Sure, Microsoft tests code. And we've found enormous root-rendering bugs in it. One of them is published.
This is all PR. And the NSA thing was a joke, dude. See my other reply: most of the people that go to BH and DefCon are NOT coders, but will probably try it. Some are very clever. A few have hacked
---- Teach Peace. It's Cheaper Than War.
they love challenges especially when it's a huge corporation like Microsoft daring them to poke holes in their new operating system. i'm sure MS will have no issues finding a group that will be more than happy to prove that they are better than the rest.
Oh, to be on the list of employees whose code was hacked to bits by the (Mad) Black Hatters.
Layoffs, anyone?
Putting the 33k in G33k.
only someone who's not that good would bother attacking a beta before it ships installed on a massive scale.
-- Tigger warning: This post may contain tiggers! --
There definitely are some fun days ahead !!!
Read radical news here
The "copy" the hackers are givin probably will contain trojans and all kinds of monitoring processes so they can see what they are actually doing. This way, they get the information even if they don't report it, and become familiar with their processes.
"has broad authority to block shipments until they pass security tests."
Did this strike anyone else as an excellent scheme to both test their security AND an excuse for delays in shipment of Windows Vista?
Microsoft is making billions of dollars off of their products and will make future billions. If they are really so interested in vista security they should put a 10 Million dollar prize to be given to the person or persons who can discover, document, and submit the most new and distinct vulnerabilities in Vista in a 1 year time span. For all of the billions M$ makes this would be a worthwhile investment because even the losers will be giving you many vulnerabilities to fix.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
Wouldn't it be better to invite/pay White Hat hackers? Black Hat hackers don't help people. They just help themselves and exploit others.
\
Sounds more like they are looking to get the Grey and Whites involved. Which wouldn't be a bad thing. You just have to hope they're as good as the Blacks. Because as sure as you have a herd of people step up to test this there will be at least a few who get a copy for nefarious purposes.
I will have to agree that Zonk and the greelighters here might want to read the articles then re-read the headlines to make sure they aren't just fanning the flamewars.
I'm just sayin...
I'm a fiscal conservative, it's a pity we don't have a political party anymore
Am I the only one that sees this as a well-contained and rigged attempt at advertising security in high-control situations?
OF COURSE it's going to be difficult/improbably to hack the Vista box that MS provides to Black Hat. It's running no unnecessary processes and has all known security checks locked down.
What really matters (to consumers) is the following is whether or not it will be as secure when 15 different unnecessary and unupdated programs are running in the background.
No? Somehow, I'm not surprised.
What species is this guy, anyway?
In the 90's, Linux advocates used "stability" as their main argument against Windows. Microsoft took that argument away with XP (regardless of the idiotic BSOD comments tossed around these parts).
From 2001 to now, Linux advocates have used "security" as their main argument against Windows. Microsoft is in the process of taking that argument away.
Soon, Linux advocates will be left with "price" as their main argument (glossing over the fact that startup price is insignificant compared to total cost of ownership), which the public really doesn't care about (they'll just think that Linux is free because it's not worth paying for).
-- "I never gave these stories much credence." - HAL 9000
I beleive the biological term is "blackus hatis hacksaloti".
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
He won't be reproducing.
No balls left anymore.
I don't want a signature.
The first hit is always free.
MS has to let Vista be hacked
Then the crack can flood the world.
MS would hate to see a generation of young users trying other products for free.
Domestic spying is now "Benign Information Gathering"
marginal initial cost of WinXP over linux with MSOffise, Photoshop-lite and a few other odds and ends: $800. this $800 goes toward about a 10% improvement in functionality for power users, almost no improvement for joe or janet 6pack.
marginal TCO of WinXP over Linux, excluding initial $800 bogey: >$800.
how much does an bi-annual hard drive wipe cost in terms of dollars, time wasted and lost data? > $800 over the total cost of ownership. add in more bucks for all the virus scans and ad|mal|crapware "maintenance."
the TRUTH (all else being equal): linux is cheaper to get into and it is cheaper to run.
BY A LOT!
guy/gals like you just try and obfuscate - you infer TCO favors windows, but you make no effort to back it up. you can't. you are either naive or you are sinister - either way, the truth is far from you.
...if they found a hole. Which is more likely, that they'd report it and see it closed, or that they'd use it as they have in the past. Hmmm...
Everybody knows 3 people with my name.
Giving a little back does not make up for that.
Yep. Virtue is not measured by how heavily you honey the urine you feed your fellow human beings, it's measured by how little you piss in their cup to begin with.
Please stop stalking me, bro.
Let's all get on the perdy MS spaceship where we will live happy ever after...Please. Er..and ..um...it's NOT a cookbook people, it a microsoft manual.
I can't believe there haven't been more comments like this! Steve isn't exactly a zero day kinda guy. ;)
As stated on Rutkowska's blog at http://theinvisiblethings.blogspot.com/2006/06/int roducing-blue-pill.html
"[...]I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform.[...]"
Microsoft put the "sucks" in "success".