Slashdot Mirror


Microsoft Invites Black Hats into Vista

gtzpower writes "Microsoft is inviting hackers to 'Take Your Best Shot' at Vista. 'You need to touch it, feel it,' Andrew Cushman, Microsoft's director of security outreach, said during a talk at the Black Hat computer-security conference. 'We're here to show our work.'" From the article: "A security team with oversight of every Microsoft product — from its Xbox video game console to its Word program for creating documents — has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year so some of the world's top security experts can share the latest research on computer attacks." Essentially a tie-in with an article we discussed yesterday.

23 of 189 comments

  1. Not that I wish to flame, but... by HugePedlar · · Score: 4, Insightful

    ...I was going to point out the dupe, but now the editors have started doing it for us!

    "Essentially a tie-in with an article we discussed yesterday."

    --
    Argh.
  2. No real black hats interested by The+Famous+Brett+Wat · · Score: 5, Insightful

    The real black hats want it to be widely deployed before they start exploiting it.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
    1. Re:No real black hats interested by Millenniumman · · Score: 2, Insightful

      No, customers should not be expecting bugs on the day it comes out. Microsoft should test it comprehensively and then do a beta long enough that there are extremely few bugs, and no serious ones.

      --
      Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
  3. Quote by Anonymous Coward · · Score: 5, Insightful

    "There are some who feel like that the conditions are such that they can attack us there. My answer is bring them on," Ballmer said. "We've got the force necessary to deal with the security situation."

    Say, wait. If you've just given prerelease test copies of Vista to 3,000 "black hats"... and you're hoping they'll find bugs in them and report them back to you before Vista ships... I mean... how do you know that's what they're actually going to do?

    What if some of these "black hats" look over Vista, find security bugs, keep them secret, go back to Microsoft and say "Whelp! Looks like Vista doesn't have any security holes at all!"; then wait for Vista to be released, and once it's out have a 0-day exploit that they can use in their offshore spam/spyware businesses and that no one else will even know exists until two years from now when a gray hat independently finds and publishes it and Microsoft finally fixes it?

    I mean, of course that's a worst case scenario. But still, sometimes I think the old thinking on how the world of hackers works no longer really applies now that the primary motivating force is not pride, but money (in the form of sweet, sweet herbal viagra).
    1. Re:Quote by mottie · · Score: 4, Insightful

      You speak a lot of sense... I would think that doing this with "White Hats" would make more sense. Realistically all the Black Hats would already have a cracked beta copy that they've downloaded anyways. I'm sure they all would want to have their name attached to the first 0-day exploit. This is all just more press for Microsoft's attempts at security.

  4. Won't help them by MECC · · Score: 2, Insightful

    Until MS figures out that permissions should be based on tasks, roles, and objects instead of who you log in as, all the stupid human tricks in the world won't help them. It looks to me as though security in Vista has the same thinking underpinning its design as NT/2K/XP - log in as admin to do admin things, and have permission to do anything.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Won't help them by jimicus · · Score: 3, Insightful

      Even when you are running as Administrator, it still requires that you consent when you're running tasks/programs/etc that need superuser status.


      So, having spent years training normal users that the correct way to get anything done is to click "Yes" on every single dialog box that comes up, regardless of what the dialog actually says, they're now doing the same to sysadmins?
  5. Close but no cigar, MS by FlyByPC · · Score: 2, Insightful

    It's one thing to invite hackers to "take their best shot" at breaking Vista. Even if you could trust them to report what they found (and hey, these black-hatters seem like nice, trustworthy guys, right?), how should they really know what the source contains?

    ...unless M$ is letting them look at the source itself -- but since I haven't heard any reports of Hell freezing over, I'm guessing that isn't happening.

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  6. It's a play on words by Morosoph · · Score: 4, Insightful

    Microsoft does not want black-hats to be cracking Vista, unless they're visiting a honeypot; for black-hats will keep what they know to themselves, and maybe create false trails. Rather, MS is indicating to the grey- and white-hats that they're legally in the clear.

    "Black Hat" is simply the name of the conference organiser, a cool name to be sure, but not an indication of who MS is reaching out to.

  7. Good! by scuzzman · · Score: 2, Insightful

    I say good for them. At least Microsoft is attempting to release a secure product. Sure, it may still have its holes, but this is possibly the most constructive thing they could've done to increase the security of this OS. It's nice to see Microsoft actually paying attention to security as opposed to ignoring it and thinking all the [spy|mal|ad]ware will go away as we've seen them do for 20 years now.

  8. Re:why invite the black hats in? by soulshinejam · · Score: 3, Insightful

    Shouldn't we change the Microsoft symbol next to all related articles? I mean, seriously... Gates no longer works for Microsoft and manages his own charity foundation. What else does this guy have to do to wash the blood from his hands?

    (Ironically, my confirmation script image for this post is "unfair")

  9. Incredibly stupid title by hellfire · · Score: 4, Insightful

    The title has created some incredibly +5 funny comments, which is great for cheap entertainment, but the title is completely fucking wrong and now the flamethrowers must be unleashed.

    From TFA:
    After suffering embarrassing security exploits over the past several years, Microsoft Corp. is trying a new tactic: inviting some of the world's best-known computer experts to try to poke holes in Vista, the next generation of its Windows operating system.

    Black hats are the bad guys, the guys actually hacking the computers for the sake of getting money and identities. The security experts are the good guys!

    Maybe I'm overreacting, but that little change in the title is rather important. It turns the story from "Microsoft showing all the efforts it is making to improve security" to "Microsoft so desperate to improve security they invite convicted hackers/spammers/international mafia to come hack Vista!"

    Of course, without said change, we have no +5 funny comments, and thus no real story to make fun of, because there's not much material to make fun of here, and nothing to criticize about Microsoft because what they are doing in the article is what they should be doing. Nice job, Slashdot.

    --

    "All great wisdom is contained in .signature files"

  10. Re:Microsoft invites what now? by dr_dank · · Score: 5, Insightful

    Something like this would bring the wannabes and dingbats out of the woodwork. A real paranoid black hatter wouldn't want to have his identity known or put himself under Microsoft's sights for a non-serious amount of money. You'd better believe that people that take this challenge will be closely watched from now on.

    --
    Where does the school board find them and why do they keep sending them to ME?
  11. Re:This is both onerous and fun by JPribe · · Score: 2, Insightful

    Linksys's

    "links-is-is?"
    "link-sizis?"

    How do you say that without sounding like a whacko???

    --

    Why go fast when you can go anywhere? O|||||||O
  12. Re:Microsoft invites what now? by Anonymous Coward · · Score: 1, Insightful

    You'd better believe that people that take this challenge will be closely watched from now on.

    More likely, they'd be offered a job at MS. Take off the tinfoil :)

  13. Re:why invite the black hats in? by Anonymous Coward · · Score: 1, Insightful

    Charity...that's what he's doing

  14. Re:This is both onerous and fun by Chr0nik · · Score: 2, Insightful

    This is friggin hilarious. Half the people here think this is MS's first attempt at finding bugs and exploits in Vista. The other half think it's a conspiracy theory to find and create a database of known hackers. 1. The NSA needs no help finding hackers... The really good ones.... WORK FOR THEM. And if they don't they probably will some day. At some point, due to the purely sickening salaries they get paid to work for them. The difference between black and white is about high-5 figures in most cases. Sometimes 6. 2. MS has multiple security firms populated with heavies that have been testing this thing since alpha. If you think otherwise, you are ignorant. Software giants (all of them) pay extremely large amounts of cash for documented exploits, sometimes in paper bags. When they are not doing that, they are paying huge contract maintenance fees, and when they are not doing that, they are paying disgusting salaries. A lot of the time it's all at once. They pay the salaried guys to find the bulk of the security flaws, then they pay a contract company to make them look like idiots, then they hire the real heavies to make the contractors look stupid. All of this to guys that shop at ThinkGeek, and live off of caffeine, and coined terms like l337! and PwNT!. Only after all of this do they open it up to the general hacking community for a possible raping. MS is no exception. They are just being more public about it than others because they have been so heavily criticized in the past for being lax on security. They are in the spotlight, so they have to be.

    --


    ... what did you expect, something profound?
  15. Re:This is both onerous and fun by postbigbang · · Score: 3, Insightful

    You're of the mistaken belief that all the people that go to BH and DefCon are genius, code-cracking hackers. They're not. Instead, you get a whole bunch of wannabes and lots of security officers that are scared shitless of their next attack.

    So MS gets to tease these guys, make them think that they're tough stuff, and it's all hilarious. Sorry you didn't catch that.

    Half these guys will discover that Vista has not one WGA-like heartbeat responder, but several. Trace the protocols. I did.

    --
    ---- Teach Peace. It's Cheaper Than War.
  16. Re:why invite the black hats in? by nuzak · · Score: 3, Insightful

    Yes, but Ballmer is still a better ringer for Locutus.

    Maybe when Ballmer takes the reins, we can change it to a chair flying through a window.

    --
    Done with slashdot, done with nerds, getting a life.
  17. Re:why invite the black hats in? by q3ctf4 · · Score: 1, Insightful

    It is extremely vital for Microsoft to show that Vista is secure, especially in the enterprise. This is a great marketing move because it illustrates Microsoft's seriousness and commitment to security.

  18. Re:Microsoft invites what now? by MindPrison · · Score: 2, Insightful

    A real paranoid black hatter wouldn't want to have his identity known or put himself under Microsoft's sights for a non-serious amount of money. You'd better believe that people that take this challenge will be closely watched from now on.

    It would be cheaper just to hire them. Monitoring people costs a lot of people; you could expect it would take a team of 3-4 people just to keep tabs on one of them.

    Want to see paranoid? Take a guess - how many of these secret hackers already work for Microsoft, do you think? Microsoft is big, there's bound to be a few.

    --
    What this world is coming to - is for you and me to decide.
  19. Re:Microsoft invites what now? by Anonymous Coward · · Score: 2, Insightful

    $1000 per exploit? Are you kidding? From a company that rapes us for billions for their shoddy work? $1000 would be an insult. So is this cheap marketing ploy. Just because a bunch of hackers have better things to do than to work for free for Microsoft doesn't mean that Vista has iron clad security. Of course, the mainstream media is too stupid to see through this transparent marketing ploy, and will happily regurgitate the PR on the newswire, misinform the public, and collect their paycheck. So instead of a headline that reads "Computer Scientists refuse to work gratis for Microsoft" we'll read "Creepy Evil Hackers Can't Crack Vista".

  20. Re:why invite the black hats in? by dispar-ssk · · Score: 1, Insightful

    Dude, he made a product that millions of people bought. Nobody was forced to buy it, that's called a free market, get over it. The market gave rise to open source as a result of Microsoft's high price and constant crashing. It's not their fault that most people don't want to use more complicated software. If you hate Microsoft, simply don't buy their stuff and try to convince people you know to use open source software (PC-BSD is a good start, package handling goes a long way). Get a hobby or something, perhaps take an economics class at a local community college.