Slashdot Mirror


Microsoft Invites Black Hats into Vista

gtzpower writes "Microsoft is inviting hackers to 'Take Your Best Shot' at Vista. 'You need to touch it, feel it,' Andrew Cushman, Microsoft's director of security outreach, said during a talk at the Black Hat computer-security conference. 'We're here to show our work.'" From the article: "A security team with oversight of every Microsoft product — from its Xbox video game console to its Word program for creating documents — has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year so some of the world's top security experts can share the latest research on computer attacks." Essentially a tie-in with an article we discussed yesterday.

14 of 189 comments

  1. Microsoft invites what now? by MindPrison · · Score: 3, Interesting

    They invite hackers to take their best shot?

    Why not just PAY the hackers to do their best at breaking it?

    --
    What this world is coming to - is for you and me to decide.
    1. Re:Microsoft invites what now? by mrxak · · Score: 4, Interesting

      Probably a good idea to do $1,000 per exploit found first, plus a free copy of Vista when it's done for everyone reporting at least 20 (let's be honest, it probably won't be that hard to find 20), and some other rewards for most found. Microsoft could afford to pay these guys and get some actual results out of it. The alternative really is to let all the black hats find out the exploits months in advance, report nothing, and then on release day things go absolutely nuts.

  2. Re:Trap? by just_another_sean · · Score: 4, Interesting

    You may be right. In a psychological sense they succeeded with at least one person, at least if you take his statement at face value. From yesterday's article:

    Mr. Moore, 24 years old, who lives in Austin, Texas. But he says the meetings put a human face on a company he once saw as impenetrable. "You're less willing to publicly humiliate someone you know in real life," he says.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  3. I can just imagine... by wealthychef · · Score: 3, Interesting

    Security expert at Microsoft: "delay shipping Vista! We know it's ready otherwise, and people are clamoring for it, and stock prices depend on it, but I've discovered a security hole that is very serious!" Bill Gates: "I think you need a career change. Don't you have an assistant that says it's ready to ship as is? Let me talk to him..."

    --
    Currently hooked on AMP
  4. Head Start by AugustZephyr · · Score: 2, Interesting

    Way to give the hackers a head start in probing the vulnerabilities of yet another Microsoft product. Now we will be minimizing the time Vista is out before MS receives all these complaints of new viruses for their new OS.

  5. Re:Won't help them by marshallbanana6 · · Score: 2, Interesting

    From what I hear this is not entirely true. A friend of mine has been working with current builds of Vista for work, and apparently it's not "Administrators access all" anymore. There's a group called "first installer" or something to that effect that has sole access to certain aspects of the operating system. Apparently though, it's more annoying to people who actually need to get to this stuff than it is helpful to keep people who know what they're doing out, as is always the case. However, I don't think they've gone to a full *nix style permissions system or any crazy brand new format either.

  6. Fact gathering exercise by LaughingCoder · · Score: 2, Interesting

    Imagine if this is a special version of Vista that keeps detailed logs that can somehow find their way back to MS. This could give them a nice window (no pun intended) into the black hats' methods. Probably the black hats would be all over that, though.

    Or, imagine that the Vista they get is not the one the rest of us will get -- MS could, for example, purposely insert a bunch of security problems of varying severity and type to see how sophisticated the black hats are.

    --
    The more you regulate a company, the worse its products become.
  7. Trying to recreate the good ol' days by ch-chuck · · Score: 2, Interesting

    Can Microsoft ever recreate the excitement that accompanied releases like Windows 3 or 95? Back then a large segment of the population, at least in the US, was still transitioning from no or limited personal computing to having and using their own machine, and they usually ran about $2000 for a leading edge one. Nowadays, just about anybody who can cough up $600 to Dell can have one on their doorstep in a few days, up and running, internet connected, and have been there, done that either before or at work. I can remember some year in the late 80's they called the MS-DOS Christmas, probably about when 386sx's became affordable.

    Since there's nothing really new, just more of the same, can Microsoft do ANYTHING to recreate the old stock pumping marketing splashes of yore?

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  8. Re:Won't help them by value_added · · Score: 2, Interesting

    When you run the console while you're logged into administrator, it does not automatically have superuser status--you need to choose to run the console as administrator [...] How do I know this? I'm one of the contracted testers that is working with the vista firewall and its ACLs.

    This sentence doesn't parse for me, but I'd be interested in knowing whether Vista has a "super user", or are you using that term in the historically generalised and hence meaningless sense? In 2000, there's SYSTEM (not entirely appropriate for daily use) which has rights beyond Administrator, but in 2003 there's rights that the SYSTEM account doesn't have unless granted by ... wait for it ... the Administrator account. I'd also be interested if there's any useful tools for managing permissions. Or is that still a mixture of DOS attributes and whatnot that one needs to right-click one's way through the file system/registry/etc. to make effective use of?

  9. Re:Won't help them by Anonymous Coward · · Score: 1, Interesting

    Sorry, it is rather vague. No, I mean it in the sense of a user that has some sort of elevated permissions, whether that's full-access, root-style permissions or simply permissions to do specific admin-related tasks.

    No promises that what I'm saying is 100% accurate, because I've only been working with Vista for about a week and a half now, but this is all as true as I can tell from my observations.

    When you run a task, it checks your permissions against the ACL for that task to see if your user account is allowed to run it. Even if you've got the rights to run it, it'll pop a little window up to verify that it's YOU running it (and not, for example, a subversive program that's gotten on to your computer). How well does it work? Don't know yet. But it's one hell of a security improvement over NT/2000/XP/2003.

    (As for your question about tools for giving certain rights to user accounts, I can't answer that yet as I haven't needed to do that for the testing I'm doing. I'd be better equipped to answering a question like that in a few weeks).
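The two posters above are describing the same thing from different angles: being a member of Administrators no longer means the process you are typing into is running with those rights until you explicitly elevate. The following is an added example, not code from the thread or from Microsoft; it assumes a Windows machine with UAC enabled and PowerShell, and relies on the built-in whoami tool to show how the Administrators group and the integrity label appear in an unelevated versus an elevated token.

```powershell
# Added example: report whether the current token is actually elevated, as opposed
# to the account merely being a member of the local Administrators group.
# Assumes Windows with UAC and PowerShell 3.0 or later (uses ConvertFrom-Csv).
function Get-TokenElevationState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole only returns true when the Administrators group is *enabled* in the
    # token, i.e. the process was started elevated (the UAC consent dialog was passed).
    $elevated = $principal.IsInRole($adminRole)

    # whoami /groups exposes the raw token: the integrity label (Medium vs High) and,
    # for a filtered admin token, the Administrators group marked "used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    [pscustomobject]@{
        User                 = $identity.Name
        Elevated             = $elevated
        IntegrityLevel       = $label
        AdministratorsGroup  = if ($admins) { $admins.Attributes } else { 'not present in token' }
    }
}

# Run once from a normal console and once from a console started "Run as administrator":
# the same account shows Elevated=False / Medium / "Group used for deny only" in the
# first case and Elevated=True / High / "Mandatory group, Enabled ..." in the second.
Get-TokenElevationState | Format-List
```

Scripts that need admin rights should check this and stop with a clear message rather than assuming group membership is enough; auditing the integrity label is also a useful quick check when troubleshooting "access denied" on a supposedly administrative account.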

  10. Re:Won't help them by chris_7d0h · · Score: 2, Interesting

    So, does Vista have a system administration account or not?

    An equivalent of the Unix "root" user account or is it more like Ubuntu where the admin account is "hidden" by default and you have to sudo / RunAs whenever you want to do something outside your sandbox? I'm one of those people who do "sudo su -" whenever I put on my "admin hat" and I really hope Vista has an admin account since doing RunAs for every app. when doing sys-admin stuff is pretty tedious.

    --
    In a society that believes in nothing, fear becomes the only agenda ~ Bill Durodié
  11. Re:why invite the black hats in? by CarpetShark · · Score: 3, Interesting

    Charity...that's what he's doing

    No. Bill's "charity" is a needle compared to the haystack his company extorts from users who are stuck with his monopoly. People in Africa have asked him to offer software at prices proportionate to income there, and he refused, obviously not caring that the vast majority in a poor country cannot afford basic software that costs over a MONTH's wages. Giving a little back does not make up for that. Especially not when it's done in his name, as a publicity stunt, in partnership with his wife, who he's probably trying to look like a decent person in front of. Certainly not lately, when he's been taking photo ops with political leaders, and getting knighted by the UK, which is currently suffering from scandals involving underhanded deals for peerages etc.

    Anyone can give to charity. The question is... why?

  12. Meaningless Ploy by eepok · · Score: 2, Interesting

    Am I the only one that sees this as a well-contained and rigged attempt at advertising security in high-control situations?

    OF COURSE it's going to be difficult/improbable to hack the Vista box that MS provides to Black Hat. It's running no unnecessary processes and has all known security checks locked down.

    What really matters (to consumers) is whether or not it will be as secure when 15 different unnecessary and unupdated programs are running in the background.

    No? Somehow, I'm not surprised.

  13. Re:why invite the black hats in? by clambake · · Score: 2, Interesting

    They don't mean REAL black-hat hackers. Not the ones that are all secretive and write viruses and do real hacking and such. They mean the type that goes to conferences and gives lectures. The "respectable" ones.