Microsoft Invites Black Hats into Vista

gtzpower writes "Microsoft is inviting hackers to 'Take Your Best Shot' at Vista. 'You need to touch it, feel it,' Andrew Cushman, Microsoft's director of security outreach, said during a talk at the Black Hat computer-security conference. 'We're here to show our work.'" From the article: "A security team with oversight of every Microsoft product — from its Xbox video game console to its Word program for creating documents — has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year so some of the world's top security experts can share the latest research on computer attacks." Essentially a tie-in with an article we discussed yesterday.

why invite the black hats in?

aren't they already freaking there?!

ed

Re:why invite the black hats in?

You are absolutely correct. Just because he's not going to leave until July 2008, and just because he is giving up his day-to-day activities while remaining chairman of the board and "advisor for key development projects" [microsoft.com] doesn't mean he should still be considered at all a leader of any kind over at MS right now in August of 2006.

Re:why invite the black hats in?

I just got pwned.

Re:why invite the black hats in?

"That man's been served so hard, he may never walk again."

Re:why invite the black hats in?

Yes, but Ballmer is still a better ringer for Locutus.

Maybe when Ballmer takes the reins, we can change it to a chair flying through a window.

Re:why invite the black hats in?

What else does this guy have to do to wash the blood from his hands?

Give the money back.

Re:why invite the black hats in?

Charity...that's what he's doing

No. Bill's "charity" is a needle compared to the haystack his company extorts from users who are stuck with his monopoly. People in africa have asked him to offer software at prices proportionate to income there, and he refused, obviously not caring that the vast majority in a poor country cannot afford basic software that costs over a MONTH's wages. Giving a little back does not make up for that. Especially not when it's done in his name, as a publicity stunt, in partnership with his wife, who he's probably trying to look like a decent person in front of. Certainly not lately, when he's been taking photo ops with political leaders, and getting Knighted by the UK, which is currently suffering from scandals involving underhanded deals for peerages etc.

Anyone can give to charity. The question is... why?

Not that I wish to flame, but...

...I was going to point out the dupe, but now the editors have started doing it for us!

"Essentially a tie-in with an article we discussed yesterday."

Re:Not that I wish to flame, but...

Any of you who listen to Security Now [grc.com] will have heard M$ have re-written the networking stack (as discovered by Symantec et.al).

Needless to say, even after this testing and patching, there is a high probablity the networking interface will still have a few 'zero day' flaws...

Microsoft invites what now?

They invite hackers to take their best shot?

Why not just PAY the hackers to do their best at breaking it?

Why not just start with the basics?

Step #1. No open ports.

Step #2. No services running that are not absolutely essential.

The idea is to reduce the number of available avenues for attacks. Then you can focus on protecting/hardening the apps that are running. Such as (on Linux) putting them in a chroot jail.

Re:Why not just start with the basics?

chroot jails are a BSD thing, actually.

Re:Microsoft invites what now?

Probably a good idea to do $1,000 pet exploit found first, plus a free copy of Vista when it's done for everyone reporting at least 20 (let's be honest, it probably won't be that hard to find 20), and some other rewards for most found. Microsoft could afford to pay these guys and get some actual results out of it. The alternative really is to let all the black hats find out the exploits months in advance, report nothing, and then on release day things go absolutely nuts.

Re:Microsoft invites what now?

Something like this would bring the wannabees and dingbats out of the woodwork. A real paranoid black hatter wouldn't want to have his identity known or put himself under Microsoft's sights for a non-serious amount of money. You'd better believe that people that take this challenge will be closely watched from now on.

Trap?

It could be a trap, you know. Bring in the black hats, and then brainwash them en masse so they don't want to use computers anymore but still buy many copies of MS products. No more security problems!

Re:Trap?

You may be right. In a pschological sense they succeeded with at least one person, at least if you take his statement at face value. From yesterday's article:

Mr. Moore, 24 years old, who lives in Austin, Texas. But he says the meetings put a human face on a company he once saw as impenetrable. "You're less willing to publicly humiliate someone you know in real life," he says.'"

Re:Trap?

It is a trap. They have a suicide booth in there, with Vista logo's printed all over it. The last thing you ever hear before dying a horrible bloody death is the Windows Vista Chime.

Re:Trap?

Isn't that what all versions of Windows have always been?

Re:Trap?

The last thing you ever hear before dying a horrible bloody death is the Windows Vista Chime.

...and the last thing you see is a clippy saying "You look like you are about to die a horrible and bloody death. Would you like some help with that?"

How it plays out

------------Now-----------
MS: "Have it Vista, hackers -- see if you can find any exploits"
BHs: *they go to it* "Nope, we don't have any security holes to report to you, it looks like Vista is impenetrable."

------------Vista is released-----------
MS: "What the heck? How can there be over twelve-thousand viruses for Vista on the day it's released?!"
BHs: "All your Vistas are belong to us! Thanks for your help Microsoft!"

No real black hats interested

The real black hats want it to be widely deployed before they start exploiting it.

"You need to touch it, feel it"

Please. Wash your hands after. We don't need those Vista cooties infecting everything else when you get back.

Quote

"There are some who feel like that the conditions are such that they can attack us there. My answer is bring them on," Ballmer said. "We've got the force necessary to deal with the security situation."

Say, wait. If you've just given prerelease test copies of Vista to 3,000 "black hats"... and you're hoping they'll find bugs in them and report them back to you before Vista ships... I mean... how do you know that's what they're actually going to do?

What if some of these "black hats" look over Vista, find security bugs, keep them secret, go back to Microsoft and say "Whelp! Looks like Vista doesn't have any security holes at all!"; then wait for Vista to be released, and once it's out have a 0-day exploit that they can use in their offshore spam/spyware businesses and that no one else will even know exists until two years from now when a gray hat independently finds and publishes it and Microsoft finally fixes it?

I mean, of course that's a worst case scenario. But still, sometimes I think the old thinking on how the world of hackers works no longer really applies now that the primary motivating force is not pride, but money (in the form of sweet, sweet herbal viagra).

Re:Quote

You speak a lot of sense.. I would think that doing this with "White Hats" would make more sense. Realistically all the Black Hats would already have a cracked beta copy that they've downloaded anyways. I'm sure they all would want to have their name attached to the first 0 day exploit. This is all just more press for Microsoft's attempts at security.

This is both onerous and fun

Consider: Microsoft gets to ride free hacks this time-->before the OS gets released. All that nice work, and they don't spend a dime. Interesting also because the release they gave out isn't a 'community-style' release. It makes one wonder if there's a 'Vista-call-home' component to it, too. Might be nice to know which of the coders actually tried to boot the thing, and then note their IP for future reference (or maybe to turn over to the NSA).

Still, with many noted reviewers in full belief that it's swiss cheese, it ought to be fun to see who eats it with crackers.

Re:This is both onerous and fun

You're of the mistaken belief that all the people that go to BH and DefCon are genius, code-cracking hackers. They're not. Instead, you get a whole bunch of wannabees and lots of security officers that are scared shitless of their next attack.

So MS gets to tease these guys, make them think that they're tough stuff, and it's all hilarious. Sorry you didn't catch that.

Half these guys will discover that Vista has not one WGA-like heartbeat responder, but several. Trace the protocols. I did.

I can just imagine...

Security expert at Microsoft: "delay shipping Vista! We know it's ready otherwise, and people are clamoring for it, and stock prices depend on it, but I've discovered a security hole that is very serious!" Bill Gates: "I think you need a career change. Don't you have an assistant that says it's ready to ship as is? Let me talk to him..."

Head Start

Way to give the hackers a head start in probing the vulnerabilities of yet another microsoft product. Now we will be minmizing the time vista is out before MS recieves all these complaints of new viruses for their new OS.

Won't help them

Until MS figures out that permissions should be based on tasks, roles, and objects instead of who you log in as, all the stupid human tricks inthe world won't help them. It looks to me as though security in vista has the same thinking underpinning its design as NT/2K/XP - log in as admin to do admin things, and have permission to to anything.

Re:Won't help them

Sorry, that's not the case. Permissions in Vista really ARE based on tasks, roles, and objects.

Even when you are running as Administrator, it still requires that you consent when you're running tasks/programs/etc that need superuser status. When you run the console while you're logged into administrator, it does not automatically have superuser status--you need to choose to run the console as administrator.

All accesses (to services, registry sections, config/admin programs, and anything that tries to change those) are based on ACLs (access control lists). How do I know this? I'm one of the contracted testers that is working with the vista firewall and its ACLs.

Is it perfect? I don't know. But I do know it feels pretty secure--not entirely different from the way things worked when I played around with setting up Linux server boxes in college (which was only a year ago).

Re:Won't help them

Even when you are running as Administrator, it still requires that you consent when you're running tasks/programs/etc that need superuser status

So, having spent years training normal users that the correct way to get anything done is to click "Yes" on every single dialog box that comes up, regardless of what the dialog actually says, they're now doing the same to sysadmins?

'You need to touch it, feel it,'

"Now Vista, can you show us on this doll where the hacker touched you?

"Let the record show that the victim pointed to the KERNEL!"

Black hatted foxes

Isn't there a saying or something about foxes and henhouses? Do foxes wear black hats?

Just how good would a black hat look on a red fox? Or do foxes come in black, too? That'd look pretty good...

Close but no cigar, MS

It's one thing to invite hackers to "take their best shot" at breaking Vista. Even if you could trust them to report what they found (and hey, these black-hatters seem like nice, trustworthy guys, right?), how should they really know what the source contains?

...unless M$ is letting them look at the source itself -- but since I haven't heard any reports of Hell freezing over, I'm guessing that isn't happening.

Security tests?

"A security team with oversight of every Microsoft product [...] has broad authority to block shipments until they pass security tests"

Of course! That explains why there are so few bugs and holes in MS products. Oh wait..

It's a play on words

Microsoft does not want black-hats to be cracking Vista, unless they're visiting a honeypot; for black-hats will keep what they know to themselves, and maybe create false trails. Rather, MS is indicating the grey- and white-hats that they're legally in the clear.

"Black Hat" is simply the name of the conference organiser, a cool name to be sure, but not an indication of who MS is reaching out to.

Wise decision, Locutus

Invite the non-yet-assimilated into the cube, as to save on expenses.

Spyware, Viruses, Botnets, etc

Knowing how bad security actually is in Microsoft products (a company with such resources should have come up with somthing like Tripwire combined with ACLs and maybe even better things a long time ago) the blurb sound like out of this world.

Good!

I say good for them. At least Microsoft is attempting to release a secure product. Sure, it may still have its holes, but this is possibly the most constructive thing they could've done to increase the security of this OS. It's nice to see Microsoft actually paying attention to security as opposed to ignoring it and thinking all the [spy|mal|ad]ware will go away as we've seen them do for 20 years now.

Realise something

I am sure microsoft is not stupid. I am sure you need to give them your name address, phone, social, first born and everything else before they give the black hat the pre release copy. Also are they having them try at this conference and not at home? Maybe with a mobile lab with vista on it setup ?

Security team?

"A security team with oversight of every Microsoft product from its Xbox video game console to its Word program for creating documents has broad authority to block shipments until they pass security tests."

So.. Have they been on a 10 year vacation or something?

Re:Security team?

They? Vacation? I'm pretty sure the "team" consists of a dog tied to the "testing PC" and trained to bite anyone who approches.

Fact gathering exercize

Imagine if this is a special version of Vista that keeps detailed logs that can somehow find their way back to MS. This could give them a nice window (no pun intended) into the black hats' methods. Probably the black hats would be all over that, though.

Or, imagine that the Vista they get is not the one the rest of us will get -- MS could, for example, purposely insert a bunch of security problems of varying severity and type to see how sophisticated the black hats are.

Headline

When I saw the headline "Microsoft Invites Black Hats into Vista
", I thought: "With all the security holes in it, didn't they invite Black Hats into Win XP too?" :-)

Incredibly stupid title

The title has created some incredibly +5 funny comments, which is great for cheap entertainment, but the title is completely fucking wrong and now the flamethrowers must be unleashed.

From TFA:
After suffering embarrassing security exploits over the past several years, Microsoft Corp. is trying a new tactic: inviting some of the world's best-known computer experts to try to poke holes in Vista, the next generation of its Windows operating system.

Black hats are the bad guys, the guys actually hacking the computers for the sake of getting money and identities. The security experts are the good guys!

Maybe I'm overreacting, but that little change in the title rather important. It turns the story from "Microsoft showing all the efforts it is making to improve security" to "Microsoft so desperate to improve security they invite convicted hackers/spammers/international mafia to come hack vista!"

Of course, without said change, we have no +5 funny comments, and thus no real story to make fun of, because there's not much material to make fun of here, and nothing to critize about Microsoft because what they are doing in the article is what they should be doing. Nice Job Slashdot.

4 Step Program

1: Find holes in Vista Beta
2: Don't Disclose Them
3: ??
4: Profit

Where ?? = Wait til Vista is Released

Trying to recreate the good ol' days

Can Microsoft every recreate the excitement that accompanied releases like Windows 3 or 95? Back then a large segment of the population, at least in the US, was still transitioning from no or limited personal computing to having and using their own machine, and they usually ran about $2000 for a leading edge one. Nowadays, just about anybody who can cough up $600 to Dell can have one on their doorstep in a few days, up and running, internet connected, and have been there, done that either before or at work. I can remember some year in the late 80's they called the ms-dos christmas, probably about when 386sx's became affordable.

Since there's nothing really new, just more of the same, can Microsoft do ANYTHING to recreate the old stock pumping marketing splashes of yore?

Pat the bunny?

'You need to touch it, feel it,'

Sort of like what these guys [comingzune.com] are doing to the bunny?

Does it mean it'll be delayed infinitely?

It seems to me that this is a sure way to delay the release indefinitely: they must know how f... well, insecure... the Vista is - now they have a good excuse to miss the promised shipment dates once again :) "Oh, black hats have found yet another hole in our system! Bummer - we have to postpone the relase for another 6 years"...

Windows 2000

IIRC, didn't Microsoft do something like this when they were getting Windows 2000 ready for release? This looks very familiar.

Why now?

... Just wait until its released and break its face upon release.

black hat hackers are notoriously cocky

they love challenges especially when it's a huge corporation like Microsoft daring them to poke holes in their new operating system. i'm sure MS will have no issues finding a group that will be more than happy to prove that they are better than the rest.

Poor Little White Collars

Oh, to be on the list of employees whose code was hacked to bits by the (Mad) Black Hatters.

Layoffs, anyone?

Real Black Hats are busy making exploits

only someone who's not that good would bother attacking a beta before it ships installed on a massive scale.

Oh boy !

There definitely are some fun days ahead !!!

Trojans

The "copy" the hackers are givin probably will contain trojans and all kinds of monitoring processes so they can see what they are actually doing. This way, they get the information even if they don't report it, and become familiar with their processes.

Double benefit?

"has broad authority to block shipments until they pass security tests."

Did this strike anyone else as an excellent scheme to both test their security AND an excuse for delays in shipment of Windows Vista?

umm

  Wouldn't it be better to invite/pay White Hat hackers? Black Hat hackers don't help people. They just help themselves and exploit others.

After reading TFA....

Sounds more like they are looking to get the Grey and Whites involved. Which wouldn't be a bad thing. You just have to hope they're as good as the Blacks. Because as sure as you have a herd of people step up to test this there will be at least a few who get a copy for nefarious purposes.

I will have to agree that Zonk and the greelighters here might want to read the articles then re-read the headlines to make sure they aren't just fanning the flamewars.

I'm just sayin...

Meaningless Ploy

Am I the only one that sees this as a well-contained and rigged attempt at advertising security in high-control situations?

OF COURSE it's going to be difficult/improbably to hack the Vista box that MS provides to Black Hat. It's running no unnecessary processes and has all known security checks locked down.

What really matters (to consumers) is the following is whether or not it will be as secure when 15 different unnecessary and unupdated programs are running in the background.

No? Somehow, I'm not surprised.

Effect on Linux advocacy

In the 90's, Linux advocates used "stability" as their main argument against Windows. Microsoft took that argument away with XP (regardless of the idiotic BSOD comments tossed around these parts).

From 2001 to now, Linux advocates have used "security" as their main argument against Windows. Microsoft is in the process of taking that argument away.

Soon, Linux advocates will be left with "price" as their main argument (glossing over the fact that startup price is insignificant compared to total cost of ownership), which the public really doesn't care about (they'll just think that Linux is free because it's not worth paying for).

Already hacked ...

you can see it in ...

http://news.com.com/2100-7349_3-6102458.html [com.com]

"As one of the security measures in Vista, Microsoft is adding a mechanism to block unsigned driver software to run on the 64-bit version of the operating system. However, Rutkowska found a way to bypass the shield and get her code to run. Malicious drivers could pose a serious threat because they run at a low level in the operating system, security experts have said."

Same old roll out plan

The first hit is always free.
MS has to let Vista be hacked
Then the crack can flood the world.
MS would hate to see a generation of young users trying other products for free.

Like they'd tell them...

...if they found a hole. Which is more likely, that they'd report it and see it closed, or that they'd use it as they have in the past. Hmmm...

It's a COOKBOOK!!

Let's all get on the perdy MS spaceship where we will live happy ever after...Please. Er..and ..um...it's NOT a cookbook people, it a microsoft manual.

Re:What do you get if you actually do discover a f

r00t access?

Re:Wow, submitted this 2 hours ago....

Bad title.